In this post, we walk through a HackTheBox machine, “Explore”. This is an Android-based machine, and HTB users rate its difficulty as easy. We go over the solution step by step, which is useful for beginners. Let’s begin.
An Nmap scan reveals that 3 ports are open, as seen below.
Let’s check whether the web pages give us any useful information. The image below shows what appears when we browse to the site on ports 42135 and 59777.
Nothing interesting, but port 59777 returns some unusual output. When we search Google for “port 59777 exploit”, the results show that it is tied to an ES File Explorer vulnerability (CVE-2019-6447).
The ES File Explorer app creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data on the user’s cell phone and executing applications; however, the service does not check these requests, resulting in a security breach (CVE-2019-6447).
We found the exploit code for CVE-2019-6447 on GitHub. Clone the repository, install the requirements (pip install -r requirements.txt), then run it against the machine.
When we enumerated the target further, we found creds.jpg in the storage/emulated/0/DCIM directory, and we tried to access the machine using it.
#ssh [email protected] -p 2222
It’s an Android box, so we need ADB on our system. We found that port 5555 is filtered, and the service on this port runs locally.
What is adb? Android Debug Bridge (ADB) is a development tool that facilitates communication between an Android device and a personal computer. We can install ADB with the “sudo apt-get install android-tools-adb” command.
Android devices are being shipped with TCP port 5555 enabled, so we forward port 5555 to our localhost and then exploit via adb to get shell access 🙂
#sudo ssh -p 2222 -L 5555:localhost:5555 [email protected]
Once port forwarding is set up, run adb shell; with the “su” command we become the root user. Now we have an elevated session and browse the Administrator directory to get root.txt.
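For defenders auditing their own Android fleet, the exposure pattern in this walkthrough (59777 open, 5555 filtered but still reachable through an SSH forward) can be picked out of Nmap grepable output. The script below is an added example, not part of the original post or of the exploit repository it mentions; the sample scan, its 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re

# Ports this walkthrough relies on, and what listens there.
RISKY_PORTS = {
    59777: "ES File Explorer HTTP service (CVE-2019-6447)",
    5555: "ADB over TCP",
}

# Constructed sample of `nmap -oG` output (documentation-range addresses).
# Nmap's default service table labels 5555/tcp as "freeciv".
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tPorts: 2222/open/tcp//ssh///, 5555/filtered/tcp//freeciv///, 59777/open/tcp//http///
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.12 ()\tPorts: 5555/open/tcp//freeciv///
Host: 192.0.2.13 ()\tPorts: 5555/filtered/tcp//freeciv///\tIgnored State: closed (999)
"""

def parse_grepable(text):
    """Return {host: [(port, state, service), ...]} from Nmap grepable output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?Ports:\s+(.*)", line)
        if not m:
            continue
        entries = []
        # Drop trailing tab-separated sections such as "Ignored State: ...".
        for item in m.group(2).split("\t")[0].split(","):
            fields = item.strip().split("/")
            if len(fields) >= 5 and fields[0].isdigit():
                entries.append((int(fields[0]), fields[1], fields[4]))
        hosts[m.group(1)] = entries
    return hosts

def audit(text):
    """Return sorted findings (host, port, severity, reason) for the risky ports."""
    findings = []
    for host, entries in parse_grepable(text).items():
        has_ssh = any(st == "open" and svc == "ssh" for _, st, svc in entries)
        for port, state, _ in entries:
            if port not in RISKY_PORTS:
                continue
            if state == "open":
                findings.append((host, port, "exposed", RISKY_PORTS[port]))
            elif state == "filtered" and has_ssh:
                # Firewalled from outside, but an SSH login can tunnel to it (ssh -L).
                findings.append((host, port, "reachable-via-ssh", RISKY_PORTS[port]))
    return sorted(findings)

if __name__ == "__main__":
    for host, port, severity, reason in audit(SAMPLE_SCAN):
        print(f"{host}:{port} {severity}: {reason}")
```

A filtered 5555 with no SSH service on the same host is not reported, because nothing in the scan shows a path to it.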
Omer Faruk Kerman