This post records a hands-on penetration test against a practice target machine. The main steps: a port scan found a Minesweeper game on port 8007, and completing it yielded the initial login credentials; after logging in over SSH, the TMOUT session timeout was lifted; the hidden.img image file was pulled from /etc/backup and the secretmusic audio file exported from it with debugfs; finally, an online DTMF (dual-tone multi-frequency) decoder was used to decode the audio and recover the hidden password *#*#660930334*#*#.

Reconnaissance

--------------------------------------------------------------------------------
Port 22     | Service: ssh             | Banner: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
Port 80     | Service: http            | Banner: HTTP/1.1 200 OK
Port 8001   | Service: Unknown         | Banner: (no banner)
Port 8002   | Service: Unknown         | Banner: (no banner)
Port 8003   | Service: Unknown         | Banner: (no banner)
Port 8004   | Service: Unknown         | Banner: (no banner)
Port 8005   | Service: Unknown         | Banner: (no banner)
Port 8006   | Service: Unknown         | Banner: (no banner)
Port 8007   | Service: Unknown         | Banner: (no banner)
Port 8008   | Service: Unknown         | Banner: (no banner)
Port 8009   | Service: Unknown         | Banner: (no banner)
Port 8010   | Service: Unknown         | Banner: (no banner)
--------------------------------------------------------------------------------

Vulnerability analysis

skr:skrampy1 (the credentials obtained after completing the Minesweeper game on port 8007)

After logging in, I found a TMOUT set; `unset TMOUT` and you no longer get kicked off by the idle-session timeout.

Exploitation

Found hidden.img in /etc/backup and transferred it back to the local machine.

➜  GameShell3 /sbin/debugfs hidden.img
debugfs 1.47.2 (1-Jan-2025)
debugfs:  ls -l
debugfs:  dump secretmusic
dump: Usage: dump_inode [-p] <file> <output_file>
debugfs:  dump secretmusic secretmusic

It sounds like a phone number being dialed.

Decoding it with an online DTMF Decoder gives the password: *#*#660930334*#*#
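As an added example (not part of the original writeup), here is a small pure-Python DTMF decoder based on the Goertzel algorithm, so a tone sequence like the one in secretmusic can be recovered offline instead of uploading the file to a third-party site. The input is a constructed synthetic tone sequence; the 8 kHz sample rate, 40 ms frame length and power threshold are assumptions, and a real recording would first have to be converted to a mono float sample list (e.g. with the standard `wave` module).

```python
import math

LOW_FREQS = (697, 770, 852, 941)       # DTMF row tones (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)  # DTMF column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(frame, freq, rate):
    # Power of one target frequency in the frame (Goertzel algorithm).
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, rate, frame_ms=40, threshold=0.02):
    # Classify each frame by its strongest row and column tone. A key is
    # emitted when its tone starts and a silent frame ends it, so repeated
    # digits separated by a pause (the "33" in the password) both survive.
    n = int(rate * frame_ms / 1000)
    min_power = threshold * n * n  # pure-tone power grows with n^2
    keys, current = [], None
    for start in range(0, len(samples) - n + 1, n):
        frame = samples[start:start + n]
        low = [goertzel_power(frame, f, rate) for f in LOW_FREQS]
        high = [goertzel_power(frame, f, rate) for f in HIGH_FREQS]
        r, c = low.index(max(low)), high.index(max(high))
        key = KEYPAD[r][c] if low[r] > min_power and high[c] > min_power else None
        if key != current and key is not None:
            keys.append(key)
        current = key
    return "".join(keys)


def synth_dtmf(keys, rate=8000, tone_ms=100, gap_ms=50):
    # Constructed test input: one two-tone burst per key, silence in between.
    out = []
    for key in keys:
        r = next(i for i, row in enumerate(KEYPAD) if key in row)
        c = KEYPAD[r].index(key)
        for i in range(int(rate * tone_ms / 1000)):
            t = i / rate
            out.append(0.5 * math.sin(2 * math.pi * LOW_FREQS[r] * t)
                       + 0.5 * math.sin(2 * math.pi * HIGH_FREQS[c] * t))
        out.extend([0.0] * int(rate * gap_ms / 1000))
    return out

if __name__ == "__main__":
    print(decode_dtmf(synth_dtmf("*#*#660930334*#*#"), 8000))  # *#*#660930334*#*#
```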
