Jangow
Hacking Jangow VM: Active Enumeration and Exploitation
HACKS
Ryan Pearson, CNVP
2/8/20254 min read
🍺 I am currently enjoying:
Olde Mother - It's Complicated
Table of Contents
Exploitation Mis-hacks
Introduction
Kia Ora, friends! If you've ever felt stuck after working through TryHackMe and HackTheBox, wondering how to level up your skills, this one's for you. In this tutorial, we're diving deep into real-world vulnerabilities using a home lab setup. Forget scripted challenges—this is an open-world approach to vulnerability discovery and exploitation.
Today, we're taking on Jangow VM from VulnHub, and along the way, I'll walk you through active enumeration techniques, uncovering potential weaknesses, and exploiting them to root the box. So grab a drink, fill that glass, and let’s brew up some fresh hacks!
The Importance of Enumeration
Reconnaissance is a critical phase in penetration testing, and enumeration is one of its most vital components. It’s like having a map before embarking on a journey—it saves time, reduces risk, and increases your chances of success. Our focus in this tutorial will be on active enumeration techniques to gather valuable intel on the target system.
Key Concepts:
- Open Ports: Entry points into a system that can be accessed remotely.
- Service and OS Versioning: Identifying running software to detect vulnerabilities.
And yes, we’ll be exploiting those vulnerabilities—but first, we have to find them!
Step 1: Initial Network Discovery with Nmap
First, we need to locate our target machine on the network. Since we’re assuming we don’t know the IP address, we’ll perform a host discovery scan using Nmap:
This reveals multiple hosts, including our target at 192.168.56.118.
Identifying Services and Open Ports
Next, we conduct a more detailed scan to determine which services are running:
Findings:
Apache 2.4.18 running on port 80
VSFTPD 3.0.3 running on port 21
Both of these could be potential entry points!
Step 2: Web Enumeration with Dirb
Since Apache is running, let's check for hidden directories and files using Dirb:
We discover a Buscar.php page, which could indicate a search function—often a goldmine for command injection vulnerabilities.
Enumeration Mishacks – What Didn’t Work (And Why)
One of my core principles with Brews 'n Hacks is sharing not just the right way to hack a machine, but also the wrong ways—the rabbit holes, the missteps, the head-scratching moments. I truly believe we learn from mistakes, and better yet, we can learn from someone else’s mistakes before making them ourselves.
So, if you’re following along with my Jangow VM walkthrough, here’s a collection of methods that did not work and why. Think of this as a pentesting blooper reel, except instead of just laughs, we get valuable lessons.
Enumeration Mishaps
Using the `-T2` Flag in Nmap
My initial Nmap scan included a `-T2` timing flag, which is great for staying stealthy in red team operations, but unnecessary for a home lab setup. Unless you're simulating an adversary, it's best to leave this out and keep things simple.
✅ Lesson learned: Use stealth flags only when necessary; they slow down your scans for no reason otherwise.
Ineffective Directory Busting with Dirb/Dirbuster
I ran Dirbuster expecting valuable directory enumeration results. The only semi-useful find was the PHP search page that we later exploited for command injection. Otherwise, Dirbuster didn’t provide any unique insights.
Then:
This didn't offer any more information than a simple, quick dirb scan. No need for any of this.
✅ Lesson learned: While directory busting is valuable, it won’t always yield useful results. Still worth trying on future tests!
Step 3: Command Injection via Buscar.php
Using Burp Suite, we intercept the request and test for command injection. After some experimentation, we find that using:
Successfully retrieves the first flag! 🚩
Step 4: FTP Exploitation
Since VSFTPD is running on port 21, we attempt to log in using credentials found in Buscar.php:
We successfully log in and navigate to `/home/jangow01/`, confirming our access.
Step 5: Privilege Escalation to Root
With user access secured, the next step is privilege escalation. We check for kernel vulnerabilities and find that the system is vulnerable to a Berkeley Packet Filter (BPF) exploit.
Compiling and Executing the Exploit
We download the exploit and compile it using GCC:
And just like that, we get root access! 🏆
Exploitation Mis-Hacks
Default Credentials – A Shot in the Dark
Tried the usual suspects:
`admin:admin`
`admin:password`
`admin:admin123`
None worked. A better approach would have been to identify the software or hardware vendor and research common default credentials.
✅ Lesson learned: Guessing default creds works only when the target uses them. Researching vendor defaults can be more effective.
Misguided Exploit Searches
I went down a CVE rabbit hole, searching for:
Apache 2.4.18 exploits
VSFTPD 3.0.3 exploits
Various Ubuntu-based vulnerabilities
While this was good practice, none of the findings were applicable because we already had a clear attack path via FTP.
✅ Lesson learned: If you already have a working attack path, don’t waste time forcing an exploit that isn’t necessary.
Metasploit Misfires
Blindly Searching for Exploits
I spent time scrolling through Metasploit’s Apache and Ubuntu exploit modules, hoping something would stand out. While this is a valid approach in some cases, it didn’t lead anywhere productive for Jangow.
✅ Lesson learned: Instead of blindly searching, make informed searches by cross-referencing CVEs with the exact versions found during enumeration.
Burp Suite Fumbles
When testing command injection in the URL, I initially failed because I wasn’t fully reading the vulnerability details. Instead of injecting commands directly into the URL parameter, I was trying unnecessary payloads.
✅ Lesson learned: Reading is fundamental. Always fully understand how an exploit works before testing it.
Privilege Escalation Woes
Kernel Exploits That Went Nowhere
Tried escalating privileges with:
CVE-2017-16995 (Linux Kernel 4.13.9)
Dirty COW (CVE-2016-5195)
Neither worked. While the kernel version seemed vulnerable, my execution must have been off—or the exploit was patched in this specific environment.
✅ Lesson learned: Kernel exploits require careful execution and troubleshooting. Always review documentation thoroughly.
FTP Session Timeouts
One minor annoyance: The FTP connection kept timing out, forcing me to log in multiple times.
✅ Lesson learned: If you're dealing with unstable services, expect frequent reconnections and plan accordingly.
Final Thoughts
I hope this breakdown of what didn’t work helps you troubleshoot your own pentesting adventures. Mistakes are just part of the process, but the more we document and reflect on them, the faster we improve.
Wrapping Up
This walkthrough covered the essential steps of: ✅ Identifying open ports and services using Nmap
✅ Discovering web vulnerabilities through Burp Suite
✅ Exploiting command injection and FTP misconfigurations
✅ Gaining root access via kernel exploitation
What's Next?
I’m planning to release more deep-dive pentesting tutorials every second Saturday of the month. If you found this guide helpful, please subscribe to Pints and Payloads and drop a comment with your thoughts!
Have you rooted Jangow VM? What was your approach? Let me know in the comments! 🚀
Resources
🔗 [Nmap Cheat Sheet](https://nmap.org/book/man.html)
🔗 [ExploitDB](https://www.exploit-db.com/)
🔗 [Burp Suite Guide](https://portswigger.net/burp)
Until next time—happy hacking! 🎩
KIA ORA!
