Explore HackTheBox WalkThrough
This is a walkthrough of the Explore HackTheBox machine. In this writeup, I demonstrate step by step how I rooted the Explore HackTheBox machine. Before starting, let us learn something about this box. It is an Android OS box with IP address 10.10.10.247 and difficulty level Easy, as assigned by its maker.
First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Explore machine by pinging its IP, 10.10.10.247. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps with banner grabbing for the various services running on different ports, and sometimes it also helps with vulnerability assessment. I used nmap for this task, and the result is given below:
$ sudo nmap -sT -T4 -sV -p- -oN explore-all-tcp.nmap --min-rate=1000 10.10.10.247
Full TCP port scan revealed 4 ports as open.
SSH server on
ES File Explorer on
Bukkit JSONAPI web server on
59777 and an unknown service is running on port 33483. A quick Google search for ES File Explorer exploit revealed that ES File Explorer on Android is vulnerable to an Arbitrary File Read vulnerability. For more information about this vulnerability, check this link. You can either use the previous link to download the exploit code or use this link; they are all the same. Here is the snippet of the exploit.
Using this exploit, I could read many files on the Explore machine. When I tried to list all the pictures on the Android phone, I found a picture named creds.jpg. Judging by its name, it may contain some type of credential. I then tried to download this picture using the exploit itself, but it gave me the error "You need to provide full path of the file". After a few more attempts, when I still was not able to download it, I tried to access the file using a web browser, and the file could be accessed that way. Inside that file [pic] there is a handwritten credential. I followed the steps below to access the file.
Downloading & Executing Exploit
$ wget https://dl.packetstormsecurity.net/2106-exploits/esfileexplorer41974-fileread.txt
$ mv esfileexplorer41974-fileread.txt exploit.py
$ python3 exploit.py listPics 10.10.10.247
$ curl http://10.10.10.247:59777/storage/emulated/0/DCIM/creds.jpg -O
$ firefox creds.jpg
The extracted credential from the file is
Getting User Shell
Let us use the grabbed credential to log in to Kristi’s SSH account.
$ ssh [email protected] -p 2222
~ [email protected]!
$ whoami && id
We have successfully logged in to kristi’s SSH account. Let us capture the user flag.
Capture User Flag
$ cat /sdcard/user.txt
To escalate privileges to root, we first have to find a privilege escalation vector. We can use a post-exploitation enumeration script for this task. Check this link if you need more information about a bunch of post-exploitation tools.
Finding PrivEsc Vector
$ ss -lnpt
The command revealed that port 5555 is open and listening locally.
Then I checked which process is running on this port and which user is executing it. If it is executed by root or some well-known user, then we should definitely have a look at it. Generally, on Android, port 5555 is used by adb, so I checked the running processes, and it revealed that adb is being executed by user
$ ps -ef | grep -i adb
A quick Google search for adb privilege escalation gave this ppt. According to this ppt, we can perform privilege escalation only when we are logged in as user shell, but currently we are logged in as user u0_a76. We have to somehow log in as user shell to perform privilege escalation. When I logged in as user shell, I could perform privilege escalation very easily. So here our potential PrivEsc vector is privilege escalation by exploiting adb [Android Debug Bridge].
Local Port Forwarding
The adbd service is running locally as user shell, and we can access this service on our Kali machine by forwarding port 5555 to it. Therefore, to access adb, I forwarded port 5555 to my Kali machine through local port forwarding. Now we can see the forwarded port on our Kali machine using the ss -lnpt command.
$ ssh -L 5555:127.0.0.1:5555 [email protected] -p 2222
Password: [email protected]!
$ ss -lnpt
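A defender-side check for the two listeners this walkthrough relies on, as an added example that is not part of the original writeup: it parses `ss -lnpt` output and reports whether ports 5555 and 59777 are listening and on which scope. The sample output, `WATCHED_PORTS` and the function names are constructed for illustration.

```python
import ipaddress

# Ports taken from this walkthrough; the labels are descriptive only.
WATCHED_PORTS = {5555: "adb over TCP (adbd)",
                 59777: "ES File Explorer HTTP service"}

# Constructed sample of `ss -lnpt` output (not captured from the machine).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       50      *:2222                    *:*
LISTEN  0       4       127.0.0.1:5555            0.0.0.0:*
LISTEN  0       50      *:59777                   *:*
LISTEN  0       8       [::ffff:127.0.0.1]:33483  *:*
"""

def split_addr_port(local):
    """Split the 'addr:port' column of ss; IPv6 addresses are bracketed."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for loopback binds, including IPv4-mapped IPv6 loopback."""
    if addr in ("*", "0.0.0.0", "::"):
        return False  # wildcard bind: reachable on every interface
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop %iface suffix
    except ValueError:
        return False  # unparseable address: treat as exposed
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback

def audit_listeners(ss_output):
    """Return (port, label, scope) for each watched port in LISTEN state."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = split_addr_port(fields[3])
        if port in WATCHED_PORTS:
            scope = "loopback" if is_loopback(addr) else "all-interfaces"
            findings.append((port, WATCHED_PORTS[port], scope))
    return findings

if __name__ == "__main__":
    for port, label, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port}: {label} listening on {scope}")
```

A loopback result for port 5555 still deserves attention: the walkthrough reaches that listener from a low-privileged SSH session through local port forwarding.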
Getting Root Shell
Once we can access the adb service locally, we can easily connect to it and perform privilege escalation. To do so, I followed the steps below.
$ adb connect 127.0.0.1
$ adb devices
$ adb shell
# whoami && id
We have successfully got a root shell. Let us capture the root flag.
Capture Root Flag
# find / -user "root" -type f -name "root.txt" 2>/dev/null
# cat /data/root.txt
This was how I rooted the Explore HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt some new things. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough, feel free to write to us at [email protected].