Official Catch Discussion

It seems like you haven’t tried any of the higher ports. And if you have, time to read their documentation.

Use the third CVE almost exactly as it is shown in the blogpost.

Rooted.

Personally not that hard if you are focused.
Foothold: usual scan + apk search, apktool is a friend all the way + read web service documentation.
User: there is a blog page everybody is talking about, read it carefully and exploit it. I wasted some time not looking at the evidence.
Root: obvious folder with a script to exploit.

DM for help

Hello, I obtained creds (login and password) but I’m not able to log in, it says incorrect credentials. Can someone explain to me how tf that is possible? I’m 100% sure they’re correct.

Am I the only one that used the simplest of the 3 CVEs, l_a__d something, and managed to SSH into the box as user due to c********* re***?
I see lots of comments mentioning rev** sh*** as w**-d***.
Maybe I’m doing the box not in the supposed way.

I got user the same way you did. I built a replica VM and when I found the in memory database application was not packaged or containerized with the vulnerable application, I went for the technique you used.

Finally rooted, it was quite an odd machine, nonetheless very educative.

Can someone please help me with exploiting the right CVE from the blog post?
I managed to exploit the last one but it doesn’t seem to help much.
For the second one I tried writing ${_______} in the M__l H__t in settings but it doesn’t show anything.

The second one works but on the right field… the POC showed M__l H__t… try it where parameters are already filled in by the system and refresh the page.

You can PM if this still confuses you.

Thank you @sicario1337. I was able to exploit the second CVE now.

Nice :+1:

Can anyone please confirm if the a*k application is meant to actually work or not (I have spent a loooong time troubleshooting my VM)? I want to understand if my setup is wrong or if the app is broken somehow.

Just to be clear I am not looking for any tips about what is in the app.

NO, it does not work.

Thank You!

Depending on how you approach the box, this advice might be relevant during the initial recon: if you get stuck on a seemingly wrong Stack Overflow question, don’t waste hours like me, read the answer’s comments too.

Pwned the machine at last. It was unusually easy to root, especially considering that the user was so hard… I found the “script” but it wasn’t SUID and there weren’t any cron jobs as root. When I checked how it is executed as root, it was apparently in a foolish way. So foolish I am not sure if it is tampered or original. Didn’t even need to touch the script anymore.

Foothold: Don’t fall for rabbit holes. Analyze the apk with MobSF or something. Of the keys, only one of 3 will work. But the web interface for the application won’t, so use their API to leak info.

User: Gather credentials and log in to the application. Search on Google for vulnerabilities of the platform. Of the 3 CVEs, you have to use the config data leaking one only. Don’t use the other 2 or the app can break! Also, the config data leak can have some issues with saving your input, just keep trying, that’s the one. The database credentials are the user credentials.

Root: As I said, there is a script in an obvious directory, but for me it was too easy. If the script is not SUID, then what would be? (Take it with a grain of salt, it might have been tampered with by someone.)

Nice box!))
Spent too much time on a loophole :sweat_smile:
Getting root was harder than user for me.
If you need some hints, you can DM :wink:

Are there any resources on how to pull off the config part?
I found articles talking about it but no explanation on what to do.

I got it.
If you are struggling with this, think about what exactly the fields show and from where they get that value.

Hi All.

I am at the point where I have reversed that thing and I understand what to do. I even saw that the targets have all the tools required, but when I try to do the thing with the thing and then b the thing, it fails big time, even if I make no changes to parts of the thing.

I followed a few tutorials and tried a few different switches to no avail. In fact, I even found a post advising that the error is unfixable if the thing won’t b after no changes have been made, leading me to believe I’m possibly down a rabbit hole.

I tried on the target and on my machine and saw the same issue. The thing will only b if I don’t de**** it. I’m probably missing something basic, can anyone throw me a dm with the smallest of nudges?

…scratch that. Got there after a nap. Amazing what catching some zzzz’s will do! Nice box, forced me to learn some new stuff!