Hi all, let’s pwn this box.
You can find the machine here: djinn2
Let's start, as always, with an nmap scan.
Lots of stuff to enumerate. Let's start with FTP since we have anonymous access. We can see a lot of files, so let's download them all.
We got some creds and tried to log in over SSH with them, but no luck. We also found two messages.
Let's start the enumeration on port 7331 and run gobuster on it.
The source gives us some Python code, I guess for the web app on port 5000. Let's download it.
Let's analyze the code. We can see this at the top of the script.
I used cURL to test for RCE, and after some tries I got it.
Perfect, I coded a small RCE exploit for it; you can find it here: djinn exp
Got a shell.
Now privesc. Under /var/backups I found this .kdbx file.
kdbx = KeePass Password Database
You can install it by running:
Let's download this file using base64.
Now save this into a .txt file and do this:
Perfect, who needs meterpreter ;-)
Let’s open the file now.
Use the password we found earlier on FTP -> nitu:7846A$56
Now we can log in with SSH.
Perfect. Now privesc is kinda tricky; let's list the listening connections with netstat.
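The reason a service shows up in netstat here but never appeared in the nmap scan is that it is bound to 127.0.0.1 only. As an added example (my own code, not from the writeup or the box), here is a small Python parser for /proc/net/tcp, the table netstat reads, that lists every socket in LISTEN state and separates out the loopback-only ones. The table below is constructed (ports 22, 7331 and 2843 on a little-endian host); the real file can be read with read_local_table on any Linux box.

```python
import socket

# Constructed /proc/net/tcp dump (not captured from the box). Ports in hex:
# 0016 = 22, 1CA3 = 7331, 0B1B = 2843. State 0A is LISTEN, 01 is ESTABLISHED.
# The last row is an established SSH session from 10.0.2.1 to 10.0.2.15.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0B1B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1CA3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0016 0102000A:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 30004 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"


def _decode_addr(hex_addr: str):
    """Decode 'AABBCCDD:PPPP' as written by the kernel for IPv4 sockets.
    The address is a native-endian 32-bit word, so on little-endian hosts
    (x86, the assumption here) the bytes are reversed to get network order."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def listening_sockets(table: str):
    """Return [(ip, port, uid)] for every LISTEN-state row of a /proc/net/tcp dump."""
    result = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])       # local_address column
        result.append((ip, port, int(fields[7])))  # uid column
    return result


def loopback_only(table: str):
    """Listeners reachable only from the host itself: exactly the services a
    remote port scan cannot see, so they are worth reviewing in a hardening pass."""
    return [(ip, port, uid) for ip, port, uid in listening_sockets(table)
            if ip.startswith("127.")]


def read_local_table(path: str = "/proc/net/tcp") -> str:
    """Read the live IPv4 table on a Linux host (/proc/net/tcp6 holds IPv6)."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    for ip, port, uid in listening_sockets(SAMPLE_PROC_NET_TCP):
        scope = "loopback only" if ip.startswith("127.") else "all interfaces"
        print(f"{ip}:{port} uid={uid} ({scope})")
```

The uid column is the part worth keeping an eye on as a defender: a loopback service running as a normal user (uid 1000 in the sample) is one that any local account can reach and that may not have had the same review as the externally exposed ones.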
This seems interesting -> 127.0.0.1:2843
Let’s connect.
I used the same creds, and after some tries I found a command injection vulnerability in option 5, "Add a note for admin":
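The writeup does not show the note service's code, so as an added example (mine, not the box's) here is a hypothetical "add a note for admin" handler in the shape that causes this bug, next to a hardened version and a small detection hook. The anti-pattern is splicing the note into a shell command string; the fix is to never involve a shell (plain file I/O), or, if a shell is unavoidable, to quote the value with shlex.quote. File paths and the note format are assumptions.

```python
import pathlib
import re
import shlex
import tempfile

# Characters that change the meaning of a command line when user text is
# interpolated into it unquoted. Used only for detection/alerting here.
SHELL_META = re.compile(r"[;&|`$<>\n]|\$\(")


def unsafe_note_command(note: str, path: str) -> str:
    """The anti-pattern: user text spliced straight into a shell command.
    Returned as a string only, never executed, so the defect can be inspected."""
    return f"echo {note} >> {path}"


def quoted_note_command(note: str, path: str) -> str:
    """Second-line defence when a shell really is required: every user-controlled
    value is passed through shlex.quote so metacharacters stay literal."""
    return f"echo {shlex.quote(note)} >> {shlex.quote(path)}"


def add_note_safe(note: str, notes_file: pathlib.Path, max_len: int = 500) -> str:
    """Hardened form: no shell at all. The note is length-limited, flattened to
    one line so it cannot forge extra entries, and appended with file I/O."""
    if not note or len(note) > max_len:
        raise ValueError(f"note must be 1..{max_len} characters")
    clean = note.replace("\r", " ").replace("\n", " ")
    with notes_file.open("a", encoding="utf-8") as fh:
        fh.write(clean + "\n")
    return clean


def looks_like_injection(note: str) -> bool:
    """Detection hook for the service log: flag notes carrying shell metacharacters
    so they can be reviewed, regardless of whether the handler is vulnerable."""
    return bool(SHELL_META.search(note))


def demo() -> str:
    """Store two notes with the safe handler; the second carries metacharacters
    and is stored as text, exactly as typed, because nothing interprets it."""
    notes = pathlib.Path(tempfile.mkdtemp()) / "notes.txt"   # assumed location
    add_note_safe("status: backups ok", notes)
    add_note_safe("ping the admin | $(date)", notes)
    return notes.read_text(encoding="utf-8")


if __name__ == "__main__":
    print(unsafe_note_command("a; b", "/tmp/notes.txt"))
    print(quoted_note_command("a; b", "/tmp/notes.txt"))
    print(demo(), end="")
```

Reading the two command strings side by side is the whole lesson: the unquoted one has two commands in it, the quoted one has a single echo with a literal argument. The detection regex is deliberately noisy (a harmless "10; bring the report" trips it too), which is the right trade-off for an alert that feeds a human review rather than a block.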
Perfect, we can get a shell as ugtan, so let's simply add a reverse shell.
We have shell!
Now privesc to root is really simple: if we go to /var/mail we can read an email.
We just have to create clean.sh with our payload in it.
A few seconds later...
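The root job described in that email expects a script at a path a low-privileged user can create, which is the whole privesc. As an added example (my own code, not from the writeup), here is the audit a defender would run over every script path a root-run job references: it reports scripts that are missing from a directory others can write to, scripts writable by group or others, and scripts not owned by root. The demo builds its own sample layout in a temporary directory; the script names are assumptions.

```python
import os
import pathlib
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_privileged_script(path: str) -> list:
    """Findings for one script path that a root job (cron, timer, mail hook) will
    execute. An empty list means nothing suspicious was found."""
    findings = []
    script = pathlib.Path(path)

    if not script.exists():
        parent = script.parent
        if not parent.exists():
            findings.append("missing script and parent directory")
        elif parent.stat().st_mode & GROUP_OR_OTHER_WRITE:
            # Anyone who can write here can supply the file root is going to run.
            findings.append("missing script in a directory writable by non-root users")
        else:
            findings.append("missing script (dangling reference)")
        return findings

    st = script.stat()
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        findings.append("writable by group or others")
    pmode = script.parent.stat().st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        # Without the sticky bit the script can be replaced even if it is read-only.
        findings.append("parent directory world-writable without sticky bit")
    return findings


def audit_all(paths) -> dict:
    """Map each referenced script path to its findings, keeping only the bad ones."""
    report = {p: audit_privileged_script(p) for p in paths}
    return {p: f for p, f in report.items() if f}


def demo():
    """Constructed layout: a missing clean.sh in a 0777 directory, a 0666 script,
    and a correctly locked-down 0755 script in a private directory."""
    root = pathlib.Path(tempfile.mkdtemp())          # mkdtemp gives 0700
    loose = root / "scripts"
    loose.mkdir()
    os.chmod(loose, 0o777)
    missing = audit_privileged_script(str(loose / "clean.sh"))

    backup = root / "backup.sh"
    backup.write_text("#!/bin/sh\necho ok\n")
    os.chmod(backup, 0o666)
    writable = audit_privileged_script(str(backup))

    good = root / "good.sh"
    good.write_text("#!/bin/sh\necho ok\n")
    os.chmod(good, 0o755)
    locked = audit_privileged_script(str(good))
    return missing, writable, locked


if __name__ == "__main__":
    for name, findings in zip(("clean.sh", "backup.sh", "good.sh"), demo()):
        print(name, "->", findings or "ok")
```

In practice the input list comes from the crontabs, systemd unit ExecStart lines and any mail or hook scripts on the host; the "missing script in a writable directory" case is the one that is easy to overlook because nothing is there yet to look wrong.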
Let’s read the flag.
WHAT AN AWESOME BOX!! :D See you!