mazesec gameshell3
信息收集
--------------------------------------------------------------------------------
Port 22 | Service: ssh | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80 | Service: http | Banner: HTTP/1.1 200 OK
Port 8001 | Service: Unknown | Banner: (no banner)
Port 8002 | Service: Unknown | Banner: (no banner)
Port 8003 | Service: Unknown | Banner: (no banner)
Port 8004 | Service: Unknown | Banner: (no banner)
Port 8005 | Service: Unknown | Banner: (no banner)
Port 8006 | Service: Unknown | Banner: (no banner)
Port 8007 | Service: Unknown | Banner: (no banner)
Port 8008 | Service: Unknown | Banner: (no banner)
Port 8009 | Service: Unknown | Banner: (no banner)
Port 8010 | Service: Unknown | Banner: (no banner)
--------------------------------------------------------------------------------
漏洞分析
skr:skrampy1 —做完扫雷游戏得到的8007
上去后发现有个TMOUT,unset TMOUT就不会被t
利用
在/etc/backup发现hidden.img,将它传回本机
➜ GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs: ls -l
debugfs: dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump secretmusic secretmusic
听着像电话号码
使用在线 DTMF Decoder破解得密码:*#*#660930334*#*#
mazesec gameshell3
Information Gathering
--------------------------------------------------------------------------------
Port 22 | Service: ssh | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80 | Service: http | Banner: HTTP/1.1 200 OK
Port 8001 | Service: Unknown | Banner: (no banner)
Port 8002 | Service: Unknown | Banner: (no banner)
Port 8003 | Service: Unknown | Banner: (no banner)
Port 8004 | Service: Unknown | Banner: (no banner)
Port 8005 | Service: Unknown | Banner: (no banner)
Port 8006 | Service: Unknown | Banner: (no banner)
Port 8007 | Service: Unknown | Banner: (no banner)
Port 8008 | Service: Unknown | Banner: (no banner)
Port 8009 | Service: Unknown | Banner: (no banner)
Port 8010 | Service: Unknown | Banner: (no banner)
--------------------------------------------------------------------------------
Vulnerability Analysis
skr:skrampy1 — Obtained after completing the Minesweeper game on port 8007.
After logging in, a TMOUT variable was found. Unsetting TMOUT prevents the session from timing out.
Exploitation
Found hidden.img in /etc/backup and transferred it back to the local machine.
➜ GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs: ls -l
debugfs: dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump secretmusic secretmusic
It sounded like phone numbers.
Used the online DTMF Decoder to decode the password: *#*#660930334*#*#