In this post, I would like to share a walkthrough of the Explore machine.

This machine is rated as Easy.

Information Gathering on Explore Machine

Once the VPN connection is up, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Nmap scan report for explorer.htb (10.10.10.247)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
2222/tcp open    ssh    (protocol 2.0)
| fingerprint-strings:
|  NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Sony X75CH-series Android TV (Android 5.0) (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Android 4.1 - 6.0 (Linux 3.4 - 3.14) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.0 - 7.0 (Linux 3.4 - 3.10) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

We notice that 3 ports have been found on the machine:

  • 2222 – SSH protocol 2.0
  • 5555 – freeciv
  • 59777 – Bukkit JSONAPI HTTPd for Minecraft game server 3.6.0 or older

The vulnerability on the machine is in ES File Explorer, which is where the machine's name "Explore" comes from.
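To make the scan above easier to review, here is an added example (not part of the original walkthrough) that parses the nmap service lines into records and flags the two ports an Android device should never expose to the network: the ES File Explorer HTTP listener on 59777 and the adb port on 5555, both of which nmap mislabels. The scan text is a constructed excerpt of the output shown above, and the port-to-service mapping is an assumption based on the walkthrough's own finding.

```python
import re
from typing import NamedTuple

# Constructed excerpt of the nmap output shown above (not live data).
NMAP_OUTPUT = """\
Nmap scan report for explorer.htb (10.10.10.247)
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
2222/tcp open    ssh    (protocol 2.0)
| fingerprint-strings:
|_    SSH-2.0-SSH Server - Banana Studio
5555/tcp filtered freeciv
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
"""

class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str
    version: str

# Matches "NNN/proto STATE SERVICE VERSION"; NSE script lines starting with '|' do not match.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return one Port record per port line in nmap's normal (-oN style) output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            num, proto, state, svc, ver = m.groups()
            ports.append(Port(int(num), proto, state, svc, ver.strip()))
    return ports

# Assumed mapping: nmap guessed "freeciv" and a Minecraft plugin, but on an Android host
# these port numbers are the adb daemon and the ES File Explorer listener respectively.
WATCHLIST = {5555: "Android Debug Bridge (adb)", 59777: "ES File Explorer HTTP listener"}

def flag_exposures(ports):
    """Return (port, note) for each watch-listed port that is open or filtered (not closed)."""
    return [(p.number, WATCHLIST[p.number]) for p in ports
            if p.number in WATCHLIST and p.state != "closed"]
```

A filtered port is still reported, since a firewall dropping probes does not prove the daemon is off.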

Let’s do some research on the vulnerability!

The first search result for the vulnerability is the article: Android file manager app exposing user data through open port | The Daily Swig (portswigger.net)

The proof-of-concept code can be found at: ESFileExplorerOpenPortVuln/poc.py at master · fs0c131y/ESFileExplorerOpenPortVuln · GitHub

From the source code, one line caught my eye.

Source: All Android Directory Path · GitHub

Let's do some research on mobile penetration testing.

I found that there are some common directory paths configured on Android devices.

Let's enumerate the directory /sdcard/dcim.

Wow! We found what looks like credentials saved in creds.jpg.

## I just made a wild guess at the filename ##

Maintaining Access

I need to log in to the machine over SSH using those credentials.

We managed to log in to the machine, as shown in the screenshot above.

Next we access the sdcard directory.

I found the user flag in that directory.

We can read the user flag by executing "cat user.txt".

Escalating to Root Privileges

We need to install the adb tools, which can be found over here.

The only way to get adb working is to set up some port forwarding first.

We use ./adb connect localhost to connect to the machine.

I then use ./adb shell to get an Android shell on the machine.

We are now inside the machine and should see the same files as in the screenshot above.

Access to the data directory is denied (permission denied).

We need to execute the "su" command to escalate to root privileges.

I managed to find the root flag in the /data/ directory.

We read the root flag by executing the "cat root.txt" command.

-THE END-

Happy Learning Guys!
