Djinn 1

Djinn 1 vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/djinn 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-22 03:22 EDT
Nmap scan report for 192.168.1.110
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20  2019 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21  2019 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21  2019 message.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.113
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:3A:97:CE (VMware)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

The scan also reveals two more open ports, 1337 and 7331.

FTP

Anonymous login is allowed, so let's try that

Then we can list the files using the ls command

There are 3 files inside. Let's use the get command to download those 3 files

Here is the content of these 3 files

More Discovery

Port 1337 is the one we just discovered, so let's head to the browser

Let's use netcat to get access

Even after answering 1000 times I don't think he will give us our gift, so let's move on to the other port, 7331.

gobuster

Let's use gobuster to enumerate directories, since we can't find anything interesting on the site itself.

There are 2 directories: /genie and /wish.

Let's navigate to the /wish page

Type id and we get the response from it

Reverse Shell

But when I set up a listener on my Kali machine and type

It doesn't work that way; we actually need to encode the command in base64 and pipe it through a base64 decoder so that it is decoded and executed.

Still no luck; only a bash reverse shell works

We then go to this website and encode it with base64

Then we go back to /wish and type this

We can first type this to get a proper shell

Then we list the directory and cat app.py

Then we cat out the credentials.

We can su to the user nitish

Privilege Escalation

We then type sudo -l and get this

We can use the strings command to list all readable strings in the genie binary

We can see there is a -cmd parameter that can be used.

After playing around, we can become the user sam by typing

We then type sudo -l

If we run sudo /root/lago, it shows us this

Whichever choice we enter, we still can't get past the selection.

So, we can navigate to the /home/sam directory to find out more

Typing ls -la shows us the hidden files

Then we can use netcat to transfer files to our machine

Our machine

Target machine

A .pyc file is the compiled bytecode of a Python source file. We can use uncompyle6 to decompile it and see the original source.

We can see that if the input is num, we will be able to get root!
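Why decompiling the .pyc works at all, as an added example that is not from the walkthrough: it byte-compiles a constructed sample script (a guessing game with a hard-coded bypass string, the same pattern as lago) and then reads every string constant back out of the marshalled code object using only the standard library. uncompyle6 goes further and reconstructs full source, but this is enough to show that "compiled" Python hides no secrets.

```python
import importlib.util
import marshal
import os
import py_compile
import tempfile
import types

# Constructed sample script (not the lago program): a number-guessing
# game with a hard-coded bypass string, the pattern found in the .pyc above.
SAMPLE_SOURCE = '''
import random

def check(guess):
    secret = random.randint(1, 100)
    if guess == "magicword":  # hard-coded bypass
        return "root"
    return "win" if guess == str(secret) else "lose"
'''

def compile_sample(workdir):
    """Write the sample to disk and byte-compile it, returning the .pyc path."""
    src = os.path.join(workdir, "sample.py")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SOURCE)
    pyc = os.path.join(workdir, "sample.pyc")
    py_compile.compile(src, cfile=pyc, doraise=True)
    return pyc

def load_code(pyc_path):
    """Skip the 16-byte .pyc header (CPython 3.7+) and unmarshal the code object."""
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)
        if header[:4] != importlib.util.MAGIC_NUMBER:
            raise ValueError("pyc was built by a different interpreter version")
        return marshal.loads(fh.read())

def string_constants(code):
    """Recursively collect every str constant, descending into nested functions."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found

def recover_strings():
    """Compile the sample, then read its secrets straight back out of the bytecode."""
    with tempfile.TemporaryDirectory() as workdir:
        return string_constants(load_code(compile_sample(workdir)))
```

The bypass string is recovered from the bytecode without ever seeing the source, which is why a privileged program must not rely on a compiled .pyc to keep such a check secret.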

After that, type sudo -u root /root/lago

Then choose option 2 and type num when it prompts us to choose a number from 1 to 100

Got root!

We then navigate to /root directory to get the flag
