HackTheBox-Explore

by

Hello everyone, this HackTheBox walkthrough ARZ101, shows you how to hack the HackTheBox-Explore machine. this write-up is related to HackTheBox Explore box which was the first android machine seen on the platform, starting with the Nmap scan we can see 4 TCP ports and an ssh port which were not common ports. On port 42135 it showed that it was using ES File Explorer which seemed odd that it didn’t show anything on visiting that port but a quick google search showed us that there’s an arbitrary file read vulnerability. After navigating into the file system we can find an image file that had ssh password for the user Kristi and look into the ports which were locally listening to we see port 5555 on which ADB service runs, as it was running locally we needed to do port forwarding in order to connect to that port using ADB client from our machine to get a root shell.

 

NMAP

nmap -p- -sC -sV --min-rate 5000 10.10.10.247 -vv
PORT      STATE    SERVICE REASON         VERSION          
2222/tcp  open     ssh     syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:                                                        
|   NULL:                          
|_    SSH-2.0-SSH Server - Banana Studio                     
| ssh-hostkey:                
|   2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqK2WZkEVE0CPTPpWoyDKZkHVrmffyDgcNNVK3PkamKs3M8tyqeFBivz4o8i9Ai8UlrVZ8mztI3qb+cHCdLMDpaO0ghf/50qYVGH4gU5vuVN
0tbBJAR67ot4U+7WCcdh4sZHX5NNatyE36wpKj9t7n2XpEmIYda4CEIeUOy2Mm3Es+GD0AAUl8xG4uMYd2rdrJrrO1p15PO97/1ebsTH6SgFz3qjZvSirpom62WmmMbfRvJtNFiNJRydDpJvag2u
rk16GM9a0buF4h1JCGwMHxpSY05aKQLo8shdb9SxJRa9lMu3g2zgiDAmBCoKjsiPnuyWW+8G7Vz7X6nJC87KpL                                                              
5555/tcp  filtered freeciv no-response                                
42135/tcp open     http    syn-ack ttl 63 ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server              
|_http-title: Site doesn't have a title (text/html).
43891/tcp open     unknown syn-ack ttl 63              
| fingerprint-strings:                        
|   GenericLines:                                            
|     HTTP/1.0 400 Bad Request                                                
|     Date: Sat, 26 Jun 2021 22:27:36 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest: 
|     HTTP/1.1 412 Precondition Failed
|     Date: Sat, 26 Jun 2021 22:27:36 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Date: Sat, 26 Jun 2021 22:27:42 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 26 Jun 2021 22:27:59 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 26 Jun 2021 22:27:42 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 26 Jun 2021 22:27:59 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|   TLSSessionReq:      
|     HTTP/1.0 400 Bad Request                                            
|     Date: Sat, 26 Jun 2021 22:28:01 GMT
|     Content-Length: 71           
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close       
|     Invalid request line:                                               
|     ??random1random2random3random4
|   TerminalServerCookie:                                                 
|     HTTP/1.0 400 Bad Request
|     Date: Sat, 26 Jun 2021 22:28:01 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close                                                   
|     Invalid request line: 
|_    Cookie: mstshash=nmap                                               
59777/tcp open     http    syn-ack ttl 63 Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

From the Nmap scan the only port that interests me was port 42135

PORT 42135 (HTTP)

But there was nothing on this port, so I searched a bit since it was using ES File explorer Name Response httpd and that made me curious as I daily used that file explorer on my android device. On searching, I found some interesting results.

 

https://www.safe.security/assets/img/research-paper/pdf/es-file-explorer-vulnerability.pdf

 

PORT 59777 (HTTP)

This version of ES File Explorer was vulnerable that would allow us to read and download files being on the same network as ES file browser creates an HTTP service bound to port 59777 at runtime, which provides some commands for accessing data in android device executing them however the service does not check this request, the available commands for us are.

So I used the Metasploit module to exploit this.

And this work so let’s use the command to list apps installed on this device.

 

We can try to list all apps including the system apps to see which version of android it’s using and from the results it’s android 9.

Now the issue with the Metasploit module is that we can only list files but not in folders, like if I want to look at what’s in /sdcard I can’t do that so I looked for articles on how to exploit it manually.

curl --header "Content-Type: application/json" --request POST --data "{\"command\":\"listFiles\"}" http://10.10.10.247:59777/sdcard/

Perfect, we can now somehow try to navigate to folders and we can see them user.txt as well, we can’t grab the text file by using curl but the Metasploit module did have a command GETFILE.

We got the user flag, now we just need to figure out how we can get into the android device.

Ongoing through different directories, I visited DCIM folder which is a folder for storing images taken from an android device’s camera or any other photos you download from app basically all images are stored here, so in this folder, we can see an image creds.jpg that is interesting.

So to get this image we’ll do the same thing we did for the user flag.

We got the creds as the SSH server is listening on port 2222 we can connect to it.

PORT 2222 (SSH)

Now remember that we saw port 5555 which was filtered, googling that tells us that the port listens for ADB (Android Debug Bridge) which allows us to debug apps or access hidden features or maybe to pop up Unix shell so maybe we can use this to get root. You can read more about ADB from here https://www.xda-developers.com/what-is-adb/.

 

In order to connect it, we need to first do port forwarding for port 5555.

 

PORT 5555 (ADB)

 

Now we just need to use adb to connect with that port, if you don’t have ADB installed you can install it by following this https://www.xda-developers.com/install-adb-windows-macos-linux/

On connecting we can see changes in user groups.

So let’s just do su

 

We are root, for the root flag, I used find command as I didn’t know where to look for root.txt

 

With this, we solved this machine !!!

References