Link: https://app.hackthebox.eu/machines/Explore

First Android box, let’s get to it!

Enumeration

We have SSH open on port 2222 that just asks for a password. Port 5555 is a program called freeciv, but the port is filtered. Some investigation reveals that on Android this port can be used for ADB. Trying to connect to ADB on this port times out.

We have a file explorer open on 42135 and a Minecraft server on 59777 (?).

I looked into ES File Explorer and found a CVE for arbitrary file read. It also appears ES File Explorer uses port 59777 as well, so the Minecraft fingerprint might be invalid. The exploit can be found here.

File Explorer Enumeration

With this exploit, we can run some commands. Running getDeviceInfo shows it is a VM box and we are on the /sdcard. Many of the other commands, such as those for getting apps, do not seem to work.

One command that does work is listPics:

One interesting file is creds.jpg.

Now we can run

python3 50070.py getFile 10.129.32.72 /storage/emulated/0/DCIM/creds.jpg

and we get handwritten credentials of kristi:Kr1sT!5h@Rp3xPl0r3!

With these credentials, we can log in to SSH on port 2222 and we are in! Doing some sleuthing around, we can find the user.txt in the sdcard root.

SSH Forwarding

I looked up how we could connect to ADB remotely so that we can execute adb root or adb shell, and I found articles on ADB SSH tunneling.

In a new Kali terminal I ran this and provided the password:

ssh -L 5555:127.0.0.1:5555 -N -f [email protected] -p 2222

Then we can run the following:

$ adb connect 127.0.0.1:5555
connected to 127.0.0.1:5555

$ adb root
restarting adbd as root

$ adb shell
x86_64:/ # whoami
root

Now we can find the root flag in /data/root.txt.
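A defender-side check for the exposure this section relies on, as an added example that is not part of the original write-up: it parses `netstat -tln`-style output and flags ADB on 5555 as reachable whenever an SSH listener is also present, because a filtered port gives no protection against a local forward. The function names and the sample output are assumptions constructed for illustration.

```python
import re

# Ports the write-up touches: SSH (2222), ADB over TCP (5555), ES File Explorer (59777).
WATCHED = {2222: "ssh", 5555: "adb", 59777: "es-file-explorer"}
LOOPBACK = re.compile(r"^(127\.|::1$|::ffff:127\.)")

def parse_listeners(netstat_text):
    """Yield (address, port) for each TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 colons
        if port.isdigit():
            yield addr.strip("[]"), int(port)

def audit(netstat_text):
    """Return {service: finding} for the watched ports."""
    listeners = list(parse_listeners(netstat_text))
    has_ssh = any(WATCHED.get(port) == "ssh" for _, port in listeners)
    findings = {}
    for addr, port in listeners:
        name = WATCHED.get(port)
        if name is None:
            continue
        if name == "adb" and has_ssh:
            # A firewall rule or loopback bind does not help if sshd permits
            # TCP forwarding: an SSH user can forward a local port to 5555.
            finding = "reachable through SSH port forwarding"
        elif LOOPBACK.match(addr):
            finding = "loopback only"
        else:
            finding = "listening on all interfaces"
        # A port may appear twice (IPv4 and IPv6); keep the worse finding.
        if findings.get(name) in (None, "loopback only"):
            findings[name] = finding
    return findings

# Constructed sample output, not captured from the box.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 :::5555                 :::*                    LISTEN
tcp6       0      0 :::59777                :::*                    LISTEN
"""

if __name__ == "__main__":
    for service, finding in audit(SAMPLE).items():
        print(f"{service}: {finding}")
```

The ADB finding assumes the SSH server allows TCP forwarding; where it is disabled, fall back to the bind-address result.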
