# DJinn-3

<figure><img src="/files/yu173peleGLdCxueOucW" alt=""><figcaption></figcaption></figure>

First we start with the basics: a scan for open ports, which in this case gives us a handful of open ports.

***

```text
# Nmap 7.94SVN scan initiated Sat Mar  2 04:14:37 2024 as: nmap -sCV -p22,80,5000,31337 -oN target.txt 192.168.153.102
Nmap scan report for 192.168.153.102
Host is up (0.048s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e6:44:23:ac:b2:d9:82:e7:90:58:15:5e:40:23:ed:65 (RSA)
|   256 ae:04:85:6e:cb:10:4f:55:4a:ad:96:9e:f2:ce:18:4f (ECDSA)
|_  256 f7:08:56:19:97:b5:03:10:18:66:7e:7d:2e:0a:47:42 (ED25519)
80/tcp    open  http    lighttpd 1.4.45
|_http-title: Custom-ers
|_http-server-header: lighttpd/1.4.45
5000/tcp  open  http    Werkzeug httpd 1.0.1 (Python 3.6.9)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/1.0.1 Python/3.6.9
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL: 
|     username>
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     username> password> authentication failed
|   Help: 
|     username> password>
|   RPCCheck: 
|     username> Traceback (most recent call last):
|     File "/opt/.tick-serv/tickets.py", line 105, in <module>
|     main()
|     File "/opt/.tick-serv/tickets.py", line 93, in main
|     username = input("username> ")
|     File "/usr/lib/python3.6/codecs.py", line 321, in decode
|     (result, consumed) = self._buffer_decode(data, self.errors, final)
|     UnicodeDecodeError: 'utf-8' codec can't decode byte 0x80 in position 0: invalid start byte
|   SSLSessionReq: 
|     username> Traceback (most recent call last):
|     File "/opt/.tick-serv/tickets.py", line 105, in <module>
|     main()
|     File "/opt/.tick-serv/tickets.py", line 93, in main
|     username = input("username> ")
|     File "/usr/lib/python3.6/codecs.py", line 321, in decode
|     (result, consumed) = self._buffer_decode(data, self.errors, final)
|     UnicodeDecodeError: 'utf-8' codec can't decode byte 0xd7 in position 13: invalid continuation byte
|   TerminalServerCookie: 
|     username> Traceback (most recent call last):
|     File "/opt/.tick-serv/tickets.py", line 105, in <module>
|     main()
|     File "/opt/.tick-serv/tickets.py", line 93, in main
|     username = input("username> ")
|     File "/usr/lib/python3.6/codecs.py", line 321, in decode
|     (result, consumed) = self._buffer_decode(data, self.errors, final)
|_    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe0 in position 5: invalid continuation byte
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port31337-TCP:V=7.94SVN%I=7%D=3/2%Time=65E2EE04%P=x86_64-pc-linux-gnu%r
SF:(NULL,A,"username>\x20")%r(GetRequest,2A,"username>\x20password>\x20aut
SF:hentication\x20failed\n")%r(SIPOptions,2A,"username>\x20password>\x20au
SF:thentication\x20failed\n")%r(GenericLines,2A,"username>\x20password>\x2
SF:0authentication\x20failed\n")%r(HTTPOptions,2A,"username>\x20password>\
SF:x20authentication\x20failed\n")%r(RTSPRequest,2A,"username>\x20password
SF:>\x20authentication\x20failed\n")%r(RPCCheck,1A9,"username>\x20Tracebac
SF:k\x20\(most\x20recent\x20call\x20last\):\n\x20\x20File\x20\"/opt/\.tick
SF:-serv/tickets\.py\",\x20line\x20105,\x20in\x20<module>\n\x20\x20\x20\x2
SF:0main\(\)\n\x20\x20File\x20\"/opt/\.tick-serv/tickets\.py\",\x20line\x2
SF:093,\x20in\x20main\n\x20\x20\x20\x20username\x20=\x20input\(\"username>
SF:\x20\"\)\n\x20\x20File\x20\"/usr/lib/python3\.6/codecs\.py\",\x20line\x
SF:20321,\x20in\x20decode\n\x20\x20\x20\x20\(result,\x20consumed\)\x20=\x2
SF:0self\._buffer_decode\(data,\x20self\.errors,\x20final\)\nUnicodeDecode
SF:Error:\x20'utf-8'\x20codec\x20can't\x20decode\x20byte\x200x80\x20in\x20
SF:position\x200:\x20invalid\x20start\x20byte\n")%r(DNSVersionBindReqTCP,A
SF:,"username>\x20")%r(DNSStatusRequestTCP,A,"username>\x20")%r(Help,14,"u
SF:sername>\x20password>\x20")%r(SSLSessionReq,1B1,"username>\x20Traceback
SF:\x20\(most\x20recent\x20call\x20last\):\n\x20\x20File\x20\"/opt/\.tick-
SF:serv/tickets\.py\",\x20line\x20105,\x20in\x20<module>\n\x20\x20\x20\x20
SF:main\(\)\n\x20\x20File\x20\"/opt/\.tick-serv/tickets\.py\",\x20line\x20
SF:93,\x20in\x20main\n\x20\x20\x20\x20username\x20=\x20input\(\"username>\
SF:x20\"\)\n\x20\x20File\x20\"/usr/lib/python3\.6/codecs\.py\",\x20line\x2
SF:0321,\x20in\x20decode\n\x20\x20\x20\x20\(result,\x20consumed\)\x20=\x20
SF:self\._buffer_decode\(data,\x20self\.errors,\x20final\)\nUnicodeDecodeE
SF:rror:\x20'utf-8'\x20codec\x20can't\x20decode\x20byte\x200xd7\x20in\x20p
SF:osition\x2013:\x20invalid\x20continuation\x20byte\n")%r(TerminalServerC
SF:ookie,1B0,"username>\x20Traceback\x20\(most\x20recent\x20call\x20last\)
SF::\n\x20\x20File\x20\"/opt/\.tick-serv/tickets\.py\",\x20line\x20105,\x2
SF:0in\x20<module>\n\x20\x20\x20\x20main\(\)\n\x20\x20File\x20\"/opt/\.tic
SF:k-serv/tickets\.py\",\x20line\x2093,\x20in\x20main\n\x20\x20\x20\x20use
SF:rname\x20=\x20input\(\"username>\x20\"\)\n\x20\x20File\x20\"/usr/lib/py
SF:thon3\.6/codecs\.py\",\x20line\x20321,\x20in\x20decode\n\x20\x20\x20\x2
SF:0\(result,\x20consumed\)\x20=\x20self\._buffer_decode\(data,\x20self\.e
SF:rrors,\x20final\)\nUnicodeDecodeError:\x20'utf-8'\x20codec\x20can't\x20
SF:decode\x20byte\x200xe0\x20in\x20position\x205:\x20invalid\x20continuati
SF:on\x20byte\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  2 04:15:45 2024 -- 1 IP address (1 host up) scanned in 67.79 seconds
```

Now we can see the versions running on each open port; we will look at them one by one.

***

<figure><img src="/files/tySskwM1nemwWmUDd46q" alt=""><figcaption></figcaption></figure>

If we go to port 5000, we see a username that we will use somewhere else, not here for now, since here we only see reflected information.

***

<figure><img src="/files/gqN8fVW5EzOrMHIWXlnF" alt=""><figcaption></figcaption></figure>

If we run whatweb against port 5000, we see Python running there, which could hint that the site is vulnerable to SSTI. But the site only reflects information; it has no input where we can place data.

***

<figure><img src="/files/JbPc5ShQV3VRxl2mHXeM" alt=""><figcaption></figcaption></figure>

Well, I found where the credentials from port 5000 are used, and the information you enter here is reflected on port 5000. Let's see if it computes 7\*7 for me.

```text
31337/tcp open  Elite?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, NULL: 
|     username>
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: 
|     username> password> authentication failed
```

I had not noticed that in the nmap scan this port shows an "authentication failed", a place where you needed credentials, and well, we already have them.

***

<figure><img src="/files/0CjYisUyZKHZIDuCdLIL" alt=""><figcaption></figcaption></figure>

We see that it computes 7\*7, which means it is vulnerable to SSTI; the template engine that Python uses here is.
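The reason the 7\*7 probe computes is worth seeing in code. The following is an added example, not the ticket service's own `tickets.py` nor the port-5000 application; it assumes a Jinja2-based page (the engine Werkzeug/Flask apps normally use) and shows the rendering pattern that turns ticket text into executable template code, beside the fixed form where the ticket text is only a variable. The `looks_like_template_probe` helper and the `PROBE` value are constructed for this example.

```python
"""SSTI: vulnerable vs. hardened Jinja2 rendering (added example)."""
from jinja2 import Environment

# Constructed sample input: the same arithmetic probe used in the writeup.
PROBE = "{{7*7}}"


def render_vulnerable(ticket_text: str) -> str:
    """Vulnerable pattern: user-supplied ticket text is concatenated into the
    template SOURCE, so Jinja2 evaluates any expression it contains."""
    env = Environment()
    template = env.from_string("<p>Ticket: " + ticket_text + "</p>")
    return template.render()


def render_safe(ticket_text: str) -> str:
    """Hardened pattern: the template is a fixed string and the ticket text is
    passed as a render VARIABLE with autoescaping on. Expressions are shown
    literally and HTML is escaped, so 7*7 is never computed."""
    env = Environment(autoescape=True)
    template = env.from_string("<p>Ticket: {{ ticket }}</p>")
    return template.render(ticket=ticket_text)


def looks_like_template_probe(text: str) -> bool:
    """Defensive detection helper (constructed): flags ticket text that carries
    template delimiters, useful for logging or alerting on the 7*7 style probe
    before it is stored and reflected elsewhere."""
    markers = ("{{", "}}", "{%", "%}", "${", "#{")
    return any(marker in text for marker in markers)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))  # the probe computes
    print("safe:      ", render_safe(PROBE))        # the probe is literal
    print("probe?     ", looks_like_template_probe(PROBE))
```

The fix is not escaping: with the vulnerable pattern, escaping the output would still happen after Jinja2 has already evaluated the expression. The template source must never contain user data; only the render context may. `jinja2.sandbox.SandboxedEnvironment` restricts what a rendered expression can reach, but it still evaluates arithmetic like 7\*7, so it is a second layer rather than a replacement for the fixed-template pattern above.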

***

<figure><img src="/files/mZxBWqTT54FQcFKv7jwI" alt=""><figcaption></figcaption></figure>

We connect to port 31337 and see whether it runs an `ls -l` for us, which would give us RCE.

Where did I get this from? From the GitHub resource, here it is.

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#exploit-the-ssti-by-calling-subprocesspopen>" %}

***

<figure><img src="/files/O6nSDC5My0PqSPWLXZQF" alt=""><figcaption></figcaption></figure>

If we go to port 5000 we see that what we entered before is reflected; now we need to check whether it interprets it.

***

<figure><img src="/files/5vyCFOmviFkXBwnAWsSR" alt=""><figcaption></figcaption></figure>

If we send a curl request we see that it does interpret it, that is, we have RCE; now all that is left is to gain access to the machine.

***

<figure><img src="/files/xYRmwH2cZtUKdYuA7JgS" alt=""><figcaption></figcaption></figure>

We set up a netcat listener and use the typical one-liner to get a reverse shell back to our attacking machine.

***

<figure><img src="/files/M7JxzEUWirjfL36rp1kT" alt=""><figcaption></figcaption></figure>

We see it; now, how do we execute it so that the code is interpreted?

***

<figure><img src="/files/YjN2cwpJADYYTXDU2i9W" alt=""><figcaption></figcaption></figure>

The same with curl: we send the request. If you don't want to do it that way, in the web page just click the link and you get the same effect: you will have your reverse shell.

***

## Privilege escalation with pkexec

<figure><img src="/files/gP1e3OJmVUzBOWkGFvvU" alt=""><figcaption></figcaption></figure>

Now we go to the root directory to look for a way to escalate privileges, and we have our beloved pkexec, which we will use to escalate our privileges to root.

***

<figure><img src="/files/Jjk0jMJnT3LUBctXnpZw" alt=""><figcaption></figcaption></figure>

We type the following and we are root.

The resource is at the following link.

{% embed url="<https://github.com/ly4k/PwnKit>" %}

***

<figure><img src="/files/G0FMyP54diy1x8dSNB1A" alt=""><figcaption></figcaption></figure>

And the root flag. Machine solved, friends; not a very complicated machine.
