📦 HTB - Explore

Pretty interesting box, first time seeing Android in HTB.
TL;DR
Exfilter files on device using ES File explorer exploit, get user credentials. Root is straightforward with ADB.
Footholds
With nmap
we get the following:
|
|
2222
: SSH server5555
: not interesting, we will see why further33195
: ES File Explorer (with some research)
The only useful port here is 33195
, with a litle research on the web we get that this is possibly a good entrypoint for our exploit.
User
As this is an easy box and I am lazy I used the forbidden M e t a s p l o i t. Using it’s auxiliary/scanner/es_file_explorer_open_port
exploit I managed to exfilter some files off the device:
We found some Pictures on the device. The creds.jpg
is very interesting:
We can now ssh to the device and get user.txt
.
Root
The idea that came to my mind here was to use ADB to get a root shell on the device. We first need to connect to this device with ADB, so we have to make a tunnel:
|
|
We can now connect to it:
|
|
End of the box.