This is the second box I've system-owned on HTB. Explore was a fun machine to play with which taught me a lot about the importance of perseverance. I completed this box alongside a few other work colleagues.
- OS: Android
- Difficulty: 3.6/10
- Release: 17/08/2021
- IP: 10.10.10.247
- Box Author: bertolis
- SSH Port Forwarding
- Android OS + associated tools (ADB, ES File Explorer)
- I used my Kali Linux VM to complete this.
As always, I started off by looking at which services were running by executing an
Seeing that the four ports running were (
2222, 5555, 41567, 59777) I decided to do some research on common uses of those ports on android operating systems. Information I found included:
- 2222: SimpleSSH
- 5555: Android Debug Bridge (ADB)
- 59777: ES File Explorer
I never worked out what 41567 was doing.
The two services I wanted to look at in more detail were ADB and ES File Explorer. I'd never played with Android devices before, so I looked a little more into what each of the services did. I also searched if there were any known vulnerabilities/CVE's associated with them. And ... ✨VOILA✨
ES File explorer had a CVE associated with it (CVE-2019-6447). The exploit allows remote users to read arbitrary files from anywhere on the network over port 59777.
Digging around more, I found an exploit script on exploit-db. I played around with the script and saw it can list and retrieve files from the system. Eventually I found a file called
creds.jpg which looked promising.
I could retrieve the file by running:
python3 exploit-script.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
The file contained what looked like a username and password (GASP!).
As a HTB noob, I thought I'd found the user flag here.
But when entering the password didn't work I looked at how else I could use these credentials.
Remembering that an SSH port was open on 2222, I tried using these creds to SSH onto the machine. And after many failed attempts at guessing whether the password contains O's or 0's, and l's, 1's or I's, I could access the device!
Once I'd fought with
grep (both of which I can never seem to get to work properly) I could see the flag inside
At this point I had access to the device through SSH, and I knew I had an ADB service running on port 5555. In order to run ADB on the device, I had to set up SSH port forwarding so that I could run ADB commands on the device.
ssh email@example.com -p 2222 -L 5555:localhost:5555
Once port forwarding was set up, I was able to run ADB commands on the device, gain a shell, escalate that shell to root and search for the root.txt file.
adb connect 127.0.0.1:5555
And that's all ! Thanks for reading.