Official Explore Discussion

Rooted
Foothold/User: enumerate service discovered.
Root: traceback to initial enumeration and try to go through the tunnel, eventually you’ll reach the finish line.

Thanks for the box!

if you are stuck, Google is your friend here, for both user and root! (use your initial scan).

Fun and easy box, took me way longer because of the issues everybody is talking about… I was second guessing myself, but after resetting everything I tried before worked perfectly.

Ez.

rooted. if you know android hacking at all this box will be somewhat easy. obtaining root involved a trick that I’m just not great with. thanks to @gunn4r for pointing me in the right direction (literally).

well… that was… something. certainly different from the normal env. lmk if anyone needs a lil nudge :slight_smile:

Congrats @bertolis ! Something a bit different and I learned a new thing :wink:

stuck in the root, I have no idea what to do, first time on android.

@not1sfound said:

stuck in the root, I have no idea what to do, first time on android.

Enumerate. Find something listening, forward it to your attacking machine and attack it. When you get that working there is a super-easy-to-exploit way to become the super user.

rooted, hacktricks saved me, thanks everyone. thanks @TazWake .

Hello, I got the user.txt.
And I am stuck in the root… I thought it was a** for android debug but I get : Connection timed out
Any hint ? I am almost sure this is the good way, but there is something I miss… Thanks!

@B15HO0P said:

Hello, I got the user.txt.
And I am stuck in the root… I thought it was a** for android debug but I get : Connection timed out
Any hint ? I am almost sure this is the good way, but there is something I miss… Thanks!

You are on the right path. Dig into why the connection is timing out and see if you can resolve that.

hello guys, now I’m finding root but stuck on this “error: no devices/emulators found”, any nudges or any other useful tips? is it my listening port?

@DemChuck said:

hello guys, now I’m finding root but stuck on this “error: no devices/emulators found”, any nudges or any other useful tips? is it my listening port?

Could be a few things - are you hitting the correct location?

Hi everyone,

I’m still working on the foothold and don’t understand something… My first nmap scan detected only 4 ports/services. I spent some time on a*b only to find out it was a dead end. I decided to start from fresh and this time nmap found 2 “new ports”, one of them looking promising.
My question is, how is that possible ? It was the exact same command… From now on, should I always run nmap a few times to be sure it caught everything?

Thank you and happy hacking!

@Netpal said:

Hi everyone,

I’m still working on the foothold and don’t understand something… My first nmap scan detected only 4 ports/services. I spent some time on a*b only to find out it was a dead end. I decided to start from fresh and this time nmap found 2 “new ports”, one of them looking promising.

When I did the box, there were only four open ports but a lot that returned responses nmap could consider “not closed”.

The port to target first is unusual, definitely.

My question is, how is that possible ? It was the exact same command… From now on, should I always run nmap a few times to be sure it caught everything?

No, but you do need to be conscious of some facts:

  • Other people on the box can open ports. This can lead to misleading discoveries. The port you started on might be useful later on and there is a chance someone opened it externally because they got excited about how to do port forwarding.

  • Look into how nmap determines if a port is open or not. The --reason flag is useful because (not relevant on this box) sometimes the response will tell you why a port looks open/closed which is useful (for example - firewalls).

  • Network traffic can cause issues. Nmap sends a lot of packets (you can configure this) and sometimes packets do get lost.

  • All tools have a false positive/false negative rate and it is worth keeping this in mind. The nmap error rate is low but it exists.

  • If you scan a box while it is starting up, some services might not have been initialised when nmap probes their port.
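Added example, not part of the original thread: one way to compare two runs of the same nmap command using the per-port reason recorded in XML output (`-oX`), so a port that changed state can be sorted into "probe went unanswered" versus "target answered differently". The two XML fragments, the address and the port numbers are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragments for two runs of the same command against a
# documentation address; ports and reasons are sample values, not from the box.
SCAN_1 = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
<port protocol="tcp" portid="9000"><state state="closed" reason="reset" reason_ttl="63"/></port>
</ports></host></nmaprun>"""

SCAN_2 = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
<port protocol="tcp" portid="9000"><state state="closed" reason="reset" reason_ttl="63"/></port>
<port protocol="tcp" portid="9001"><state state="open" reason="syn-ack" reason_ttl="63"/></port>
</ports></host></nmaprun>"""


def port_states(xml_text):
    """Map (address, protocol, port) -> (state, reason) from nmap XML."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            st = port.find("state")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            states[key] = (st.get("state"), st.get("reason"))
    return states


def diff_scans(first_xml, second_xml):
    """List ports whose state differs between two scans, with a likely cause."""
    first, second = port_states(first_xml), port_states(second_xml)
    changes = []
    for key in sorted(set(first) | set(second)):
        # Ports nmap did not list individually are treated as "not-listed".
        before = first.get(key, ("not-listed", None))
        after = second.get(key, ("not-listed", None))
        if before[0] == after[0]:
            continue
        # "no-response" means a probe got no reply at all: lost packets, rate
        # limiting or a filter. Any other reason means the target replied, so
        # the service itself changed (started late, or opened by someone else).
        cause = ("probe-unanswered" if "no-response" in (before[1], after[1])
                 else "state-changed")
        changes.append({"addr": key[0], "port": key[2], "before": before[0],
                        "after": after[0], "cause": cause})
    return changes
```
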

@TazWake said:

Could be a few things - are you hitting the correct location?

sorry, what is meant by “hitting the correct location”? btw I tried to use “a** s****” but nothing happened. tried some tools from github such as “PhoneS*****” to connect ip:5*** but still not making good progress.

@DemChuck said:

@TazWake said:

Could be a few things - are you hitting the correct location?

sorry, what is meant by “hitting the correct location”? btw I tried to use “a** s****” but nothing happened.

You need to think about what happens when you run ***. It’s hard to explain more without a load of spoilers.

As an example. If I use a curl to visit a website, it needs to know where to go to get the website data. If I run curl nothing will happen. If I run curl http://example.com it will work.

If you are just running ***, how does it know where the thing it is looking for lives? Is your IP:PORT combination correct and pointing at something you can access?

tried some tools from github such as “PhoneS*****” to connect ip:5*** but still not making good progress.

*** is good enough. Have a think about the IP you are using and make sure you’ve set things up so that this will work.

@TazWake said:

@DemChuck said:

@TazWake said:

Could be a few things - are you hitting the correct location?

sorry, what is meant by “hitting the correct location”? btw I tried to use “a** s****” but nothing happened.

You need to think about what happens when you run ***. It’s hard to explain more without a load of spoilers.

As an example. If I use a curl to visit a website, it needs to know where to go to get the website data. If I run curl nothing will happen. If I run curl http://example.com it will work.

If you are just running ***, how does it know where the thing it is looking for lives? Is your IP:PORT combination correct and pointing at something you can access?

tried some tools from github such as “PhoneS*****” to connect ip:5*** but still not making good progress.

*** is good enough. Have a think about the IP you are using and make sure you’ve set things up so that this will work.

Rooted! Thank you so much! Appreciate it! Yup, ngl *** is good enough.