# to connect to specified device with interactive shell

And we are root! root.txt can be found in /data/root.

We will run the following commands on the device, gain a shell, and escalate that shell to root.

ssh -p 2222 -L 5555:localhost:5555

Android Debug Bridge (adb)

ADB commands help ⇐ Official documentation to adb commands.

In order to run ADB commands on the device, we will have to set up SSH port forwarding with the following command:

Since we have access to the device through SSH, and we know that there's an ADB service running on port 5555, we can execute commands with ADB.

python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

And we got some credentials. We will try to log in to the SSH server running on the Android device with the following command:

And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt

Phase 3 - Privilege Escalation

Port Forwarding

Let's download creds.jpg with the following command.

Running the Python script with the following commands shows us the listings on the directory:

Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447.

Information I found included:

Doing some research on each port, we find something on port 59777, which is for ES File Explorer: a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.

Seeing that the four ports running were (2222, 5555, 42135, 45225, 59777), we did some research on common uses of those ports on Android operating systems.

obrpd 1092/tcp Open Business Reporting Protocol obrpd 1092/udp Open.

Since we are not sure whether the output of the previous nmap command shows all open ports, we will also run a full port scan on the target with the following:

2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
comment tcpmux 1/tcp TCP port service multiplexer tcpmux 1/udp TCP port.
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n")

From the results above, we see that SSH is open on port 2222 and its banner states that it's "Banana Studio." A quick Google search reveals that Banana Studio is an SSH server for Android operating systems.

The 3333 port, looking at that link I'd guess it's part of the netgenie. Which I understand is sort of a superset or uses http. In it they talk about netgenie making soap calls to the device on port 5555.

SF-Port2222-TCP:V=7.91%I=7%D=10/25%Time=6176573F%P=x86_64-pc-linux-gnu%r(N

I think that the netgenie app uses port 5555 to talk to and setup the Netgear modem.

If you know the service/version, please submit the following fingerprint at https: ///cgi-bin/submit.cgi?new-service :

PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:

We first run a network scan to enumerate open ports.