The Jangow: 1.0.1 is a Linux machine (virtual OVA format). This machine was released on November 4th, 2021 and the developer of this machine is Jangow.
Download Jangow 1.0.1 from here.
Our goal is to import this machine into VirtualBox and capture the flags (user & root). The DHCP service in the machine is enabled automatically. Hence, the IP address will be assigned automatically.
So let’s import the virtual machine.
Let’s start the real attack. But before that, we need to do recon to gain more information.
sudo nmap -sV -A <ip>
Basic reconnaissance is complete. We now have 2 open ports, FTP (21) and HTTP (80) respectively.
I attempted to access FTP using the default anonymous credentials (anonymous:anonymous).
Unfortunately, the web server hasn’t configured the FTP with default credentials. Now we are left with the HTTP port, so let’s take a shot at it.
I clicked on the site/ directory and it redirected to a static webpage.
After this I started to do some directory listing using the dirsearch tool.
I attempted to access those available directories, but I wasn’t able to find anything useful except a directory called site/wordpress. So I again tried to find more directories using the same tool on site/wordpress.
Then I attempted to access /site/wordpress/config.php.
Unfortunately, nothing was found. I again visited /site and that’s when I noticed a webpage named “Buscar”, which means “to find” in Spanish. I accessed the Buscar webpage.
I saw a ‘=’ symbol in the URL. That’s when I realized there’s a chance for an OS Command Injection. So I intercepted the request in Burp Suite for more flexibility. And after intercepting, I sent the captured request to “Repeater”.
Then I encoded the command “cat wordpress/config.php” in URL encoding format and sent it in the request.
I tried the database username and password for the SSH remote login. But it wasn’t successful. So I had to do more research. Finally, I identified that the “/etc/passwd” file was available. So I encoded the command and sent it.
This is where I realized that the database username and password which I found earlier belong to the username jangow01. So I cross-checked the /etc/passwd file and the wordpress/config.php file. That’s when I had the thought to try the username (jangow01) from the passwd file and the database password (abygurl69) from the config file. It worked out!!! Hooray. I got into the system.
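Seen from the defender's side, the URL-encoded requests sent to the Buscar page above end up in the web server's access log, where they only stand out once the query values are percent-decoded. The following is an added example, not part of the original write-up: a small triage script over constructed log lines, in which the script name search.php, the parameter q and the client addresses are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample in Apache access-log style. search.php and q are
# hypothetical names; they are not taken from the target machine.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2021:10:00:01 +0000] "GET /site/search.php?q=hello HTTP/1.1" 200 312
192.0.2.10 - - [04/Nov/2021:10:00:09 +0000] "GET /site/search.php?q=cat%20wordpress%2Fconfig.php HTTP/1.1" 200 540
192.0.2.10 - - [04/Nov/2021:10:00:15 +0000] "GET /site/search.php?q=cat%2520%252Fetc%252Fpasswd HTTP/1.1" 200 1822
192.0.2.11 - - [04/Nov/2021:10:01:00 +0000] "GET /site/index.html HTTP/1.1" 200 10190
"""

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Heuristic for shell-looking query values (a triage aid, not a complete filter).
SUSPICIOUS = re.compile(
    r"\b(?:cat|ls|id|uname|whoami|wget|curl)\b\s+\S*[/.-]"  # command + path/flag
    r"|/etc/(?:passwd|shadow)"                               # sensitive files
    r"|[;|`]|\$\("                                           # shell metacharacters
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (client_ip, parameter, decoded_value) for each flagged query value."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(match.group(1)).query
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A match on the raw log line would miss the third request, because its payload is encoded twice; decoding before matching is what makes both requests visible.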
I redirected to the home folder of the user jangow01 and I found the user flag.
The final task is to access the root flag. As always, we have to escalate our user privilege to root user. So for that I tried the command “uname -a” to find the kernel version.
I researched kernel-level vulnerabilities for this machine’s kernel version and I found one exploit in Exploit-DB.
I used the FTP (credentials used to access SSH) to upload the exploit into the machine.
Then I compiled the exploit using the gcc command.
I achieved the root access.
I redirected to the root directory and opened the “proof.txt” a.k.a root flag file.