[HMV] Gameshell3

Word count: 1.6k

Information Gathering

An nmap scan of the open ports turns up quite a few of them; start with port 80.

nmap -sV -sC -v 192.168.1.39
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-11 02:13 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:13
Completed NSE at 02:13, 0.00s elapsed
Initiating NSE at 02:13
Completed NSE at 02:13, 0.00s elapsed
Initiating NSE at 02:13
Completed NSE at 02:13, 0.00s elapsed
Initiating ARP Ping Scan at 02:13
Scanning 192.168.1.39 [1 port]
Completed ARP Ping Scan at 02:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:13
Completed Parallel DNS resolution of 1 host. at 02:13, 0.02s elapsed
Initiating SYN Stealth Scan at 02:13
Scanning 192.168.1.39 [1000 ports]
Discovered open port 22/tcp on 192.168.1.39
Discovered open port 80/tcp on 192.168.1.39
Discovered open port 8008/tcp on 192.168.1.39
Discovered open port 8010/tcp on 192.168.1.39
Discovered open port 8002/tcp on 192.168.1.39
Discovered open port 8007/tcp on 192.168.1.39
Discovered open port 8001/tcp on 192.168.1.39
Discovered open port 8009/tcp on 192.168.1.39
Completed SYN Stealth Scan at 02:13, 0.12s elapsed (1000 total ports)
Initiating Service scan at 02:13
Scanning 8 services on 192.168.1.39
Completed Service scan at 02:14, 6.24s elapsed (8 services on 1 host)
NSE: Script scanning 192.168.1.39.
Initiating NSE at 02:14
Completed NSE at 02:14, 1.19s elapsed
Initiating NSE at 02:14
Completed NSE at 02:14, 0.03s elapsed
Initiating NSE at 02:14
Completed NSE at 02:14, 0.00s elapsed
Nmap scan report for 192.168.1.39
Host is up (0.0040s latency).
Not shown: 992 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: Random Gate - Choose Your Door
8001/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
|_http-title: Site doesn't have a title (text/html).
8002/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: ttyd - Terminal
8007/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
|_http-title: ttyd - Terminal
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
8008/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
|_http-title: ttyd - Terminal
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8009/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
|_ajp-methods: Failed to get a valid response for the OPTION request
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: ttyd - Terminal
8010/tcp open http ttyd 1.7.7-40e79c7 (libwebsockets 4.3.3-unknown)
|_http-title: ttyd - Terminal
|_http-server-header: ttyd/1.7.7-40e79c7 (libwebsockets/4.3.3-unknown)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
MAC Address: 08:00:27:0D:7F:76 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 02:14
Completed NSE at 02:14, 0.00s elapsed
Initiating NSE at 02:14
Completed NSE at 02:14, 0.00s elapsed
Initiating NSE at 02:14
Completed NSE at 02:14, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.13 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.060KB)

Port 80 hosts a "choose a random door" game; look at the JS section of the front-end source.

The JS looks like nothing more than a client-side game for picking a random door; it seems unlikely to yield a shell or any other information, so move on to the pages on the other ports.

The other ports all run ttyd. Looking it up online, it exposes a Linux command-line program through a web page, essentially a browser-based terminal, so there is a good chance of getting a shell from it.

Ports 8001 through 8010 all show this kind of page, but nine of them do not respond to anything. Trying them one by one, only 8009 actually executes input, and what it runs is a minesweeper game, so the task is to beat it?

After actually clearing the game, there really was something there: it hands out what looks like the password for the sky account. Logging in over SSH as sky, I found the first flag, user.txt, in the home directory.

Privilege Escalation

When logging in as sky, however, the session was automatically logged out after only a few seconds. Asking an AI suggested that the TMOUT environment variable might be set; it can be checked with echo $TMOUT, and it was indeed set, so unset it:

unset TMOUT

Then .bash_history showed vi .bashrc. I expected it to contain something useful, but it turned out that only the TMOUT setting had been added at the bottom.

Next I ran LinEnum.sh to look for privilege-escalation paths, but it found little; the only finding was that the root account is permitted to log in over SSH.

The sky account is not in the sudo group, and sudo -l lists no runnable commands.

ps aux shows a mine.sh script running, but as the sky user it is only readable and executable, not writable.


Finally, in /var/backups there is a file named hidden.img. At first I took it for a picture, but it is a disk image that can be mounted.

Since the sky account's privileges are too low to mount it there, I transferred it to my local machine with scp and mounted it locally.

If mount reports an error, create the mount point first with mkdir /tmp/mnt, then mount:

sudo mount -o loop hidden.img /tmp/mnt

Looking inside the mounted directory, there is only one subdirectory and one audio file:

ls -al 
总计 44
drwxr-xr-x 3 root root 1024 11月21日 08:57 .
drwxr-xr-x 19 root root 4096 12月 4日 03:23 ..
drwx------ 2 root root 12288 11月21日 08:56 lost+found
-rwxr-xr-x 1 root root 27245 11月21日 08:01 secretmusic

It turned out to be a WAV audio file. Playing it directly in Kali nearly froze the VM, so I moved it to Windows to listen to it.

file secretmusic               
secretmusic: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 8000 Hz

On Windows the file needs an extension, so I renamed it to secretmusic.wav. It turned out to be a sequence of telephone dial tones.

Searching online, I found that the keys pressed on a telephone keypad can be recognized from their tones; I used this online site for that.
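Decoding keypad tones does not need an online service. The following is an added example, not part of the original write-up: it synthesises a constructed 8-bit, 8 kHz mono PCM WAV (the same format `file` reported for secretmusic) with one DTMF tone per key, then recovers the key sequence with the Goertzel algorithm; the keys it encodes are made up for the demonstration and are not the machine's password.

```python
import io, math, wave
# DTMF keypad: each key is one low-group tone plus one high-group tone (Hz).
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE = 8000  # 8 kHz, the rate `file` reports for secretmusic above

def synth_dtmf(keys, tone_ms=100, gap_ms=60):
    """Constructed input: 8-bit unsigned mono PCM WAV, one tone per key, silence between."""
    pcm = []
    for d in keys:
        r, c = next((i, row.index(d)) for i, row in enumerate(KEYS) if d in row)
        for n in range(RATE * tone_ms // 1000):
            t = n / RATE
            v = 0.45 * math.sin(2 * math.pi * LOW[r] * t) + 0.45 * math.sin(2 * math.pi * HIGH[c] * t)
            pcm.append(int(128 + 127 * v))  # 8-bit WAV samples are unsigned, centred on 128
        pcm.extend([128] * (RATE * gap_ms // 1000))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 1, RATE, 0, "NONE", "NONE"))  # mono, 1 byte per sample
        w.writeframes(bytes(pcm))
    return buf.getvalue()

def goertzel(block, freq):
    """Signal power at a single frequency (Goertzel), cheaper than a full FFT."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_dtmf(wav_bytes, win=200, silence=5):
    """25 ms windows; a key counts once it holds for two windows, silence ends a press (so '00' stays two keys)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 1 or w.getnchannels() != 1:
            raise ValueError("expected 8-bit mono PCM")
        pcm = [b - 128 for b in w.readframes(w.getnframes())]
    out, last, cand, seen = [], None, None, 0
    for i in range(0, len(pcm) - win + 1, win):
        block = pcm[i:i + win]
        if sum(abs(x) for x in block) / win < silence:
            last = cand = None
            continue
        lo = max(range(4), key=lambda k: goertzel(block, LOW[k]))
        hi = max(range(4), key=lambda k: goertzel(block, HIGH[k]))
        key = KEYS[lo][hi]
        cand, seen = key, (seen + 1 if key == cand else 1)
        if seen >= 2 and key != last:
            out.append(last := key)
    return "".join(out)
```

For a real file, pass `open("secretmusic.wav", "rb").read()` to decode_dtmf; the two-window debounce and the silence reset are what keep tone boundaries and repeated keys from corrupting the sequence.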

I guessed this might be root's login password, and indeed it logged in successfully, giving root.txt.

Summary

When I first saw the audio file I really did not expect anything to be hidden in it. Only after watching the group owner's Bilibili video, where he searched for telephone dial tones, did I find the final solving approach, and I learned a new trick.