DEV Community

Cover image for Hack the Box - Explore Walkthrough
Sophie Kaelin
Sophie Kaelin

Posted on • Updated on

Hack the Box - Explore Walkthrough

Hack The Box - Explore

This is the second box I've system-owned on HTB. Explore was a fun machine to play with which taught me a lot about the importance of perseverance. I completed this box alongside a few other work colleagues.

Details

  • OS: Android
  • Difficulty: 3.6/10
  • Release: 17/08/2021
  • IP: 10.10.10.247
  • Box Author: bertolis

Knowledge/Skill Requirements

  • SSH Port Forwarding
  • Android OS + associated tools (ADB, ES File Explorer)
  • I used my Kali Linux VM to complete this.

Enumeration

As always, I started off by looking at which services were running by executing an nmap scan.

Alt Text

Seeing that the four ports running were (2222, 5555, 41567, 59777) I decided to do some research on common uses of those ports on android operating systems. Information I found included:

  • 2222: SimpleSSH
  • 5555: Android Debug Bridge (ADB)
  • 59777: ES File Explorer

I never worked out what 41567 was doing.

Analysis

The two services I wanted to look at in more detail were ADB and ES File Explorer. I'd never played with Android devices before, so I looked a little more into what each of the services did. I also searched if there were any known vulnerabilities/CVE's associated with them. And ... ✨VOILA

Alt Text

ES File explorer had a CVE associated with it (CVE-2019-6447). The exploit allows remote users to read arbitrary files from anywhere on the network over port 59777.

Digging around more, I found an exploit script on exploit-db. I played around with the script and saw it can list and retrieve files from the system. Eventually I found a file called creds.jpg which looked promising.

Alt Text

I could retrieve the file by running:

python3 exploit-script.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The file contained what looked like a username and password (GASP!).

Alt Text

kristi:Kr1sT!5h@Rp3xPl0r3!

As a HTB noob, I thought I'd found the user flag here.

But when entering the password didn't work I looked at how else I could use these credentials.

Privilege Escalation

Remembering that an SSH port was open on 2222, I tried using these creds to SSH onto the machine. And after many failed attempts at guessing whether the password contains O's or 0's, and l's, 1's or I's, I could access the device!

Alt Text

Once I'd fought with find and grep (both of which I can never seem to get to work properly) I could see the flag inside sdcard/user.txt

Alt Text

Full Control

At this point I had access to the device through SSH, and I knew I had an ADB service running on port 5555. In order to run ADB on the device, I had to set up SSH port forwarding so that I could run ADB commands on the device.

ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555

Once port forwarding was set up, I was able to run ADB commands on the device, gain a shell, escalate that shell to root and search for the root.txt file.

adb connect 127.0.0.1:5555

Alt Text

And that's all ! Thanks for reading.

Discussion (7)

Collapse
thibaudcocostegue profile image
Thibaud Cocostegue

I litterally make the same way, but the password don't work, even if i replace the 0 with an o or the 1 with an I or L or l, i can't understand why

Collapse
sophiekaelin profile image
Sophie Kaelin Author

the same thing happened to me ! I tried every single variation and couldn't get it to work hahah. Have you tried copying and pasting the password above?

Collapse
thibaudcocostegue profile image
Thibaud Cocostegue

Yeah, i resolve it, it was my fault lmao, i write "ssh kristi@10.10.10.247 -p 2222" and not "ssh kristi@10.10.10.247 -p 2222 -L 5555:localhost:5555" and it work with the second but not with the first.

Collapse
dfm666 profile image
dfm666

Thank you very much for your tutorial. I searched hours and hours to find another login then ssh because i thought i entered the correct password.

Collapse
sysment profile image
CʘDE

i cant see the localhost device on the adb devices command in mine.... why so?

Collapse
sophiekaelin profile image
Sophie Kaelin Author

That might mean your SSH Port forwarding wasn't successful set up? Otherwise, I'd have a look at the ADB user guide: developer.android.com/studio/comma...

Collapse
igorg1312 profile image
IgorGarofano

Thanks for sharing, one point adb to me didn't list localhost, but an emulator-5554 where i connected as you showed and able to get root flag.