📦 HTB - Explore
Pretty interesting box, first time seeing Android in HTB.
Exfilter files on device using ES File explorer exploit, get user credentials. Root is straightforward with ADB.
nmap we get the following:
2222: SSH server
5555: not interesting, we will see why further
33195: ES File Explorer (with some research)
The only useful port here is
33195, with a litle research on the web we get that this is possibly a good entrypoint for our exploit.
As this is an easy box
and I am lazy I used the forbidden M e t a s p l o i t. Using it’s
auxiliary/scanner/es_file_explorer_open_port exploit I managed to exfilter some files off the device:
We found some Pictures on the device. The
creds.jpg is very interesting:
We can now ssh to the device and get
The idea that came to my mind here was to use ADB to get a root shell on the device. We first need to connect to this device with ADB, so we have to make a tunnel:
We can now connect to it:
End of the box.