VulnHub Practice Notes (JANGOW: 1.0.1)

Author: AILX10
  • English name: Jangow: 1.0.1
  • Chinese name: Jango: 1.0.1
  • Published date: November 4, 2021
  • Difficulty: Easy
  • Description: The secret of this box is enumeration! Inquiries: [email protected]
  • Download link: https://www.vulnhub.com/entry/jangow-101,754/

1. Note the target's IP address and scan its ports

[Figure: IP address]

Ports 21 and 80 are open

[Figure: Port scanning]

2. Visit the web page and see the code execution

A free, responsive, one page Bootstrap theme created by Start Bootstrap.

[Figure: Leads page]

3. Look through the pages for hidden information and find .backup

[Figure: Search for clues]

4. View .backup, which is a piece of PHP code that connects to MySQL

[Figure: Keep track of leads]

$servername = "localhost"; 
$database = "jangow01"; 
$username = "jangow01"; 
$password = "abygurl69"; 

// Create connection 
$conn = mysqli_connect($servername, $username, $password, $database); 
// Check connection 
if (!$conn) 
{ 
die("Connection failed: " . mysqli_connect_error()); 
} 
echo "Connected successfully"; 
mysqli_close($conn); 
           

5. Try to log in (jangow01/abygurl69)

[Figure: Login to the target machine is successful]
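
Seen from the defender's side, steps 4 and 5 come down to a leftover copy of a PHP file under the web root that holds literal credentials, which then also worked for a system login. The audit script below is an added example, not part of the original write-up; the file-name patterns, the variable-name patterns and the sample tree with placeholder credentials are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Names that usually mean "leftover copy of a source file" (assumed list, extend as needed).
BACKUP_NAME = re.compile(r"(\.(bak|backup|old|orig|save|swp)|~)$", re.I)
# PHP assignment of a string literal to a credential-like variable (assumed name patterns).
CRED_ASSIGN = re.compile(r"\$(\w*(?:pass|pwd|secret|user)\w*)\s*=\s*([\"'])(.+?)\2", re.I)


def find_exposed_credentials(docroot):
    """Return sorted (relative path, line number, variable) hits; values are never echoed."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not BACKUP_NAME.search(name):
                continue  # only leftover copies are audited here
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    lines = fh.read(1 << 20).splitlines()  # cap at 1 MiB per file
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for lineno, line in enumerate(lines, 1):
                for m in CRED_ASSIGN.finditer(line):
                    findings.append((os.path.relpath(path, docroot), lineno, m.group(1)))
    return sorted(findings)


def demo():
    """Build a constructed document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site"))
        # Constructed sample mirroring the shape of the .backup file above.
        sample = ('$servername = "localhost";\n'
                  '$username = "example_user";\n'
                  '$password = "example-password";\n')
        for rel in (".backup", os.path.join("site", "config.php.bak"),
                    os.path.join("site", "config.php")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(sample)
        return find_exposed_credentials(root)


if __name__ == "__main__":
    for path, lineno, var in demo():
        print(f"{path}:{lineno}: literal assigned to ${var}")
```

Any hit means the file should be removed from the web root and the credential rotated, including on every other service where the same password is in use.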

6. Check the system information and get the ordinary user credentials; there is no root access, so the root credentials cannot be obtained

[Figure: ubuntu]

[Figure: user.txt]

[Figure: The root directory is not accessible]

7. Search for vulnerabilities in this Ubuntu system; there is indeed a privilege escalation vulnerability

┌──(root㉿kali)-[/home/ailx10]
└─# searchsploit ubuntu 4.4.0
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                       |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                 | linux/dos/43234.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation     | linux_x86-64/local/40871.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)                                                 | linux/dos/41457.c
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                                  | linux/local/41458.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalat | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Esc | windows_x86-64/local/47170.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                        | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                               | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation    | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Esca | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation               | linux/local/41760.txt           

Files that can be used for privilege escalation:

  • linux/local/45010.c (tested: privilege escalation works)
  • linux/local/44298.c (tested: privilege escalation does not work)
  • linux_x86-64/local/44300.c

8. Try FTP login

[Figure: FTP login]

9. Try to upload the file over FTP

[Figure: Uploading the file over FTP]

10. After compiling a.out, I was about to escalate privileges, but I found that / could not be typed

[Figure: Compiled privilege escalation program]

Try using . + Tab to trigger /; this method indeed works, 45010.c can indeed escalate privileges, and the credentials in the root directory were successfully found

[Figure: The escalation was successful]

At this point, the experiment is complete~

Posted on 2022-08-20 20:59