Machine: https://www.vulnhub.com/entry/jangow-101,754/ Machine Author: Jangow

Nmap

# Nmap 7.94SVN scan initiated Thu Jan  9 06:06:54 2025 as: /usr/lib/nmap/nmap -Pn -p- -A -T4 -oN scan.txt 192.168.56.118
Nmap scan report for 192.168.56.118
Host is up (0.00076s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
MAC Address: 08:00:27:C6:3D:E5 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.16 - 4.6 (97%), Linux 3.2 - 4.9 (97%), Linux 4.4 (97%), Linux 3.13 (94%), Linux 4.2 (94%), Linux 3.13 - 3.16 (91%), OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1 or 4.4) (91%), Linux 4.10 (91%), Linux 5.1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.76 ms 192.168.56.118

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan  9 06:08:37 2025 -- 1 IP address (1 host up) scanned in 103.18 seconds

We can see that there are only two ports open ftp and http. Let’s see if we can anonymous ftp on.

1

Seems not. Let’s check out the website see what we can find there.

2

We get this listing, let’s go ahead and open it

3

We are greeted with this webpage.

Looking around there isn’t much of interest, nothing much in the source code either except for the link for buscar. Let’s go ahead and visit that.

4

That gives us an empty page. Seeing that there is a GET parameter we can try to see if it’s an LFI. Trying /etc/passwd or ../../../../../../etc/passwd didn’t yield any results.

We can try and see if it is a command injection perhaps.

5

There we go, it was a command injection after all.

Let’s go ahead and see if we can get a shell from this.

After trying various shell commands, it seems we are not able to make a reverse connection. Then the only option left is to use the webshell as it is and perform manual enumeration to see if we can find any credentials.

Looking around we run into a config.php in the wordpress folder

6

<?php
$servername = "localhost";
$database = "desafio02";
$username = "desafio02";
$password = "abygurl69";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $database);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
mysqli_close($conn);
?>

We can see some mysql credentials. Let’s see if we can use these to connect to the ftp service using these credentials.

7

Seems not. Let’s look at what other users are there in the system by looking at the /etc/passwd file

root:x:0:0:root:/root:/bin/bash
<SNIP>
jangow01:x:1000:1000:desafio02,,,:/home/jangow01:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:111:118:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:112:119:MySQL Server,,,:/nonexistent:/bin/false

We can see a jangow01 account with desafio02 as it’s user ID info. Let’s see if we can use this username with the password from the config.php file to login into the ftp service.

8

There we go, we were able to connect successfully, we are able to access the server using ftp, but that doesn’t really get us as far except for the user.txt file.

I then tried to get a web shell again. I tried using the 443 port to see if that would work and sure enough that worked to get me a shell

10

After looking around, I didn’t really find any manual way of exploiting to get root. So I ran linpeas to see if I could find anything else

11

Turns out there is a kernel exploit to get root, but that usually is not the intended way of solving these, but since there wasn’t anything else we can just go ahead and use the kernel exploit. I went ahead with using PwnKit (https://github.com/ly4k/PwnKit) since that is the easiest to use.

12