Explore - HackTheBox
Start with an Nmap scan for open ports.
root@wackyh4cker:/home/wackyh4cker/HTB/Explore# nmap -sS --min-rate=5000 -p- -Pn --open -vvv -n 10.10.10.247 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-31 15:51 CET
Initiating SYN Stealth Scan at 15:51
Scanning 10.10.10.247 [65535 ports]
Discovered open port 43671/tcp on 10.10.10.247
Discovered open port 42135/tcp on 10.10.10.247
Discovered open port 59777/tcp on 10.10.10.247
Discovered open port 2222/tcp on 10.10.10.247
Completed SYN Stealth Scan at 15:51, 27.32s elapsed (65535 total ports)
Nmap scan report for 10.10.10.247
Host is up, received user-set (0.13s latency).
Scanned at 2021-10-31 15:51:23 CET for 28s
Not shown: 55102 closed ports, 10429 filtered ports
Reason: 55102 resets and 10429 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
2222/tcp open EtherNetIP-1 syn-ack ttl 63
42135/tcp open unknown syn-ack ttl 63
43671/tcp open unknown syn-ack ttl 63
59777/tcp open unknown syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.40 seconds
Raw packets sent: 133569 (5.877MB) | Rcvd: 55331 (2.213MB)
Perform another scan to detect the version and service of each port.
root@wackyh4cker:/home/wackyh4cker/HTB/Explore# cat webScan
# Nmap 7.80 scan initiated Sun Oct 31 15:56:11 2021 as: nmap -sCV -p2222,42135,43671,59777 -oN webScan 10.10.10.247
Nmap scan report for 10.10.10.247
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
43671/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:18 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Sun, 31 Oct 2021 14:56:18 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Sun, 31 Oct 2021 14:56:23 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:23 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Sun, 31 Oct 2021 14:56:38 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.80%I=7%D=10/31%Time=617EAE92%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port43671-TCP:V=7.80%I=7%D=10/31%Time=617EAE91%P=x86_64-pc-linux-gnu%r(
SF:GenericLines,AA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x2
SF:031\x20Oct\x202021\x2014:56:18\x20GMT\r\nContent-Length:\x2022\r\nConte
SF:nt-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n
SF:\r\nInvalid\x20request\x20line:\x20")%r(GetRequest,5C,"HTTP/1\.1\x20412
SF:\x20Precondition\x20Failed\r\nDate:\x20Sun,\x2031\x20Oct\x202021\x2014:
SF:56:18\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,B5,"HTTP/1
SF:\.0\x20501\x20Not\x20Implemented\r\nDate:\x20Sun,\x2031\x20Oct\x202021\
SF:x2014:56:23\x20GMT\r\nContent-Length:\x2029\r\nContent-Type:\x20text/pl
SF:ain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nMethod\x20not\x
SF:20supported:\x20OPTIONS")%r(RTSPRequest,BB,"HTTP/1\.0\x20400\x20Bad\x20
SF:Request\r\nDate:\x20Sun,\x2031\x20Oct\x202021\x2014:56:23\x20GMT\r\nCon
SF:tent-Length:\x2039\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\
SF:r\nConnection:\x20Close\r\n\r\nNot\x20a\x20valid\x20protocol\x20version
SF::\x20\x20RTSP/1\.0")%r(Help,AE,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nD
SF:ate:\x20Sun,\x2031\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length:
SF:\x2026\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnectio
SF:n:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20HELP")%r(SSLSessionRe
SF:q,DD,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x2031\x20Oct\
SF:x202021\x2014:56:38\x20GMT\r\nContent-Length:\x2073\r\nContent-Type:\x2
SF:0text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\r\nInvalid
SF:\x20request\x20line:\x20\x16\x03\0\0S\x01\0\0O\x03\0\?G\?\?\?,\?\?\?`~\
SF:?\0\?\?{\?\?\?\?w\?\?\?\?<=\?o\?\x10n\0\0\(\0\x16\0\x13\0")%r(TerminalS
SF:serverCookie,CA,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nDate:\x20Sun,\x20
SF:31\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length:\x2054\r\nConten
SF:t-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnection:\x20Close\r\n\
SF:r\nInvalid\x20request\x20line:\x20\x03\0\0\*%\?\0\0\0\0\0Cookie:\x20mst
SF:shash=nmap")%r(TLSSessionReq,DB,"HTTP/1\.0\x20400\x20Bad\x20Request\r\n
SF:Date:\x20Sun,\x2031\x20Oct\x202021\x2014:56:38\x20GMT\r\nContent-Length
SF::\x2071\r\nContent-Type:\x20text/plain;\x20charset=US-ASCII\r\nConnecti
SF:on:\x20Close\r\n\r\nInvalid\x20request\x20line:\x20\x16\x03\0\0i\x01\0\
SF:0e\x03\x03U\x1c\?\?random1random2random3random4\0\0\x0c\0/\0");
Service Info: Device: phone
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 31 15:57:53 2021 -- 1 IP address (1 host up) scanned in 101.75 seconds
Looking at the result I saw that it was an Android machine, the first one in HackTheBox, something that caught my attention is the port 42135, it is running ES File Explorer, searching for exploits I found the following.
There was an “exploit” for reading arbitrary files, I found it and ran it, it allowed me to do the following.
After doing a little enumeration on the device, I found an image with a striking name, creds.jpg.
I decided to download it using the getFile parameter of the tool.
I opened it and found a credential.
I tried to authenticate via SSH and I got in, I could now view the user’s “flag”.
After doing some research I found port 5555 open locally.
Since I did not have access to it externally, I performed a Local Port Forwarding, that is, having the port open locally on my machine but at the same time making connectivity with the victim machine, I had SSH open so it was not necessary to use Chisel, apply the following command.
This port is from adb, a system that allows you to control Android devices from your computer, either via USB or TCP, in this case it was via TCP, knowing this I thought about creating a shell, and after a little research I found out how to do it.
Basically it was to execute adb -s IP:PORT shell, where IP would be the victim machine, in this case it would be 127.0.0.1, locally, since we have done a Port Forwarding and we have port 5555 open locally.
With this Shell we already had access to the system as root, doing a search with find I found the flag, I did a xargs to apply a cat to the path it reported.
Leave a comment