Me and My Girlfriend: 1 vulnhub walkthrough

Me and My Girlfriend: 1 Vulnhub Walkthrough | Me and My Girlfriend: 1 Vulnhub Writeup

Hello friends, Welcome back for another Vulnhub Me and My Girlfriend: 1 CTF Walkthrough. this VM is made by TW1C3 and Difficulty Level is Beginner You can download here

Description

This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!

Network Scanning

Every time our first step is finding our target IP

 Me and My Girlfriend: 1  vulnhub walkthrough

In my case, my target Ip address is 192.168.1.15 our next step is nmap scanning running ports and services

 Me and My Girlfriend: 1  vulnhub walkthrough

Enumeration

I open target IP address our browser and We see a message who are you? hacker?

 Me and My Girlfriend: 1  vulnhub walkthrough

from the landing page, I didn’t find anything useful then I reading the source code landing page and we see a comment ( Maybe you can search how to user x-forwarder-for )

 Me and My Girlfriend: 1  vulnhub walkthrough

well, we can easily do that using burp. So I open burp suite and click on the Options tab and added the header like this

And again refresh the page and I capture the request and we see replaced header our header is successful set now forward the request

 Me and My Girlfriend: 1  vulnhub walkthrough

After forward the burp suite request landing page is redirecting another URL and we see a login portal

I click the register link and create a new user my name

login with the previous register user

 Me and My Girlfriend: 1  vulnhub walkthrough

I found a sql injection vulnerable URL user_id= Now using the vulnerability we see all user information changing user_id value

again I click the profile link and using burp suite captures the request and send the request repeater

 Me and My Girlfriend: 1  vulnhub walkthrough

Now I start changing user_id and I found a valid-user Alice we see the response page

I tried to log in this username and password ssh connection and me successful login with Alice user then I ran the ls -lsa command and we see the terminal output all hidden file and directory

move on the .my_secret directory and again run ls command I found our first flag1.txt

Me and My Girlfriend: 1  vulnhub walkthrough

Privilege Escalation

Without wasting our time, I looked for sudo rights and I found that Alice can run the php command using sudo without root password

I create a variable and adding shell name /bin/bash our next step is executing the variable command using sudo /usr/bin/php/php

We got the root shell through this script I move on root user home directory reading our last flag

EVM 1 Vulnhub CTF Walkthrough link