This article documents a penetration test against a practice target. The main steps: port scanning finds a Minesweeper game on port 8007, and clearing it yields the initial login credentials; after logging in over SSH, the TMOUT session timeout is unset; the hidden.img disk image is pulled from /etc/backup and debugfs is used to export the secretmusic audio file; finally, the audio is decoded with an online DTMF (Dual-Tone Multi-Frequency) decoder to recover the hidden password *#*#660930334*#*#.
Information Gathering
--------------------------------------------------------------------------------
Port 22 | Service: ssh | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80 | Service: http | Banner: HTTP/1.1 200 OK
Port 8001 | Service: Unknown | Banner: (no banner)
Port 8002 | Service: Unknown | Banner: (no banner)
Port 8003 | Service: Unknown | Banner: (no banner)
Port 8004 | Service: Unknown | Banner: (no banner)
Port 8005 | Service: Unknown | Banner: (no banner)
Port 8006 | Service: Unknown | Banner: (no banner)
Port 8007 | Service: Unknown | Banner: (no banner)
Port 8008 | Service: Unknown | Banner: (no banner)
Port 8009 | Service: Unknown | Banner: (no banner)
Port 8010 | Service: Unknown | Banner: (no banner)
--------------------------------------------------------------------------------
Vulnerability Analysis
skr:skrampy1: obtained from port 8007 after finishing the Minesweeper game
After logging in, a TMOUT variable is set; running unset TMOUT keeps the session from being timed out
Exploitation
Found hidden.img in /etc/backup and transferred it back to the local machine
➜ GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs: ls -l
debugfs: dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs: dump secretmusic secretmusic
It sounds like a phone number being dialed
Decoded it with an online DTMF decoder to get the password: *#*#660930334*#*#
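The online decoder used above is a black box; as an added example (not from the original writeup), the following pure-Python decoder shows what it does: it synthesizes a constructed DTMF tone sequence for the recovered digits, then recovers the keys by measuring the power of each row and column frequency per frame with the Goertzel algorithm. Sample rate, tone and gap durations are assumptions chosen to resemble telephone audio.

```python
import math

# DTMF keypad: each key is the sum of one low-group (row) and one high-group
# (column) tone.  Decoding = find the dominant row and column tone per frame.
LOW = [697, 770, 852, 941]
HIGH = [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]
RATE = 8000  # samples per second (assumed telephone-quality audio)

def synth_dtmf(digits, tone_ms=80, gap_ms=60):
    """Constructed test input: render a key sequence as float PCM samples."""
    out = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYS) if d in row)
        c = KEYS[r].index(d)
        for n in range(RATE * tone_ms // 1000):
            t = n / RATE
            out.append(0.5 * math.sin(2 * math.pi * LOW[r] * t)
                       + 0.5 * math.sin(2 * math.pi * HIGH[c] * t))
        out.extend([0.0] * (RATE * gap_ms // 1000))  # inter-digit silence
    return out

def goertzel(frame, freq):
    """Power of a single target frequency in a frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_dtmf(samples, frame_ms=20):
    """Return the key sequence encoded in the samples, one key per tone burst."""
    n = RATE * frame_ms // 1000
    keys, last = [], None
    for i in range(0, len(samples) - n + 1, n):
        frame = samples[i:i + n]
        if sum(x * x for x in frame) < 1e-3 * n:
            last = None          # silence: the key was released
            continue
        lo = [goertzel(frame, f) for f in LOW]
        hi = [goertzel(frame, f) for f in HIGH]
        # Reject frames with no clearly dominant row/column tone (noise, speech
        # or a lone tone would otherwise be misread as a key press).
        if max(lo) < 4 * sorted(lo)[-2] or max(hi) < 4 * sorted(hi)[-2]:
            continue
        key = KEYS[lo.index(max(lo))][hi.index(max(hi))]
        if key != last:          # a held key spans several frames: emit once
            keys.append(key)
            last = key
    return "".join(keys)
```

Running decode_dtmf(synth_dtmf("*#*#660930334*#*#")) returns the same string, and the silence reset is what lets repeated digits such as "66" and "33" come out as two presses rather than one.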