VulnHub: Jangow 1.0.1 Writeup

David Mentgen
Published in TestingOnProd
5 min read · Dec 5, 2021

Today we’re going to tackle an easy box from VulnHub. If you’re not familiar with VulnHub, it’s a great site for tackling CTF problems similar to HackTheBox. I have an isolated network created with a Kali box and the target on it. The box I will be writing up today is called Jangow 1.0.1.

Step 1: Nmap Scan

sudo nmap -sV -vv -O -p- -oN ./nmap_scan $BOX

  • -sV: Service Version Detection
  • -vv: Increase Verbosity
  • -O: Attempt to guess OS
  • -p-: Scan all ports
  • -oN <filename>: Output our scan results into the specified file
  • $BOX: Target’s IP

Right off the bat, we can see that we have ports 21 and 80 open. There’s probably some vulnerable website being hosted on port 80, so let’s take a closer look using Burp.

Step 2: Visit the site in Burp

It looks like we can see something via the browser. Let’s just see where it leads…

Following the previously shown link brought us to this “Grayscale” site. Looking around, there doesn’t seem to be anything too interesting except for the “Buscar” page found in the top right.

That’s interesting, it looks like it’s performing some kind of post request. I wonder what buscar means?

Hmm, let’s take a closer look at this in Burp’s repeater tool. I wonder if we can play around with the buscar param.

Step 3: Toss it into Burp Repeater

Nice. It looks like it’s executing whatever we want on the server. I wonder if we can use this to go ahead and grab the user flag.

And it looks like we can.
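
From the defender's side, input like this shows up in the web server's access log whenever the parameter travels in the URL. The following is an added example, not part of the original writeup: it scans access-log lines for `buscar` values that look like shell commands. The log lines, the `/search.php` path, the addresses and the utility list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format). Path and addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2021:10:00:01 +0000] "GET /search.php?buscar=portfolio HTTP/1.1" 200 512
192.0.2.44 - - [05/Dec/2021:10:02:13 +0000] "GET /search.php?buscar=id HTTP/1.1" 200 87
192.0.2.44 - - [05/Dec/2021:10:02:40 +0000] "GET /search.php?buscar=uname%20-a HTTP/1.1" 200 140
192.0.2.10 - - [05/Dec/2021:10:03:02 +0000] "GET /search.php?buscar=contact+us HTTP/1.1" 200 498
192.0.2.44 - - [05/Dec/2021:10:04:09 +0000] "GET /search.php?buscar=test%3B%20id HTTP/1.1" 200 95
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Small illustrative set (assumption); extend it from the utilities on your own hosts.
UTILITIES = {"id", "ls", "cat", "whoami", "uname", "pwd", "sh", "bash"}

def classify(value):
    """Return why a search term looks like a shell command, or None."""
    if SHELL_META.search(value):
        return "shell metacharacter"
    tokens = value.split()
    if tokens and (tokens[0].startswith("/") or tokens[0] in UTILITIES):
        return "starts with a utility name or absolute path"
    return None

def find_suspicious(log_text, param="buscar"):
    """Return (client, timestamp, decoded value, reason) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, target = m.groups()
        # parse_qs decodes %XX and '+', so encoded values are inspected in clear text.
        for value in parse_qs(urlsplit(target).query).get(param, []):
            reason = classify(value)
            if reason:
                hits.append((client, when, value, reason))
    return hits

if __name__ == "__main__":
    for client, when, value, reason in find_suspicious(SAMPLE_LOG):
        print(f"{when} {client} buscar={value!r}: {reason}")
```

This is a triage heuristic: a genuine search for a word such as "cat" will also be flagged, so treat hits as leads to review alongside the response size and the client's other requests.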

From here I start digging around the system to see if I can find anything that might push me closer to gaining root access. I quickly notice that there’s a config file that seems to contain the following creds:

Step 4: Use The Creds

I first started by trying to use the passwords with the username “desafio02”, but I quickly discovered that this does not work. I then tried using the username that we saw earlier in the home directory and was then able to log in to “jangow01”.

Step 5: ???

Honestly, I feel a little stumped here. At this point I have user creds and remote code execution; however, I am unable to stand up a reverse shell because for some reason the Jangow target is not configured to send outbound requests. I’m a little stumped on what to do here, so the only thing I can think of is to…

Step 6: Login via the VM

I’m not sure if this is the path that the creator intended for me to take, but given the current setup this is what I am going to do. If anyone has an alternative route, please reach out and let me know. I’d love to hear it.

Step 7: Dirty Cow

Seeing the old version of Ubuntu being used, let’s see if DirtyCow works. Let’s first start by transferring dirtycow-mem over to the target via ftp:

Executing dirtycow-mem, we can see that the kernel exploit grants us root.

All that’s left now is to collect the proof from /root/proof.txt:

Conclusion

Overall, this box wasn’t super exciting. Admittedly, it took me a bit of time to realize that reverse shells weren’t going to give me access to the box. Again, I don’t know if what I did was the intended access so I’d be very much open to hearing any feedback people may have. Perhaps the box wasn’t configured correctly, or maybe I messed up something in my network configuration. I wouldn’t be surprised if the issue was something on my end.

Originally published at http://testingonprod.com on December 5, 2021.
