
Explore, HackTheBox Walk-Through

In this post, we walk through the HackTheBox machine “Explore”. It is an Android-based machine, and HTB users rate its difficulty as easy. We go over the solution step by step, which is useful for beginners. Let’s begin.

NMAP

An Nmap scan reveals that 3 ports are open, as seen below.

nmap results of the machine
  • SSH service (protocol 2.0) is running on port 2222.
  • Web service (ES File Explorer Name Response httpd) runs on port 42135.
  • Web service (Bukkit JSONAPI httpd for Minecraft game server 3.6.0) runs on port 59777.
  • Port 5555 appears filtered; this is the ADB port (Android Debug Bridge).

ENUMERATION

Let’s check whether the web pages hold any useful information. The image below shows what we get when we browse to the website on ports 42135 and 59777.

Nothing interesting, but port 59777 returns unusual output. When we search Google for “port 59777 exploit”, the results point to a vulnerability in ES File Explorer (CVE-2019-6447).

The ES file browser creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data on the user’s cell phone and launching applications; however, the service does not check these requests, resulting in a security breach.
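To check your own networks for the same exposure, the following added example (not from the original post or from the exploit's author) parses Nmap grepable (-oG) output and flags the Android service ports named in this walkthrough. The sample scan lines, the 192.0.2.x addresses and the function names are constructed for illustration; a filtered port is reported for review rather than ignored, because a firewalled service can still be listening for local users on the device.

```python
import re

# Ports this walkthrough ties to Android services worth reviewing.
RISKY_PORTS = {
    59777: "ES File Explorer HTTP service (CVE-2019-6447)",
    42135: "ES File Explorer Name Response httpd",
    5555: "ADB over TCP",
}

# Constructed sample in nmap -oG format (documentation-range addresses).
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 2222/open/tcp//ssh//(protocol 2.0)/, "
    "5555/filtered/tcp//freeciv///, "
    "42135/open/tcp//http//ES File Explorer Name Response httpd/, "
    "59777/open/tcp//http//Bukkit JSONAPI httpd/\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 5555/closed/tcp//freeciv///\n"
    "Host: 192.0.2.12 ()\tStatus: Up\n"
)

def parse_grepable(text):
    """Yield (host, port, state, service) for each port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comments and blank lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Split only where a new "<port>/" entry starts, so commas
            # inside a version string do not break an entry apart.
            for entry in re.split(r",\s*(?=\d+/)", field[len("Ports:"):]):
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[0].isdigit():
                    yield host, int(parts[0]), parts[1], parts[4]

def audit(text):
    """Return (host, port, status, description) for risky, non-closed ports."""
    findings = []
    for host, port, state, _service in parse_grepable(text):
        if port not in RISKY_PORTS or state == "closed":
            continue
        # "filtered" still needs review: the service may be reachable locally.
        status = "exposed" if state == "open" else "review"
        findings.append((host, port, status, RISKY_PORTS[port]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(*finding, sep="  ")
```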

CVE-2019-6447

We found the exploit code for CVE-2019-6447 on GitHub. Git clone it, install the requirements (pip install -r requirements.txt), then run it against the machine.

When we enumerated the target further, we found creds.jpg in the /storage/emulated/0/DCIM directory, and we tried to access the machine using the credentials in it.

#ssh [email protected] -p 2222

It’s an Android box, so we need ADB on our system. We found that port 5555 is filtered, and the service on this port runs locally.

What is ADB? Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer. We can install ADB with the “sudo apt-get install android-tools-adb” command.

PRIVILEGE ESCALATION AND ROOT

Android devices are being shipped with TCP port 5555 enabled, so we forward port 5555 to our localhost and then use adb to get shell access 🙂

#sudo ssh -p 2222 -L 5555:localhost:5555 [email protected]
ssh tunneling for using the ADB bridge

After port forwarding is done, run adb shell, and with the “su” command we are now the root user. Now we have an elevated session and browse the Administrator directory to get root.txt.

Omer Faruk Kerman