djinn: 1 vulnhub Walkthrough


In this article, we continue our look at interesting VulnHub machines, this time with a machine called djinn: 1. This VM was created by 0xmzfr, and you can download it here.

Description

The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You’ll see the IP right on the login screen. You have to find and read the flag which is present in /root/proof.sh. If you’ve done djinn1 then you’ll notice some kind of similarity in services and also a continuation in the storyline.

Network Scanning

Let’s find the IP of this machine using the netdiscover command.


Next, we run an Nmap scan for all open ports and running services.


Enumeration

Let’s browse over to port 80 and look at its landing page.


I tried a dirb scan but didn’t see any useful directories, so we used the Gobuster tool for directory brute-forcing and found two pages: genie and wish.

I opened the /genie page URL. It shows the message “It’s not that hard”.

The next option is to open the second URL, /wish, where we see a placeholder field and a submit button. I ran the kernel version checking command.


We see the output on the next page, which confirms that this URL is vulnerable to OS command injection.


Exploitation

I tried many payloads, including the Metasploit web delivery payload, but they didn’t work here. So I created a simple bash reverse shell, encoded the shell in base64 using this command, and started our netcat listener.

After starting the netcat listener, copy the base64 reverse shell payload, paste it into the placeholder field, and click the submit button.


I got a netcat reverse connection from the target machine and moved on to enumerating the target’s directories and files.

cat creds.txt


Privilege Escalation

I found a creds.txt file, and reading it with the cat command shows the Nitish user and password. The next step is to switch user using the su command.

We get a blank shell, so we use python3 to spawn a proper shell using this command.

Next, we check the sudo rights of the user Nitish using the command.

We found that the user Nitish can execute the genie binary as user sam without any password. Using this command, we successfully got a shell as user sam.

I again enumerated the sudo permissions, this time for user sam. As we can see, user sam can execute the command /root/logo as root.
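From the defender's side, the two sudo rules above form a passwordless delegation chain from Nitish to root. The following is an added example, not part of the original walkthrough or the VM: a small audit that finds such chains in sudoers-style rules. The sample rules are constructed, `/path/to/genie` is a placeholder because the page does not give the binary's path, and NOPASSWD on sam's rule is an assumption.

```python
import re
from collections import deque

# Constructed sudoers-style rules modelled on the chain in this walkthrough.
# "/path/to/genie" is a placeholder: the page does not give the binary's path.
# NOPASSWD on the second rule and the whole third rule are assumptions.
SAMPLE_RULES = """\
nitish ALL=(sam) NOPASSWD: /path/to/genie
sam ALL=(root) NOPASSWD: /root/logo
www-data ALL=(root) /usr/bin/systemctl status apache2
"""

# Matches simple "user host=(runas) [NOPASSWD:] command" lines only.
RULE = re.compile(
    r"^(?P<user>[\w.-]+)\s+[^\s=]+\s*=\s*\((?P<runas>[\w.-]+)\)\s*"
    r"(?P<tag>NOPASSWD:)?\s*(?P<cmd>.+)$")

def parse_rules(text):
    """Return (user, runas, nopasswd, command) tuples for each matching line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m:
            rules.append((m["user"], m["runas"], bool(m["tag"]), m["cmd"].strip()))
    return rules

def passwordless_chains(rules, start, target="root"):
    """Breadth-first search over NOPASSWD delegations from start to target."""
    edges = {}
    for user, runas, nopasswd, cmd in rules:
        if nopasswd:  # rules that still ask for a password are not followed
            edges.setdefault(user, []).append((runas, cmd))
    chains, queue = [], deque([(start, [])])
    while queue:
        user, path = queue.popleft()
        for runas, cmd in edges.get(user, []):
            if runas == start or any(s[1] == runas for s in path):
                continue  # skip cycles such as a -> b -> a
            new_path = path + [(user, runas, cmd)]
            if runas == target:
                chains.append(new_path)
            else:
                queue.append((runas, new_path))
    return chains

if __name__ == "__main__":
    for chain in passwordless_chains(parse_rules(SAMPLE_RULES), "nitish"):
        print(" -> ".join(f"{u} runs {c} as {r}" for u, r, c in chain))
```

Every command that appears in a reported chain is worth reviewing for whether it can start a shell or run arbitrary commands as the target user.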


I ran the command using sudo and got a root shell. I moved to the root user’s home directory and finally found our last flag, proof.sh.

Reading the last flag:
