Could it be the Modem built into the router itself? Another guess would be some host from my ISP. I have no clue what this device would be and am very curious. Now the really strange thing: When I try to connect to port 5555, i.e. with netcat, my internet connection stops working instantly and I have to reset the router.

Not shown: 956 closed ports, 42 filtered ports

Doing a port scan on the hosts reveals 2 open TCP ports: The router is directly connected via LTE modem to the internet, there's nothing else between.

5555, tcp, Freeciv versions up to 2.0, Hewlett-Packard Data Protector, McAfee EndPoint Encryption Database Server, SAP, Default for Microsoft Dynamics CRM.

I did a traceroute, it's apparently behind the TP-Link:

traceroute 192.168.0.1

This subnet / address is not configured in my network. Now I did a scan for network devices in the /16 range and found the strange address 192.168.0.1.

# to connect to specified device with interactive shell

And we are root! root.txt can be found in /data/root.

My router is configured to use the subnet 192.168.2.0/24 and has address 192.168.2.1.

We will run the following commands on the device, gain a shell, and escalate that shell to root.

ssh -p 2222 -L 5555:localhost:5555

Android Debug Bridge (adb)

ADB commands help ⇐ Official documentation to adb commands.

In order to run ADB commands on the device, we will have to set up SSH port forwarding with the following command: Since we have access to the device through SSH, and we know that there’s an ADB service running on port 5555, we can execute commands with ADB.

python3 exploit.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

And we got some credentials. We will try to log in to the SSH server running on the Android device with the following command:

And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt

Phase 3 - Privilege Escalation

Port Forwarding

Let’s download creds.jpg with the following command.
Running the Python script with the following commands shows us the directory listing:

It is available for most desktop computer operating systems and available in an online browser version.

Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447.

Freeciv is a single- and multiplayer turn-based strategy game for workstations and personal computers inspired by the proprietary Sid Meier's Civilization series.

Information I found included:

Doing some research on each port, we find that port 59777 is used by ES File Explorer, which has a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.

Seeing that the four ports running were (2222, 5555, 42135, 45225, 59777), we did some research on common uses of those ports on Android operating systems.

Since we are not sure whether the output of the previous nmap command shows all open ports, we will also run a full port scan on the target with the following:

2222 /tcp open EtherNetIP -1
5555 /tcp filtered freeciv
SF:ULL, 24, "SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n" )

From the results above, we see that SSH is open on port 2222 and its banner states that it’s “Banana Studio.” A quick Google search reveals that Banana Studio is an SSH server for Android operating systems.

To me, ports 53, 80, 139, and 445 seem like they're supposed to be there and I don't know how to poke at them.

If you know the service /version, please submit the following fingerprint at https: ///cgi-bin/submit.cgi?new-service :

PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3333/tcp open dec-notes
5555/tcp open freeciv

I tried connecting to the telnet but that went nowhere.

PORT STATE SERVICE VERSION
2222 /tcp open ssh (protocol 2.0 )
| fingerprint -strings:

We first run a network scan to enumerate open ports.