Explore - HackTheBox
Comence con un escaneo de Nmap para detectar puertos abiertos.
root@wackyh4cker:/home/wackyh4cker/HTB/Explore# nmap -sS --min-rate=5000 -p- -Pn --open -vvv -n 10.10.10.247 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-31 15:51 CET
Initiating SYN Stealth Scan at 15:51
Scanning 10.10.10.247 [65535 ports]
Discovered open port 43671/tcp on 10.10.10.247
Discovered open port 42135/tcp on 10.10.10.247
Discovered open port 59777/tcp on 10.10.10.247
Discovered open port 2222/tcp on 10.10.10.247
Completed SYN Stealth Scan at 15:51, 27.32s elapsed (65535 total ports)
Nmap scan report for 10.10.10.247
Host is up, received user-set (0.13s latency).
Scanned at 2021-10-31 15:51:23 CET for 28s
Not shown: 55102 closed ports, 10429 filtered ports
Reason: 55102 resets and 10429 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
2222/tcp open EtherNetIP-1 syn-ack ttl 63
42135/tcp open unknown syn-ack ttl 63
43671/tcp open unknown syn-ack ttl 63
59777/tcp open unknown syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.40 seconds
Raw packets sent: 133569 (5.877MB) | Rcvd: 55331 (2.213MB)
Efectue otra escaneo para detectar la version y servicio de cada puerto.
root@wackyh4cker:/home/wackyh4cker/HTB/Explore# cat webScan
# Nmap 7.80 scan initiated Sun Oct 31 15:56:11 2021 as: nmap -sCV -p2222,42135,43671,59777 -oN webScan 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
43671/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:18 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sun, 31 Oct 2021 14:56:18 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sun, 31 Oct 2021 14:56:23 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:23 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.80%I=7%D=10/31%Time=617EAE92%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port43671-TCP:V=7.80%I=7%D=10/31%Time=617EAE91%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x2
SF:031\x20Oct\x202021\x2014:56:18\x20GMT\r\nContent-Length:\x2022\r\nConte
SF:nt-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n
SF:\r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412
SF:\x20Precondition\x20Failed\r\nDate:\x20Sun,\x2031\x20Oct\x202021\x2014:
SF:56:18\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1
SF:\.0\x20501\x20Not\x20Implemented\r\nDate:\x20Sun,\x2031\x20Oct\x202021\
SF:x2014:56:23\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pl
SF:ain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x
SF:20supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20
SF:Request\r\nDate:\x20Sun,\x2031\x20Oct\x202021\x2014:56:23\x20GMT\r\nCon
SF:tent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\
SF:r\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version
SF::\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Sun,\x2031\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length:
SF:\x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionRe
SF:q,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x2031\x20Oct\
SF:x202021\x2014:56:38\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x2
SF:0text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid
SF:\x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\
SF:?\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalS
SF:erverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x20
SF:31\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length:\x2054\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20mst
SF:shash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n
SF:Date:\x20Sun,\x2031\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length
SF::\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnecti
SF:on:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\
SF:0e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
Service Info: Device: phone
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 31 15:57:53 2021 -- 1 IP address (1 host up) scanned in 101.75 seconds
Viendo el resultado vi que era una maquina Android, la primera en HackTheBox, algo que me llamo la atencion es el puerto 42135, esta corriendo ES File Explorer, buscando exploits encontré lo siguiente.
Habia un “exploit” de lectura de archivos arbitrarios, me lo traje y lo ejecute, me permitia hacer lo siguiente.
Tras hacer una pequeña enumeracion en el dispositivo, encontre una imagen con un nombre llamativo, creds.jpg.
Decidí descargarmenla con el parametro getFile de la herramienta.
La abrí y encontré una credencial.
Probe a autenticarme por SSH y accedí, ya pude visualizar la “flag” del usuario.
Investigando un poco encontré el puerto 5555 abierto en local.
Ya que no tenia acceso a el externamente, efectue un Local Port Forwarding, es decir tener el puerto abierto en local en mi maquina pero a la vez haciendo conectividad con la maquina victima, tenia abierto SSH por lo que no hizo falta hacer uso de Chisel, aplique el siguiente comando.
Este puerto es de adb, un sistema que permite controlar dispositivo Android desde el ordenador, ya sea mediante USB o por TCP, en este caso fue por TCP, sabiendo esto pense en entablarme una shell, investigando un poco encontré como se hacia.
Basicamente era ejecutar adb -s IP:PUERTO shell, donde IP seria de la maquina victima, en este caso seria 127.0.0.1, en local, ya que hemos hecho un Port Forwarding y el puerto 5555 lo tenemos abierto en local.
Con esta Shell ya teniamos acceso al sistema como root, haciendo una busqueda con find encontré la flag, le hice un xargs para aplicarme un cat a la ruta que reportara.
Leave a comment