Official RouterSpace Discussion

As far as I can tell this method worked very well… And a note to other users trying this method: it is a good opportunity to slow down and look at how adb and Anbox work and process commands.

Thanks for the share!

The advice here is good and should work in normal cases, but I am struggling to capture the right stuff on an ARM-based system. I am wondering if anyone else can get the right tools working on this type of platform.

Also, this box is one of the reasons why mobile pen testing is an absolute nightmare. :slight_smile:

The main challenge was installing the emulator…

  • capture traffic and learn how to communicate with the web service
  • RCE
  • linPEAS → recent CVE for privesc

If the Android emulator is not a problem, then the box will be a piece of cake for you.

Got root, and sure, once you’re on the box it’s easy-peasy. But dang, that Emulator Boss was tough to crack. I had to take some breaks to play Elden Ring to relax.

2 Likes

Thank you @h4rithd for that interesting Android box. It’s rare that we have the opportunity to train on that platform.

FOOTHOLD: the most complicated part is installing the tools, but everything is on the forum. I managed to use unsquashfs and mksquashfs to put files on the box. There’s an image compatible with adb root and adb remount, but putting files doesn’t work for me. You don’t need Burp to smash a fly; Wireshark suffices to catch the only thing you need. Then try to understand how to bypass the JSON input and execute commands.

USER: zero work

ROOT: people say there’s a recent vulnerability. It’s recent, but it has been some months now. Therefore, I’m not sure it’s the only way to get in. I will try something like shell**.

What a great machine. Part of being a hacker is getting outside your comfort zone and doing whatever it takes to get the job done. This machine forced me to use a different OS and new tools. If you are stuck getting a foothold, do not settle for the first thing you find. If one application or OS does not work, try something else. The same applies for PrivEsc. It does not require a security distro to root.

Trying really hard not to give away a spoiler, but I have a question about the methodology/thinking…

How did any of you figure out that altering the request would lead to RCE? I had no idea what the request was trying to do, so I had no idea how to move on.

Please PM me with a nudge for further research.

Basically you try to inject something basic, and if the expected output arrives then you try to get in.

Ah, so it’s more “trial and error” than actually “Ah, I know exactly what they’re doing here!”?

Yeah, exactly. Typically when I start checking for command injection I test a basic command like “whoami”, then I try to ping my box.
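The trial-and-error probing described in the last few replies, as an added example that is not code from this thread or from the box itself: a hypothetical vulnerable handler modelled only on what the posts say (a JSON “ip” field interpolated into a shell command; `echo` stands in for the real command such as `ping` so the example runs offline), the hardened version beside it, and a probe that tries the usual shell separators with a random canary instead of `whoami` or a ping-back. The field name “ip”, the command string, and the separator list are assumptions.

```python
"""Command-injection probe modelled on the thread's description.

Constructed example: the handlers below are hypothetical stand-ins, not the
RouterSpace API. 'echo' replaces the real command so it runs offline.
"""
import ipaddress
import json
import secrets
import subprocess
from typing import Callable, Dict


def vulnerable_check(body: str) -> str:
    """Hypothetical vulnerable handler: the JSON 'ip' value is pasted into a
    shell command string, so any shell separator in it starts a new command."""
    ip = json.loads(body)["ip"]          # assumed field name
    cmd = f"echo checking {ip}"          # assumed command shape
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_check(body: str) -> str:
    """Same handler with the two fixes that close the hole: validate the field
    as an IP address, and pass it as one argv element instead of via a shell."""
    ip = json.loads(body)["ip"]
    ipaddress.ip_address(ip)             # ValueError on "1.1.1.1\necho ..."
    out = subprocess.run(["echo", "checking", ip], capture_output=True, text=True)
    return out.stdout


# Separators a POSIX shell treats as command boundaries or substitutions.
SEPARATORS = {
    "newline": "\n",
    "semicolon": ";",
    "pipe": "|",
    "and": "&&",
    "or": "||",
    "subshell": "$(",
    "backtick": "`",
}


def probe_injection(send: Callable[[str], str], base_ip: str = "127.0.0.1") -> Dict[str, bool]:
    """Trial-and-error detection as the posters describe it: for each separator,
    inject 'echo <random canary>' after a valid-looking value and report whether
    the canary came back in the response. A random canary avoids false positives
    from the application merely reflecting the input."""
    results: Dict[str, bool] = {}
    for name, sep in SEPARATORS.items():
        canary = secrets.token_hex(4)
        if name == "subshell":
            payload = f"{base_ip}$(echo {canary})"
        elif name == "backtick":
            payload = f"{base_ip}`echo {canary}`"
        else:
            payload = f"{base_ip}{sep}echo {canary}"
        body = json.dumps({"ip": payload})   # json.dumps escapes the newline; the server decodes it
        try:
            out = send(body)
        except ValueError:                   # hardened handler rejects the value
            out = ""
        results[name] = canary in out
    return results


if __name__ == "__main__":
    print("vulnerable:", probe_injection(vulnerable_check))
    print("hardened:  ", probe_injection(hardened_check))
```

Note that the `||` probe comes back negative even against the vulnerable handler, because the first `echo` succeeds and the shell skips the right-hand side; a single failed separator therefore says nothing, which is why the probe tries several before concluding the field is safe.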

#pwned It was a great first machine to do; I learned many things:

  • Install an Android emulator; it is basic user stuff. I used Genymotion
  • Redirect the emulator network through Burp. It was a nice tip: “Change the listen options of the proxy to all interfaces”. I just changed the host target in Burp, so no need to configure any DNS
  • From there, I learned and studied a lot about “command injection”; thanks @alemusix for the tips
  • So far I could get the user flag easily {“op”, “\nid”}
  • Next I learned a lot about RSA keys and connecting to SSH using my RSA key (“no password”)
  • Finally I got my session through SSH with the p… username and my RSA key
  • It felt really nice to have a session; it felt more real than having only the command injection
  • From there I learned about linPEAS, a great py script to find vulnerabilities
  • Finally the cherry: linPEAS gives you the “newest” exploit to escalate privileges and boom, root

Thanks to @h4rithd for this first test for me; it was a nice experience that took me a whole week of study between YouTube and Google.

1 Like

For people wondering if Android Studio works… it totally does…
(especially with chocolate/milk biscuits and marshmallows to stay calm)

1 Like

Is the box supposed to be completely cut-off from HTB’s network?

Cannot transfer anything with wget, curl, nc, etc.

Cannot ping my machine

Of course I have SSH access to the machine as the intended user. I am playing the box on VIP+.

PS: I love “easy” HTB boxes!

1 Like

Yes, it’s pretty closed off. There’s a way to use the access you have to copy files, however!

Hey @think,
would you mind sharing some resources as a hint about the “command injection” you used after you managed to set up Burp? I’m stuck and every injection I try fails.

Also, I want to give the community something back:
As many people are having trouble with the emulator, what worked for me: Android Studio → Pixel 4 API 26. For the Burp connection there is a write-up on their site on how to connect.

Trust me when they say it’s “easy”, it is definitely “not easy”. :pensive:

1 Like

This is an example of command injection using the API request.

Also, for the Android emulator just:

  • Download the Genymotion bin file from their site
  • go to your ~/Downloads folder and run: ./genimotion…
  • voila, emulator installed; also watch some YouTube videos on that, there are many
  • next install OpenGApps in your phone emulator to access the Google Play Store
  • from there install a web browser to make it easy to download files from the web (RouterSpace site)

1 Like

I just can’t set up traffic forwarding from the program to Burp. Please, can someone tell me how to do this?

Re: ROOT

“Please?”

I’m having a nightmare just TRYING to run the APK file. I’m using Parrot OS in a VM; snapd won’t install for some reason, Genymotion requires VirtualBox to run, and Nox… ?
It’s been more than an hour now for me just trying to find a way to run that ■■■■ program. Not a good experience, at all :confused:

1 Like