HTB - Explore

Android - Easy

IP = 10.10.10.247

Enumeration

As always, run an Nmap scan for open ports

Nmap: sudo nmap -sSVC -p- explore.htb -oA nmap/explore

Port Service
2222/tcp SSH-2.0-SSH Server - Banana Studio
5555/tcp freeciv
42135/tcp ES File Explorer Name Response httpd
42207/tcp unknown
59777/tcp Bukkit JSONAPI httpd for Minecraft game server 3.6.0

Freeciv, ES File Explorer and Bukkit JSONAPI httpd are quite interesting, so I researched some CVEs and vulnerabilities for them and found the FreeCIV Arbitrary Code Execution and ES File Explorer - Arbitrary File Read (the FreeCIV exploit can get root, so maybe this was the privilege escalation part)

Metasploit: Module ES File Explorer Open Port

This module was created from CVE-2019-6447, ES File Explorer - Arbitrary File Read, so I use it to get more information on this machine

After listing some files I found the creds.jpg file, which looks like it contains user credentials. I accessed that path in the browser, http://explore.htb:59777/storage/emulated/0/DCIM/creds.jpg, and got some user credentials

SSH: ssh kristi@explore.htb -p 2222 with Kristi:Kr1sT!5h@Rp3xPl0r3!

I try SSH with the Kristi user and get in; now look for user.txt

user.txt

I list all files and found a link directory named sdcard that links to the primary storage of the device, and then found user.txt

Exploitation & Privilege Escalation

Now I try the Freeciv CVE-2010-2445 that I found earlier in the enumeration part. I try ADB connect from my Kali -> machine and it does not work, and the remote machine does not have ADB either

So I use tunneling to access the 5555 ADB port; with this I can access a specific port on the remote machine through my local machine

Now I can use ADB to connect and got a user shell; since it doesn't require any authentication, I just su to log in as root and got root.txt
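
For anyone auditing Android devices on their own network, the scan above shows why Nmap's service guesses need a second look: 5555 was reported as freeciv and 59777 as a Minecraft plugin, yet they were ADB and ES File Explorer. The following is an added example, not part of the original write-up; the ES File Explorer banner heuristic and the function names are assumptions chosen for illustration.

```python
import re

# Constructed input: the port table from this write-up, one "port/proto banner" per line.
SCAN = """\
2222/tcp SSH-2.0-SSH Server - Banana Studio
5555/tcp freeciv
42135/tcp ES File Explorer Name Response httpd
42207/tcp unknown
59777/tcp Bukkit JSONAPI httpd for Minecraft game server 3.6.0
"""

LINE = re.compile(r"^(\d{1,5})/(?:tcp|udp)\s+(.+)$")

def parse(scan):
    """Return {port: banner}; malformed lines and out-of-range ports are skipped."""
    services = {}
    for raw in scan.splitlines():
        m = LINE.match(raw.strip())
        if m and 0 < int(m.group(1)) <= 65535:
            services[int(m.group(1))] = m.group(2).strip()
    return services

def is_android(services):
    """Assumed heuristic: an ES File Explorer banner on any port marks an Android host."""
    return any("es file explorer" in b.lower() for b in services.values())

def triage(services):
    """Return [(port, finding, mitigation)], relabelling Nmap's guesses on Android hosts."""
    if not is_android(services):
        return []  # on other hosts 5555 may really be freeciv; leave Nmap's labels alone
    out = []
    if 5555 in services:
        out.append((5555, "ADB over TCP (Nmap guessed '%s'); no authentication" % services[5555],
                    "disable network ADB / USB debugging"))
    if 59777 in services:
        out.append((59777, "ES File Explorer HTTP service, CVE-2019-6447 file read",
                    "update or uninstall ES File Explorer"))
    ssh = [p for p, b in services.items() if b.upper().startswith("SSH-")]
    if ssh and 5555 in services:
        out.append((min(ssh), "SSH login can forward to local-only ADB on 5555",
                    "restrict forwarding, rotate credentials stored on the device"))
    return out

if __name__ == "__main__":
    for port, finding, fix in triage(parse(SCAN)):
        print(f"{port}/tcp: {finding} -> {fix}")
```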

References

https://www.rapid7.com/db/modules/auxiliary/scanner/http/es_file_explorer_open_port/

https://labs.f-secure.com/blog/hackin-around-the-christmas-tree/

https://packetstormsecurity.com/files/163311/Android-2.0-FreeCIV-Arbitrary-Code-Execution.html