🔎🦶Enumeration/Foothold

Explore is an Easy box from HTB, created by bertolis. This box features an Android phone with an exploitable ESFileExplorer and an Android ADB privilege escalation. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. During this scan my RustScan kept timing out (bug or update), so I ran nmap directly instead.


Seeing Port 59777 open on Android immediately reminded me of CVE-2019-6447 and Port Swigger – ES File Manager as I have used the ES Suite for years and read the article on the exploit when it came out.

I pulled the proof of concept to my local machine and then began investigating the different files installed on the device. Eventually I came across the pictures (which was unexpected), which included "location":"/storage/emulated/0/DCIM/creds.jpg":


I then pulled the file using the same tool:


As extra due-diligence the file was also accessible via HTTP:

Finding an image with the username/password for Kristi.


🔝Escalation

I then proceeded to log in to SSH on Port 2222, remembering the original nmap scans:


After logging into the box I did some enumeration. Eventually I noticed that Port 5555 was open on the box and came up as filtered in my initial nmap scan:


I used SSH to forward Port 5555 to my localhost:


Next I attempted to connect to the Port using ADB (Android Device Bridge). More information regarding it can be found here.


I then looked to see if the box (android device) was registered:


I then logged in and upgraded my shell to root:


Finally I grabbed both flags:


Rooted
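A defender-side check for the three ports this walkthrough depended on, added here as an example and not part of the original post: it parses nmap grepable (`-oG`) output and flags them, treating a filtered 5555 as still needing review because the post reached that port through a local SSH forward. The sample scan lines and the 192.0.2.x addresses are constructed.

```python
import re

# Ports the walkthrough relied on, with a remediation note for each.
WATCHED = {
    59777: "ES File Explorer HTTP service (CVE-2019-6447): uninstall or update the app",
    5555: "ADB over TCP: turn off network debugging on the device",
    2222: "SSH on a non-default port: confirm it is intended, rotate exposed credentials",
}

# Constructed sample of `nmap -oG` output; hosts use the 192.0.2.0/24 documentation range.
SAMPLE = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 2222/open/tcp//ssh///, 5555/filtered/tcp//freeciv///, "
    "59777/open/tcp//http///\tIgnored State: closed (65532)\n"
    "Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 5555/closed/tcp//freeciv///\n"
)

PORTS_LINE = re.compile(r"Host:\s+(\S+).*?\bPorts:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Yield (host, port, state, service) for every entry on a 'Ports:' line."""
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue  # status lines and comments carry no port list
        host, ports = m.groups()
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[0].isdigit():
                yield host, int(fields[0]), fields[1], fields[4]


def audit(text):
    """Return (host, port, status, note) for watched ports that are not closed."""
    findings = []
    for host, port, state, _service in parse_grepable(text):
        if port not in WATCHED or state == "closed":
            continue
        # "filtered" only says the scanner was blocked from where it ran; the
        # service can still be listening for anyone with a local foothold.
        status = "exposed" if state == "open" else "review"
        findings.append((host, port, status, WATCHED[port]))
    return findings


if __name__ == "__main__":
    for host, port, status, note in audit(SAMPLE):
        print(f"{host}:{port} [{status}] {note}")
```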

Published On: November 1st, 2021 / Categories: HTB, Technology
