mazesec gameshell3

Information Gathering

--------------------------------------------------------------------------------
Port 22     | Service: ssh             | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80     | Service: http            | Banner: HTTP/1.1 200 OK
Port 8001   | Service: Unknown         | Banner: (no banner)
Port 8002   | Service: Unknown         | Banner: (no banner)
Port 8003   | Service: Unknown         | Banner: (no banner)
Port 8004   | Service: Unknown         | Banner: (no banner)
Port 8005   | Service: Unknown         | Banner: (no banner)
Port 8006   | Service: Unknown         | Banner: (no banner)
Port 8007   | Service: Unknown         | Banner: (no banner)
Port 8008   | Service: Unknown         | Banner: (no banner)
Port 8009   | Service: Unknown         | Banner: (no banner)
Port 8010   | Service: Unknown         | Banner: (no banner)
--------------------------------------------------------------------------------

Vulnerability Analysis

skr:skrampy1 — This is the result of completing the Minesweeper game, targeting port 8007.

Upon further investigation, a TMOUT (Time Out) setting was detected; resetting TMOUT prevents the system from timing out.

Exploitation

The file hidden.img was found in /etc/backup. It was transferred back to the local machine:

➜ GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs:  ls -l
debugfs:  dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs:  dump secretmusic secretmusic

The contents of secretmusic sound like a telephone number.

The password was cracked using an online DTMF Decoder: *#*#660930334*#*#