Jangow VulnHub CTF Walkthrough
Jangow: 1.0.1 is a Linux machine (virtual OVA format). This machine was released on November 4th, 2021, and the developer of this machine is Jangow.
Download Jangow 1.0.1 from here.
Our goal is to import this machine into VirtualBox and capture the flags (user & root). The DHCP service in the machine is enabled automatically. Hence, the IP address will be assigned automatically.
So let’s import the virtual machine.
Let’s start the actual attack. But before that, we need to do recon to gain more information.
sudo nmap -sV -A <ip>
Basic reconnaissance is completed. We now have 2 open ports, FTP (21) and HTTP (80) respectively.
I attempted to access FTP using the default anonymous credentials (anonymous:anonymous).
Unfortunately, the web server hasn’t configured the FTP with default credentials. Now we are left with the HTTP port, so let’s take a shot at it.
I clicked on the site/ directory and it redirected to a static webpage.
After this I started to do some directory listing using the dirsearch tool.
I attempted to access those available directories, but I wasn’t able to find anything useful except a directory called site/wordpress. So I again tried to find more directories using the same tool on site/wordpress.
Then I attempted to access /site/wordpress/config.php.
Unfortunately, nothing was found. I again visited /site and that’s when I noticed a webpage named “Buscar”, which means “to find” in Spanish. I accessed the Buscar webpage.
I saw a ‘=’ symbol in the URL. That’s when I realized there’s a chance for an OS Command Injection. So I intercepted the request in Burp Suite for more flexibility. And after intercepting, I sent the captured request to “Repeater”.
Then I encoded the command “cat wordpress/config.php” in URL encoding format and sent it in the request.
I tried the database username and password for the SSH remote login. But it wasn’t successful. So I had to do more research. Finally, I identified that the “/etc/passwd” file was available. So I encoded the command and sent it.
This is where I realized that the database username and password which I found earlier belong to the username jangow01. So I crosschecked the /etc/passwd file and the wordpress/config.php file. That’s when I had a thought to try the username (jangow01) from the passwd file and the database password (abygurl69) from the config file. It worked out !!! Hooray. I got into the system.
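From the defender's side, the two requests described above (a URL-encoded "cat wordpress/config.php" and a read of /etc/passwd passed in a query parameter) leave a clear trace in the web server's access log. The following is an added example, not part of the original walkthrough: a small scanner that URL-decodes query parameters and flags values that look like shell commands. The log lines, the /site/search.php path, the q parameter name and the rule set are constructed for illustration; the walkthrough does not give the real page or parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not taken from the VM).
# The path and parameter name are placeholders; the walkthrough does not give them.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2021:10:00:01 +0000] "GET /site/search.php?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.66 - - [04/Nov/2021:10:02:13 +0000] "GET /site/search.php?q=cat%20wordpress%2Fconfig.php HTTP/1.1" 200 930 "-" "Mozilla/5.0"
192.0.2.66 - - [04/Nov/2021:10:03:40 +0000] "GET /site/search.php?q=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
192.0.2.11 - - [04/Nov/2021:10:05:00 +0000] "GET /site/search.php?q=black+cat+toys HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Heuristic rules applied to the *decoded* parameter value (tune per application).
RULES = {
    "shell-metachar": re.compile(r"[;|`]|&&|\$\("),
    "sensitive-path": re.compile(r"/etc/(passwd|shadow)|config\.php"),
    "command-plus-path": re.compile(r"^\s*(cat|ls|id|uname|whoami|wget|curl)\b.*[/.]"),
}

def scan(log_text):
    """Return (client_ip, param, decoded_value, [rule names]) per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        # parse_qsl decodes both %XX and '+', so the rules see what the server saw.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = [rule for rule, rx in RULES.items() if rx.search(value)]
            if hits:
                findings.append((ip, name, value, hits))
    return findings

if __name__ == "__main__":
    for ip, name, value, hits in scan(SAMPLE_LOG):
        print(f"{ip} {name}={value!r} -> {', '.join(hits)}")
```

Matching on the decoded value is what catches the encoded requests; the ordinary search "black cat toys" is not flagged because the command rule only fires when the value starts with a command name followed by a path-like argument.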
I redirected to the home folder of the user jangow01 and I found the user flag.
The final task is to access the root flag. As always, we have to escalate our user privilege to root user. So for that I tried the command “uname -a” to find the kernel version.
I researched kernel-level vulnerabilities for this machine’s kernel version and I found one exploit in the Exploit-DB.
I used the FTP (credentials used to access SSH) to upload the exploit into the machine.
Then I compiled the exploit using the gcc command.
I ran the exploit.
I achieved root access.
I redirected to the root directory and opened the “proof.txt” a.k.a. the root flag file.
Completed !!!