[VULNHUB] Djinn Writeup
For Indonesian version of this write-up, click here.
Information Gathering
NMAP
nmap -sC -sV -p- djinn.vh -v -oN initial.nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.43.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '/', 1)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '-', 2)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
FTP is open on port 21, SSH on port 22 is filtered, HTTP is on port 7331, and some kind of app (maybe netcat?) is listening on port 1337.
FTP
Log in to FTP (anonymous login is allowed) and download creds.txt, game.txt, and message.txt.
game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
creds.txt
nitu:81299
message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything
DIRB
Then run dirb to brute-force the web server's directories.
dirb http://djinn.vh:7331/ /usr/share/wordlists/big.txt
GENERATED WORDS: 20458
---- Scanning URL: http://djinn.vh:7331/ ----
+ http://djinn.vh:7331/genie (CODE:200|SIZE:1676)
(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)
-----------------
END_TIME: Sat Dec 21 20:14:37 2019
DOWNLOADED: 16063 - FOUND: 1
Seeing that dirb was hitting errors and listed only one directory, I moved on to the next step and assumed that the attack vector was not the web service.
index.html
/genie
Exploitation
1337
Simply netcat into port 1337 and there is a game running inside.
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(1, '-', 2)
>
Here I remembered from the nmap scan that the web server runs a Python backend (Werkzeug, so maybe Flask?), so I decided to try Python code injection on this port.. and it actually worked! 😮
Just look for the root flag and we are done 😆
Actually this attack vector was pure luck, because there is no indicator that the app running on port 1337 is written in Python. The code injection is supposed to be done on http://djinn.vh/wish, as in this article. But because my dirb returned an error and listed only one directory (/genie), I never found the /wish directory.
After looking around, I found out that the app running on port 1337 is actually a Python script located at /opt/1337/app.py. The code injection worked because the user input is neither filtered nor sanitized, the app runs on an outdated Python version (2.7.15), and it runs as the root user.
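As an added illustration (not the code from /opt/1337/app.py, which this writeup does not reproduce), here is a Python 3 model of the maths game showing the vulnerable pattern beside a hardened answer checker. How the box actually evaluated the answer is an assumption here: it is modelled as eval() on the client's reply, which is what Python 2's input() does.

```python
import operator
import re

# Constructed example: a model of the maths game on port 1337.
# Neither function is the real /opt/1337/app.py; the unsafe one is an
# assumption about the bug class (evaluating untrusted text as code).
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.floordiv,  # assumption: the game's '/' is integer division
}


def expected(question):
    """question is the tuple the game prints, e.g. (1, '-', 2)."""
    a, op, b = question
    return OPS[op](a, b)


def check_unsafe(question, answer_text):
    """Vulnerable pattern: the client's reply is evaluated as Python.

    Python 2's input() behaves like eval(raw_input()), so any expression,
    not just a number, runs with the server's privileges (root on this box).
    """
    return eval(answer_text) == expected(question)


# Only an optionally signed integer, with surrounding whitespace, is an answer.
ANSWER_RE = re.compile(r"\s*[-+]?\d+\s*")


def check_safe(question, answer_text):
    """Hardened: validate the reply's shape first, then parse it with int().

    Anything that is not a plain integer is a wrong answer and is never
    evaluated, so the input can no longer reach the interpreter.
    """
    if ANSWER_RE.fullmatch(answer_text) is None:
        return False
    return int(answer_text) == expected(question)


def is_suspicious(answer_text):
    """Detection hook: a reply that is not a plain integer is worth logging."""
    return ANSWER_RE.fullmatch(answer_text) is None
```

Feeding the reply "0-1" to the game's question (1, '-', 2) shows the difference: the unsafe checker evaluates it and accepts it, the hardened one rejects it without running anything.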
Thanks for your attention. Feel free to correct anything (even my grammar xD) in my articles. See ya!