mazesec gameshell3

信息收集

--------------------------------------------------------------------------------
Port 22     | Service: ssh             | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80     | Service: http            | Banner: HTTP/1.1 200 OK
Port 8001   | Service: Unknown         | Banner: (no banner)
Port 8002   | Service: Unknown         | Banner: (no banner)
Port 8003   | Service: Unknown         | Banner: (no banner)
Port 8004   | Service: Unknown         | Banner: (no banner)
Port 8005   | Service: Unknown         | Banner: (no banner)
Port 8006   | Service: Unknown         | Banner: (no banner)
Port 8007   | Service: Unknown         | Banner: (no banner)
Port 8008   | Service: Unknown         | Banner: (no banner)
Port 8009   | Service: Unknown         | Banner: (no banner)
Port 8010   | Service: Unknown         | Banner: (no banner)
--------------------------------------------------------------------------------

漏洞分析

skr:skrampy1 —做完扫雷游戏得到的8007

上去后发现有个TMOUT,unset TMOUT就不会被t

利用

在/etc/backup发现hidden.img,将它传回本机

  GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs:  ls -l
debugfs:  dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs:  dump secretmusic secretmusic

听着像电话号码

使用在线 DTMF Decoder破解得密码:*#*#660930334*#*#

mazesec gameshell3

Information Gathering

--------------------------------------------------------------------------------
Port 22     | Service: ssh             | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80     | Service: http            | Banner: HTTP/1.1 200 OK
Port 8001   | Service: Unknown         | Banner: (no banner)
Port 8002   | Service: Unknown         | Banner: (no banner)
Port 8003   | Service: Unknown         | Banner: (no banner)
Port 8004   | Service: Unknown         | Banner: (no banner)
Port 8005   | Service: Unknown         | Banner: (no banner)
Port 8006   | Service: Unknown         | Banner: (no banner)
Port 8007   | Service: Unknown         | Banner: (no banner)
Port 8008   | Service: Unknown         | Banner: (no banner)
Port 8009   | Service: Unknown         | Banner: (no banner)
Port 8010   | Service: Unknown         | Banner: (no banner)
--------------------------------------------------------------------------------

Vulnerability Analysis

skr:skrampy1 — Obtained after completing the Minesweeper game on port 8007.

After logging in, a TMOUT variable was found. Unsetting TMOUT prevents the session from timing out.

Exploitation

Found hidden.img in /etc/backup and transferred it back to the local machine.

  GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs:  ls -l
debugfs:  dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs:  dump secretmusic secretmusic

It sounded like phone numbers.

Used the online DTMF Decoder to decode the password: *#*#660930334*#*#