Explore HTB - Walkthrough



Hey peeps, Styx here. This is a quick write-up on the Explore box. The box is rated as easy, but it is also the first Android challenge!
____________________________________________________________________________________
 # RECON #
OS = Android 
version =  4.9.214-android-x86_64-g04f9324 
____________________________________________________________________________________
 ## PORTS ## 
3 ports open 
2222 tcp SSH-2.0-SSH Server - Banana Studio 
44491 tcp 
42135/tcp open http ES File Explorer Name Response httpd 
59777 http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older 
____________________________________________________________________________________
 # EXPLOITATION #
The ES File Explorer service seems to have an arbitrary file read vulnerability. The link can be found here.

Run python3 exploit.py listPics 10.10.10.247

We can see a couple of pics in that directory. The cred.jpg seems interesting. Let's look at it. 
And we found some creds!!!
____________________________________________________________________________________
 # CREDS # 
user: kristi 
pass : Kr1sT!5h@Rp3xPl0r3! 
____________________________________________________________________________________
Now that we have some credentials, let's try to SSH into the machine!
____________________________________________________________________________________
ssh kristi@10.10.10.247 -p 2222 
____________________________________________________________________________________
And you're in!
____________________________________________________________________________________
 # PRIVILEGE ESCALATION # 
We have not yet used port 5555, which is adbd, and we cannot reach it directly. Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device. It is a client-server program that includes three components:
  • A client, which sends commands. The client runs on your development machine. You can invoke a client from a command-line terminal by issuing an adb command.
  • A daemon (adbd), which runs commands on a device. The daemon runs as a background process on each device.
  • A server, which manages communication between the client and the daemon. The server runs as a background process on your development machine.
Let's use SSH tunneling to communicate with the adbd daemon.
____________________________________________________________________________________
ssh -L 5555:127.0.0.1:5555 kristi@10.10.10.247 -p 2222 -N -v -v 
____________________________________________________________________________________
Since this Android device is connected to the SD card, the ADB debugging bridge should be open. We may be able to use ADB directly to crack this box.

Run:
____________________________________________________________________________________
adb -s 127.0.0.1:5555 shell 
____________________________________________________________________________________
When your connection is successful, run su to become root.
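
Seen from the defender's side, the chain above works because adbd stays reachable to anyone who can forward ports over SSH, even though port 5555 cannot be reached directly. The script below is an added example, not part of the original write-up: it audits netstat-style listener output for the ports named in this post. The sample output is constructed, and `audit` and `is_loopback` are names chosen for this example.

```python
import ipaddress

# Ports and labels as they appear in the write-up's scan and tunnel steps.
WATCHED = {2222: "SSH server", 5555: "adbd",
           42135: "ES File Explorer httpd", 59777: "HTTP service from the scan"}

# Constructed `netstat -tln` style sample, not captured from the box.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp   0 0 127.0.0.1:8080        0.0.0.0:* LISTEN
tcp6  0 0 :::2222               :::*      LISTEN
tcp6  0 0 ::ffff:127.0.0.1:5555 :::*      LISTEN
tcp6  0 0 :::59777              :::*      LISTEN
tcp   0 0 127.0.0.1:42135       0.0.0.0:* LISTEN
"""

def is_loopback(host):
    """True only when the bind address is a loopback address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # "*" or an interface name: treat as exposed
        return False
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:127.0.0.1 case
    return (mapped or addr).is_loopback

def audit(netstat_text):
    """Return sorted (port, service, scope, action) for watched listeners."""
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        host, _, port = f[3].rpartition(":")
        port = int(port)
        if port not in WATCHED:
            continue
        scope = "loopback" if is_loopback(host) else "network"
        if port == 5555:
            # The write-up reaches adbd through `ssh -L`, so a loopback-only
            # or firewalled adbd is still reachable by any SSH user.
            action = "disable ADB over TCP"
        elif scope == "network":
            action = "restrict or remove listener"
        else:
            action = "ok"
        findings.append((port, WATCHED[port], scope, action))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```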

____________________________________________________________________________________
Voila, we are root. This was an easy box, and I learned some new things while hacking on it.
Hope it was useful to you. See you in the next one!

Cheers,



Styx
