Explore
Enumeration
Ports and Services
Initial Foothold
Visiting port 5977 shows a forbidden directory listing:
WFUZZ:
Port 42135 is vulnerable to CVE-2019-6447
PoC from https://github.com/fs0c131y/ESFileExplorerOpenPortVuln used to list files:
The WFUZZ and PoC output show similar directories
wfuzz /sdcard
Searching for .txt files:
Found /sdcard/user.txt
User.txt Proof Screenshot
User.txt Contents
f32017174c7c7e8f50c6da52891ae250
Privilege Escalation
Replicated PoC manually:
curl --header "Content-Type: application/json" --request POST \
  --data '{"command":"listFiles"}' http://10.129.132.118:59777/sdcard
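A defender-side view of the request above, as an added example that is not part of the original write-up: it flags HTTP POSTs to port 59777 whose JSON body carries a "command" field. The record layout (source IP, destination port, raw request bytes) and the sample addresses are constructed for illustration.

```python
import json

ES_PORT = 59777  # port the curl command in the write-up targets


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, path, _version = request_line.split(" ", 2)  # ValueError if malformed
    return method, path, body


def es_command(dst_port: int, raw: bytes):
    """Return (path, command) for a POST carrying {"command": ...}, else None."""
    if dst_port != ES_PORT:
        return None
    try:
        method, path, body = parse_request(raw)
        doc = json.loads(body)  # match on the body; headers are client-chosen
    except ValueError:  # bad request line, non-JSON or undecodable body
        return None
    if method == "POST" and isinstance(doc, dict) and isinstance(doc.get("command"), str):
        return path, doc["command"]
    return None


def scan(records):
    """records: iterable of (src_ip, dst_port, raw_request) tuples (assumed layout)."""
    alerts = []
    for src, dst_port, raw in records:
        hit = es_command(dst_port, raw)
        if hit:
            alerts.append((src, *hit))
    return alerts


# Constructed sample traffic (documentation addresses, not from the write-up).
SAMPLE = [
    ("192.0.2.10", 59777, b'POST /sdcard HTTP/1.1\r\nHost: device\r\n'
     b'Content-Type: application/json\r\n\r\n{"command":"listFiles"}'),
    ("192.0.2.11", 59777, b"GET / HTTP/1.1\r\nHost: device\r\n\r\n"),
    ("192.0.2.12", 8080, b'POST /api HTTP/1.1\r\n\r\n{"command":"listFiles"}'),
    ("192.0.2.13", 59777, b"POST /sdcard HTTP/1.1\r\n\r\n{not json"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print("ES File Explorer command request:", alert)
```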
Creds.jpg found in /sdcard/DCIM
Port 5555 (Android Debugger) was filtered from outside. On the inside it seems to be
listening as well.
Port-forwarded 5555 to localhost:
Started ADB:
Started shell on ssh connection:
Found root.txt:
find / -name "root.txt"
Root screenshot here: