This post documents the complete walkthrough of Explore, a retired vulnerable VM created by bertolis, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Explore is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports in the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.247 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-06-28 08:28:05 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 59777/tcp on 10.10.10.247
Discovered open port 2222/tcp on 10.10.10.247
Discovered open port 39765/tcp on 10.10.10.247
Discovered open port 42135/tcp on 10.10.10.247

This is an interesting list of open ports. Let’s do one better with nmap, scanning the discovered ports to establish their services.

nmap -n -v -Pn -p2222,39765,42135,59777 -A --reason 10.10.10.247 -oN nmap.txt
...
2222/tcp  open  ssh     syn-ack ttl 63 (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
39765/tcp open  unknown syn-ack ttl 63
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:06 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Mon, 28 Jun 2021 08:45:06 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Mon, 28 Jun 2021 08:45:11 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:27 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:11 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:27 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:27 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Mon, 28 Jun 2021 08:45:27 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
42135/tcp open  http    syn-ack ttl 63 ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
59777/tcp open  http    syn-ack ttl 63 Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

CVE-2019-6447 ES File Explorer Open Port Vulnerability

Open ports 42135/tcp and 59777/tcp suggest that ES File Explorer is installed. It’s likely we can use the public proof-of-concept exploit code for this vulnerability to browse the file system.
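As an added example (not code from the original post), here is a small Python triage script that correlates the masscan and nmap output shown above and flags the ports associated with ES File Explorer (CVE-2019-6447) and with adb. It treats a matching nmap service banner as stronger evidence than the port number alone, which matters here because nmap labels 59777/tcp as Bukkit JSONAPI even though the port belongs to ES File Explorer. The port-to-service table and the 5555/tcp adb default are assumptions of the example, not something the post states.

```python
import re
from collections import defaultdict

# Assumed port-to-service table: 42135 and 59777 come from the scan above
# (CVE-2019-6447); 5555/tcp is adb's default listener, forwarded later on.
RISKY_PORTS = {
    59777: "ES File Explorer HTTP server (CVE-2019-6447)",
    42135: "ES File Explorer Name Response server",
    5555: "Android Debug Bridge (adb)",
}
BANNER_HINTS = ("ES File Explorer", "ES Name Response")
MASSCAN_RE = re.compile(r"Discovered open port (\d+)/tcp on (\S+)")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+syn-ack ttl \d+\s*(.*)$", re.M)

def parse_masscan(text):
    """Map each host to the set of open TCP ports masscan reported."""
    hosts = defaultdict(set)
    for port, host in MASSCAN_RE.findall(text):
        hosts[host].add(int(port))
    return dict(hosts)

def parse_nmap_services(text):
    """Map each port to the service/version string nmap -A printed."""
    return {int(p): b.strip() for p, b in NMAP_RE.findall(text)}

def assess(masscan_text, nmap_text=""):
    """Flag risky ports per host; a matching nmap banner raises confidence."""
    banners = parse_nmap_services(nmap_text)
    findings = []
    for host, ports in parse_masscan(masscan_text).items():
        for port in sorted(ports & set(RISKY_PORTS)):
            banner = banners.get(port, "")
            confirmed = any(h in banner for h in BANNER_HINTS)
            findings.append({"host": host, "port": port,
                             "what": RISKY_PORTS[port],
                             "confidence": "banner-confirmed" if confirmed
                             else "port-number-only"})
    return findings

# Constructed sample input: masscan and nmap lines copied from the scan above.
MASSCAN_SAMPLE = """\
Discovered open port 59777/tcp on 10.10.10.247
Discovered open port 2222/tcp on 10.10.10.247
Discovered open port 42135/tcp on 10.10.10.247
"""
NMAP_SAMPLE = """\
42135/tcp open  http    syn-ack ttl 63 ES File Explorer Name Response httpd
59777/tcp open  http    syn-ack ttl 63 Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
"""
```

Running `assess(MASSCAN_SAMPLE, NMAP_SAMPLE)` yields two findings for 10.10.10.247: 42135/tcp banner-confirmed and 59777/tcp flagged on port number only, since nmap's guess for it does not mention ES File Explorer.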

The file creds.jpg sure looks interesting! Let’s grab a copy of it.

What do we have here?

Foothold

Armed with a pair of credentials (kristi:[email protected]!), we should be able to SSH in.

Bingo.

The file user.txt is in /sdcard.

Privilege Escalation

During enumeration of this account, I notice port 5555/tcp is listening on the loopback interface.

Android Debug Bridge

This means that I should be able to forward port 5555/tcp to a local port of my choice like so and use adb to connect to it.

ssh -L5555:127.0.0.1:5555 kristi@10.10.10.247 -p2222

connect

devices -l

Both devices listed are one and the same. Selecting either one will do (see next step).

shell

Time to open a shell into the device.

su to root

Let’s see if we can su to root.

The rest is history…

:dancer: