Hello friends, welcome back for another Vulnhub walkthrough: the Me and My Girlfriend: 1 CTF. This VM was made by TW1C3 and its difficulty level is Beginner. You can download it here.
This VM tells us that there is a couple, Alice and Bob, who were originally very romantic, but since Alice started working at a private company, “Ceban Corp”, something has changed in Alice’s attitude towards Bob, as if something is “hidden”. Bob asks for your help to get what Alice is hiding and get full access to the company!
As always, our first step is finding our target IP address.
In my case, the target IP address is 192.168.1.15. Our next step is an nmap scan for open ports and running services.
nmap -A 192.168.1.15
I opened the target IP address in our browser and we see the message: who are you? hacker?
I didn’t find anything useful on the landing page, so I read the page's source code and we see a comment ( Maybe you can search how to user x-forwarder-for )
Well, we can easily do that using Burp. So I opened Burp Suite, clicked on the Options tab and added the header like this
I refreshed the page again and captured the request, and we see the replaced header. Our header is successfully set, so now forward the request.
After forwarding the request in Burp Suite, the landing page redirects to another URL and we see a login portal.
I clicked the register link and created a new user with my name.
Then I logged in with the previously registered user.
I found a URL vulnerable to SQL injection, user_id=. Now, using the vulnerability, we can see all user information by changing the user_id value.
Again I clicked the profile link, captured the request using Burp Suite and sent it to Repeater.
Now I started changing user_id and I found a valid user, Alice, as we see in the response page.
I tried this username and password over an SSH connection and successfully logged in as the Alice user. Then I ran the ls -lsa command, and in the terminal output we see all hidden files and directories.
Move into the .my_secret directory and run the ls command again. I found our first flag, flag1.txt.
ls
cat flag1.txt
Without wasting our time, I looked for sudo rights and found that Alice can run the php command using sudo without the root password.
I created a variable holding the shell name, /bin/bash. Our next step is executing the variable's command using sudo /usr/bin/php
variable="/bin/bash"
sudo /usr/bin/php -r "system('$variable');"
We got the root shell through this script. I moved to the root user's home directory to read our last flag.
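The sudo rule for php is what turns the Alice account into root. As an added example (not part of the original walkthrough), this Python script audits the text output of `sudo -l` for rules that grant a shell-capable binary. The sample listing, the host name and the list of binaries are constructed for illustration.

```python
import re

# Binaries that can start arbitrary processes, so a sudo rule for one of them
# is as good as a root shell. Illustrative list, not exhaustive (assumption).
SHELL_CAPABLE = {"php", "python", "perl", "ruby", "lua", "node", "awk",
                 "find", "vim", "vi", "less", "env", "bash", "sh"}

# "(runas) TAG: TAG: cmd, cmd" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(listing):
    """Return one finding per risky rule in the text output of `sudo -l`."""
    findings = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        nopasswd = "NOPASSWD" in m.group("tags")
        runas = m.group("runas").split(":")[0].strip()
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            base = re.sub(r"[\d.]+$", "", name)  # php7.4 -> php
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif base not in SHELL_CAPABLE:
                continue
            elif len(parts) == 1:
                reason = f"{name} with free arguments runs any command"
            else:
                reason = f"{name} with pinned arguments: check they cannot be abused"
            findings.append({"runas": runas, "command": cmd,
                             "nopasswd": nopasswd, "reason": reason})
    return findings


# Constructed sample output; host name and the second rule are made up.
SAMPLE = """\
Matching Defaults entries for alice on example-host:
    env_reset, mail_badpass

User alice may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```

On the sample, only the php rule is reported. The fix is to remove the rule, or to replace it with a rule for one fixed, root-owned script.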