5555 freeciv

11/11/2023

We first run a network scan to enumerate open ports.

```
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings:
If you know the service/version, please submit the following fingerprint at https:///cgi-bin/submit.cgi?new-service :
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
```

From the results above, we see that SSH is open on port 2222 and its banner states that it's "Banana Studio." A quick Google search reveals that Banana Studio is an SSH server for Android operating systems.

Since we are not sure whether the output of the previous nmap command shows all open ports, we will also run a full port scan on the target with the following:

```
2222/tcp open     EtherNetIP-1
5555/tcp filtered freeciv
```

Seeing that the four ports running were (2222, 5555, 42135, 45225, 59777), we did some research on common uses of those ports on Android operating systems. Information I found included:

Researching each port, we find that port 59777 belongs to ES File Explorer, which has a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.

Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447.

Running the Python script with the following commands shows us the listings on the directory:

Let's download creds.jpg with the following command.

```
python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
```

And we got some credentials. We will try to log in to the SSH server opened on the Android device with the following command:

And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt

Phase 3 - Privilege Escalation

Port Forwarding
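As an added example (not part of the original write-up or of the ExploitDB script), the port-research step from the enumeration phase can be captured as a small triage script. It parses nmap's port table and attaches a review note to each port, because the SERVICE column without version detection is only a port-number lookup (`EtherNetIP-1`, `freeciv`). The note for 5555 and the sample row for 59777 are assumptions of this example, not output shown on the page.

```python
import re

# Review notes assumed for this example. 2222 and 59777 come from the write-up;
# the note on 5555 (adb over TCP) is general Android knowledge, not from the page.
ANDROID_PORT_NOTES = {
    2222: "SSH server app (banner in the write-up: Banana Studio)",
    5555: "commonly adb over TCP on Android; nmap's table name is 'freeciv'",
    59777: "ES File Explorer HTTP service, CVE-2019-6447",
}

# Matches rows such as "2222/tcp open EtherNetIP-1" in nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return [(port, proto, state, service)] from nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def triage(text):
    """Attach a review note to each port; unknown ports are flagged for research."""
    findings = []
    for port, proto, state, service in parse_nmap_ports(text):
        note = ANDROID_PORT_NOTES.get(port, "no note: research manually")
        # 'filtered' means a packet filter dropped the probe, not that
        # nothing is listening on the port.
        findings.append({"port": port, "state": state, "nmap_name": service,
                         "reachable": state == "open", "note": note})
    return findings


# Constructed sample in nmap's normal output format; the 2222 and 5555 rows
# match the write-up's scan, the 59777 row is made up for illustration.
SAMPLE = """\
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
59777/tcp open     unknown
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['port']:>5} {f['state']:<8} nmap={f['nmap_name']:<13} {f['note']}")
```
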