Explore HacktheBox

My first Android box.

The nmap quick scan gave nothing, so I had to perform a full scan.

The scan found the ports below:

2222/tcp open ssh (protocol 2.0)

42135/tcp open tcpwrapped

42489/tcp open tcpwrapped

59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

Searching for port 59777, we got the exploit below:

Clone the exploit, download the requirements (pip install -r requirements.txt), and then take the curl command given on the GitHub page; just by modifying the IP we can list the files.

Then we listed the /sdcard directory:

There we could see the user.txt flag, which we can fetch with the PULL command.

We got the user flag.

Upon further searching, we found credentials in an image stored in the DCIM folder.

Next I tried to pull that creds.jpg file, but since it’s a JPEG file, pulling it may mess up the terminal, so I redirected the output to a file as below:

Below is the creds image.

That could be any sort of credentials; however, we tried SSH with them and bingo, done.

The SSH command below is actually not a regular SSH login: only by port forwarding to localhost could we get an adb shell for further exploitation.

Privilege escalation then takes only one small command: “su”.

Now searching for the root flag.

Got the root flag with a simple find command.

That’s all folks.
