In this post, I would like to share a walkthrough of the Explore machine.
This machine is rated Easy.
Information Gathering on Explore Machine
Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address> (the -Pn flag skips host discovery, since the box does not answer ping).
```text
Nmap scan report for explorer.htb (10.10.10.247)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=6/26%Time=60D77A2C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/26%OT=2222%CT=1%CU=34420%PV=Y%DS=2%DC=T%G=Y%TM=60D77
OS:A4A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW6%O2=M54DST11NW6
OS:%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=FFFF%W
OS:2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNN
OS:SNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Sony X75CH-series Android TV (Android 5.0) (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Android 4.1 - 6.0 (Linux 3.4 - 3.14) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.0 - 7.0 (Linux 3.4 - 3.10) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
```
Three ports show up on the machine:
- 2222 – SSH (protocol 2.0), banner "SSH Server - Banana Studio"
- 5555 – filtered; nmap labels it freeciv from its services table, but 5555/tcp is the default Android Debug Bridge (adb) port
- 59777 – HTTP; nmap guesses Bukkit JSONAPI, but 59777 is the port ES File Explorer's built-in HTTP server listens on
The OS guesses (several Android versions) and the adb port fit together: this is an Android device. The target application is ES File Explorer, which is where the machine name "Explore" comes from.
Let’s do some research on the vulnerability!
The first search result is a write-up of the ES File Explorer open port vulnerability (CVE-2019-6447): Android file manager app exposing user data through open port | The Daily Swig (portswigger.net)
A proof-of-concept exploit is published at: ESFileExplorerOpenPortVuln/poc.py at master · fs0c131y/ESFileExplorerOpenPortVuln · GitHub
From the source code, one line caught my eye.
Let's do some research on Android mobile penetration testing.
There are some common directory paths on Android devices, such as /sdcard (the user's shared storage, a symlink to /storage/emulated/0) and /sdcard/DCIM (camera photos).
Let's enumerate the /sdcard/dcim directory through the exposed service.
We find a file named creds.jpg that looks like it contains saved credentials.
## I just made a wild guess on the filename ##
Next, log in over SSH on port 2222 with those credentials.
We manage to log in; the session looks like the screenshot above.
From there we move into the /sdcard directory.
The user flag is in that directory.
We can read the user flag by executing "cat user.txt".
Escalate to Root Privileges Access
We need to install the adb (Android Debug Bridge) tool, part of the Android SDK platform-tools, which can be found over here.
Port 5555 (adb) was filtered from the outside, so the only way to make adb work is to forward that port through our SSH session to the machine.
We then run ./adb connect localhost to attach to the forwarded port (adb defaults to port 5555 when none is given).
./adb shell then gives us a shell on the Android device.
We are now inside the device, and we see the same files as in the screenshot above.
Listing the /data directory is denied for the shell user.
Running the "su" command in the adb shell escalates us to root.
The root flag is in the /data/ directory.
We read it by executing the "cat root.txt" command.
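Why does ./adb connect localhost succeed without any key prompt? Because the tunnel (assumed here to be ssh -p 2222 -L 5555:127.0.0.1:5555 <user>@10.10.10.247) lands on an adb daemon that accepts the first CNXN message without demanding RSA authentication. The probe below is an added example, not code from this post or from the Android project; it speaks the ADB transport protocol directly (24-byte little-endian header: command, arg0, arg1, data length, byte-sum checksum, magic = command XOR 0xffffffff) and tells you from the daemon's first reply whether adb will connect straight away (CNXN with a device banner) or whether it will sit waiting for key approval (AUTH with a 20-byte token). The sample replies are constructed, not captured.

```python
#!/usr/bin/env python3
"""Probe an adb daemon over TCP with a raw CNXN handshake.

Added example (not from the page or the Android project).  Assumes the ADB
transport protocol from the platform's protocol.txt; sample replies below
are constructed, not captured from the machine.
"""
import socket
import struct
import sys

HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic
A_CNXN = 0x4E584E43             # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541             # b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096              # legacy maximum; fine for the initial handshake
AUTH_TOKEN = 1                  # arg0 of an AUTH message that carries a challenge


def checksum(data):
    """ADB's data_check is a plain byte sum, not a CRC."""
    return sum(data) & 0xFFFFFFFF


def encode(command, arg0, arg1, data=b""):
    """Serialise one ADB message: header followed by payload."""
    return HEADER.pack(command, arg0, arg1, len(data), checksum(data),
                       command ^ 0xFFFFFFFF) + data


def decode(raw):
    """Parse one message, validating magic, length and checksum."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack(raw[:HEADER.size])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    data = raw[HEADER.size:HEADER.size + length]
    if len(data) != length or checksum(data) != check:
        raise ValueError("payload length or checksum mismatch")
    return command, arg0, arg1, data


def cnxn_packet():
    """The CNXN message a host sends to open a session."""
    return encode(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_banner(data):
    """Split 'systemtype:serial:prop=val;prop=val;' into its parts."""
    text = data.rstrip(b"\x00").decode("utf-8", "replace")
    parts = text.split(":", 2) + ["", ""]
    systype, serial, props = parts[0], parts[1], parts[2]
    properties = dict(p.split("=", 1) for p in props.split(";") if "=" in p)
    return systype, serial, properties


def classify_reply(raw):
    """What the daemon's first reply means for whoever is connecting."""
    command, arg0, _arg1, data = decode(raw)
    if command == A_CNXN:                       # no auth: adb connect just works
        systype, serial, props = parse_banner(data)
        return {"status": "open", "systype": systype, "serial": serial,
                "properties": props}
    if command == A_AUTH and arg0 == AUTH_TOKEN:  # device wants an RSA signature
        return {"status": "auth-required", "token": data}
    return {"status": "unexpected",
            "command": struct.pack("<I", command).decode("ascii", "replace")}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(host="127.0.0.1", port=5555, timeout=5):
    """Connect, send CNXN, read exactly one reply and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(cnxn_packet())
        head = recv_exact(s, HEADER.size)
        length = HEADER.unpack(head)[3]
        return classify_reply(head + recv_exact(s, length))


# Constructed replies (hypothetical property values) for offline checks.
SAMPLE_OPEN_REPLY = encode(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=example;ro.product.model=Example Phone;"
    b"ro.product.device=example;\x00")
SAMPLE_AUTH_REPLY = encode(A_AUTH, AUTH_TOKEN, 0, bytes(20))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(host))
```

With the SSH tunnel up, running it with no argument probes 127.0.0.1:5555, i.e. the forwarded adb port. An "open" result with a device banner is the unauthenticated case this machine exhibits; "auth-required" is what a stock Android 4.2.2 or later device answers, and there adb connect would hang until a key is accepted on-screen.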
Happy Learning Guys!