Hack the Box - Explore Walkthrough
Sophie Kaelin

Publish Date: Sep 16 '21

Hack The Box - Explore

This is the second box I've system-owned on HTB. Explore was a fun machine to play with which taught me a lot about the importance of perseverance. I completed this box alongside a few other work colleagues.

Details

  • OS: Android
  • Difficulty: 3.6/10
  • Release: 17/08/2021
  • IP: 10.10.10.247
  • Box Author: bertolis

Knowledge/Skill Requirements

  • SSH Port Forwarding
  • Android OS + associated tools (ADB, ES File Explorer)
  • I used my Kali Linux VM to complete this.

Enumeration

As always, I started off by looking at which services were running by executing an nmap scan.

[Screenshot: nmap scan output]

Seeing that four ports were open (2222, 5555, 41567, 59777), I did some research on the common uses of those ports on Android. What I found:

  • 2222: SimpleSSH
  • 5555: Android Debug Bridge (ADB)
  • 59777: ES File Explorer

I never worked out what 41567 was doing.
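As an added example (not part of the original walkthrough), the following Python script parses nmap's normal output and annotates each open port with the Android service noted above. The scan text is a constructed sample, not the author's real scan, and the 8080 line exists only to show that closed ports are skipped. The point for a reviewer of such a scan: nmap's SERVICE column is a port-number lookup from its services table, not a fingerprint, so 2222 and 5555 show up as unrelated names and must be cross-checked against what actually runs on the target OS.

```python
import re

# What these ports usually are on an Android device, as listed in the walkthrough.
# 41567 is deliberately absent: the author never identified it.
ANDROID_PORT_NOTES = {
    2222: "SimpleSSH (SSH server app)",
    5555: "Android Debug Bridge (ADB) over TCP",
    59777: "ES File Explorer HTTP service (CVE-2019-6447)",
}

# Constructed sample in nmap's normal output format (not the author's real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.247
Host is up (0.021s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE  SERVICE
2222/tcp  open   EtherNetIP-1
5555/tcp  open   freeciv
8080/tcp  closed http-proxy
41567/tcp open   unknown
59777/tcp open   unknown
"""

# A port line looks like "2222/tcp  open  EtherNetIP-1".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return a list of (port, proto, state, nmap_service) for each port line."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def annotate(ports):
    """Map every non-closed port to the Android service it usually is.

    Ports that are not in ANDROID_PORT_NOTES are flagged for manual follow-up
    rather than silently trusted to nmap's name guess.
    """
    result = {}
    for port, proto, state, service in ports:
        if state == "closed":
            continue
        note = ANDROID_PORT_NOTES.get(port)
        result[port] = {
            "proto": proto,
            "state": state,
            "nmap_guess": service,
            "note": note if note else "not identified; investigate manually",
        }
    return result


if __name__ == "__main__":
    for port, info in annotate(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{port}/{info['proto']} {info['state']:6} "
              f"nmap says {info['nmap_guess']:13} -> {info['note']}")
```

From a hardening point of view, every entry that gets a note here is a service that should not be reachable from an untrusted network on a phone: ADB over TCP and the ES File Explorer HTTP listener in particular are debug and convenience features, and the walkthrough shows what happens when both are exposed.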

Analysis

The two services I wanted to look at in more detail were ADB and ES File Explorer. I'd never played with Android devices before, so I looked a little more into what each of the services did. I also searched for any known vulnerabilities/CVEs associated with them. And ... ✨VOILA

[Screenshot: search results for ES File Explorer vulnerabilities]

ES File Explorer had a CVE associated with it (CVE-2019-6447). The vulnerability allows remote users anywhere on the network to read arbitrary files from the device over port 59777.

Digging around more, I found an exploit script on exploit-db. I played around with the script and saw that it could list and retrieve files from the system. Eventually I found a file called creds.jpg which looked promising.

[Screenshot: exploit script listing files, including creds.jpg]

I could retrieve the file by running:

python3 exploit-script.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The file contained what looked like a username and password (GASP!).

[Screenshot: creds.jpg]

kristi:Kr1sT!5h@Rp3xPl0r3!

As an HTB noob, I thought I'd found the user flag here.

But when submitting the password as the flag didn't work, I looked at how else I could use these credentials.

Privilege Escalation

Remembering that an SSH port was open on 2222, I tried using these creds to SSH onto the machine. After many failed attempts at guessing whether the password contained O's or 0's, and l's, 1's or I's, I could access the device!

[Screenshot: SSH login as kristi]

Once I'd fought with find and grep (both of which I can never seem to get to work properly), I could see the flag inside sdcard/user.txt.

[Screenshot: user.txt flag]

Full Control

At this point I had access to the device through SSH, and I knew an ADB service was running on port 5555. To run ADB commands against the device, I set up SSH local port forwarding so that the ADB service on the device's port 5555 was reachable from my machine as localhost:5555.

ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555

Once port forwarding was set up, I could run ADB commands against the device, get a shell, escalate that shell to root and search for the root.txt file.

adb connect 127.0.0.1:5555

[Screenshot: adb shell, root shell and root.txt]

And that's all! Thanks for reading.

Comments (7 total)

  • CʘDE, Oct 1, 2021

    I can't see the localhost device in the adb devices command in mine.... why so?

  • Thibaud Cocostegue, Oct 3, 2021

    I literally did it the same way, but the password doesn't work, even if I replace the 0 with an o or the 1 with an I or L or l; I can't understand why

    • Sophie Kaelin, Oct 5, 2021

      The same thing happened to me! I tried every single variation and couldn't get it to work hahah. Have you tried copying and pasting the password above?

  • IgorGarofano, Oct 9, 2021

    Thanks for sharing. One point: for me adb didn't list localhost but an emulator-5554, where I connected as you showed and was able to get the root flag.

  • dfm666, Oct 26, 2021

    Thank you very much for your tutorial. I searched hours and hours to find another login than ssh because I thought I had entered the correct password.
