Explore is rated as an Easy machine and, interestingly, runs Android.
After running nmap we find SSH has been moved to a non-standard port (TCP 2222, which I guess is more common than we realise), a Bukkit Minecraft game server on TCP port 59777 and ES File Explorer on TCP port 42135.
Using the famous vulnerability for ES File Explorer (CVE-2019-6447) we can download an image file that contains credentials. This allows for SSH access and the user flag. Using this access we can pivot to the ADB service listening on TCP port 5555, which allows access as root and completes the box.
Performing our nmap scan we can see a couple of unusual ports:
If you're familiar with Android security you will recognise TCP port 5555 as the ADB service. The other ports are strange but nmap doesn't highlight the JSONAPI extension to the Bukkit Minecraft game server.
If you run a Google search for 'Android port 42135' the first result is an explanation of the ES File Explorer vulnerability for Android. Further down you may see the exploit-db link to a working script. Since I'm using Kali Linux I can grab that from searchsploit locally and run it.
The first result is what we need. This script has some built-in functions to list files and pull device info. More interestingly, you can list the pictures on the file system by using 'listPics'.
Clearly we need to download the creds.jpg file. This can be done with 'getFile' and supplying the absolute path to the image.
This gives us exactly what we expected and that's a username and password:
Naturally we can try these against the SSH service, but remember the non-standard port.
We can find the user.txt file in /sdcard.
Externally we saw TCP port 5555 open, which is the known port for the ADB service. Usually this requires a USB connection for 'remote debugging', but because we have SSH access we can set up a local port forward to access that from the device itself.
Firstly, you want to make sure you have adb installed, which can be done with APT on Kali. Next we need to create our port forward:
In a second tab we can then connect with ADB to the local port forward with 'adb connect localhost:5555'. Since my Kali Linux install is in a virtual environment, I have two devices in my list with ADB. You can check this with 'adb devices' or 'adb devices -l'. To choose which device we want to interact with we need to specify the ID of the device.
Since ADB runs with privileges we can escalate our shell with 'su root' to get a root shell.
Grab the root.txt file in /data and that's the box completed. Nothing overly complicated or difficult but interesting otherwise.
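From the device owner's side, every step above depends on which services are listening and on which address they are bound. The following is an added example (not part of the original write-up or of any tool it uses) that parses `netstat -tln` output and reports the bind scope of the three ports discussed; the sample output, the port labels and the function names are constructed for illustration.

```python
import ipaddress

# Ports discussed in this write-up; labels follow the page's nmap results.
WATCHED = {
    5555: "ADB over TCP",
    42135: "ES File Explorer",
    59777: "service nmap reported as Bukkit JSONAPI",
}

# Constructed sample of `netstat -tln` output, not captured from the box.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp6       0      0 ::ffff:127.0.0.1:5555   :::*                    LISTEN
tcp6       0      0 :::42135                :::*                    LISTEN
tcp6       0      0 :::59777                :::*                    LISTEN
tcp        0      0 10.0.0.5:2222           10.0.0.9:50514          ESTABLISHED
"""

def bind_scope(host):
    """Classify a bind address as 'all-interfaces', 'loopback' or 'specific'."""
    if host in ("*", ""):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    if addr.is_unspecified:
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific"

def audit(netstat_text):
    """Return sorted (port, scope, note) tuples for watched listening ports."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        host, _, port_text = parts[3].rpartition(":")
        port = int(port_text)
        if port not in WATCHED:
            continue
        scope = bind_scope(host)
        if scope != "loopback":
            note = "reachable from the network"
        elif port == 5555:
            note = "local only, yet reachable through an SSH port forward"
        else:
            note = "local only"
        findings.append((port, scope, note))
    return sorted(findings)
```

A loopback-bound ADB listener is still reported, because any account that can log in over SSH can forward to it, which is the pivot used above.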