Me and My Girlfriend: 1 vulnhub walkthrough

Me and My Girlfriend: 1 | Me and My Girlfriend: 1

Hello friends, Welcome back for another Vulnhub Me and My Girlfriend: 1 CTF Walkthrough. this VM is made by TW1C3 and Difficulty Level is Beginner You can download here

Description

This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!

Network Scanning

Every time our first step is finding our target IP

netdiscover
 Me and My Girlfriend: 1  vulnhub walkthrough

In my case, my target Ip address is 192.168.1.15 our next step is nmap scanning running ports and services

nmap -A 192.168.1.15
 Me and My Girlfriend: 1  vulnhub walkthrough

Enumeration

I open target IP address our browser and We see a message who are you? hacker?

http://192.168.1.15
 Me and My Girlfriend: 1  vulnhub walkthrough

from the landing page, I didn’t find anything useful then I reading the source code landing page and we see a comment ( Maybe you can search how to user x-forwarder-for )

view-source:http://192.168.1.15/
 Me and My Girlfriend: 1  vulnhub walkthrough

well, we can easily do that using burp. So I open burp suite and click on the Options tab and added the header like this

X-Forwarded-For: localhost

And again refresh the page and I capture the request and we see replaced header our header is successful set now forward the request

 Me and My Girlfriend: 1  vulnhub walkthrough

After forward the burp suite request landing page is redirecting another URL and we see a login portal

http://192.168.1.15/?page=index

I click the register link and create a new user my name

login with the previous register user

http://192.168.1.15/index.php?page=login
 Me and My Girlfriend: 1  vulnhub walkthrough

I found a sql injection vulnerable URL user_id= Now using the vulnerability we see all user information changing user_id value

http://192.168.1.15/index.php?page=profile&user_id=12

again I click the profile link and using burp suite captures the request and send the request repeater

 Me and My Girlfriend: 1  vulnhub walkthrough

Now I start changing user_id and I found a valid-user Alice we see the response page

I tried to log in this username and password ssh connection and me successful login with Alice user then I ran the ls -lsa command and we see the terminal output all hidden file and directory

ssh [email protected]
ls -lsa

move on the .my_secret directory and again run ls command I found our first flag1.txt

cd .my_secret
ls
cat flag1.txt
Me and My Girlfriend: 1  vulnhub walkthrough

Privilege Escalation

Without wasting our time, I looked for sudo rights and I found that Alice can run the php command using sudo without root password

sudo -l

I create a variable and adding shell name /bin/bash our next step is executing the variable command using sudo /usr/bin/php/php

variable="/bin/bash"

sudo /usr/bin/php -r "system('$variable');"

We got the root shell through this script I move on root user home directory reading our last flag

cd /root
cat flag2.txt
EVM 1 Vulnhub CTF Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →