Explore

Explore writeup by Thamizhiniyan C S

Overview

Hello everyone, In this blog we are going to solve Explore from HackTheBox.

Link for the machine : https://app.hackthebox.com/machines/356

Lets Start 🙌

Connect to the HTB server by using the OpenVpn configuration file that’s generated by HTB.

[ Click Here to learn more about how to connect to vpn and access the boxes. ]

After connecting to the vpn service, click on Join Machine to access the machine’s ip.

After joining the machine you can see the IP Address of the target machine.

---

Reconnaissance

Rustscan

First I started by scanning for open ports on the target machine.

Results

From the scan results we have found the following open ports:

Port	Service	Version
2222	SSH	ssh2.0
46173	unknown	unknown
59777	HTTP	-

---

Port 59777

On searching about the port 59777, found the following:

GitHub - fs0c131y/ESFileExplorerOpenPortVuln: ES File Explorer Open Port Vulnerability - CVE-2019-6447GitHub

On further research about the CVE-2019-6447, found the following exploit:

ES File Explorer 4.1.9.7.4 - Arbitrary File ReadExploit Database

Download the exploit and run it with python 3

Now to list the files, execute the following command:python3 50070.py listFiles 10.10.10.247 | grep name

Based on the output, nothing interesting was found. Next I tried to list the pictures.

Command:python3 50070.py listPics 10.10.10.247

From the output, we can see a picture named creds.jpg, which sounds interesting.

So I decided to take a look it and downloaded the picture using the command:

python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg

Open the out.dat file with a image viewer.

---

Initial Access

From the image, we have got the following credentials: kristi:Kr1sT!5h@Rp3xPl0r3!

Now try to login via SSH to the target using the found credentials.

While trying to login via SSH got the following error:

On searching for solution for the above error, found this:

I get the error "no matching host key type found. Their offer: ssh-rsa" when trying to connect with SSHGenymotion

To fix the error, use the ssh command as shown below:

Command:ssh -p 2222 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.10.10.247

We have successfully logged in.

---

Getting the User Flag

On surfing the file system, I found the flag at /sdcard/ location.

---

Getting the Root Flag

Next its time to escalate our privileges. I was looking out for privilege escalation vectors and found the /etc/init.sh script.

On viewing the contents of the script, we can see that firewall blocks all the connections to the port 5555 from the outside and only allows access to it from localhost.

By default, ADB runs on port 5555.

5555 - Android Debug Bridge - HackTricksbook.hacktricks.xyz

If we can connect to this device via adb, we can try to escalate our privileges.

For that first we need adb. I have it one my local machine. Since, firewall blocks external connections to port 5555, we have to create a tunnel to the target machine, and then use adb to escalate our privilege.

To create a tunnel I used SSH.

# Creating a tunnel to the target machine via SSH
ssh -p 2222 -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa kristi@10.10.10.247 -L localhost:5555:localhost:5555 -fN

# Here
# -L - Creates a link between the target machine port and our local machine port\
# -N - Tells SSH that we don't want to exectue any commands
# -f - Runs SSH in background

After executing the command successfully, we can now connect to the target via adb using the command: adb connect localhost:5555

Now lets open the interactive shell using the command: adb -s localhost:5555 shell

Now use the su command to escalate our privilege as sudo/root.

Found the flag at /data/ directory.

We have successfully found the root flag.

Thank You……..