Me and My Girlfriend: 1 Vulnhub Walkthrough | Me and My Girlfriend: 1 Vulnhub Writeup
Hello friends, Welcome back for another Vulnhub Me and My Girlfriend: 1 CTF Walkthrough. this VM is made by TW1C3 and Difficulty Level is Beginner You can download here
Description
This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!
Network Scanning
Every time our first step is finding our target IP
netdiscover

In my case, my target Ip address is 192.168.1.15 our next step is nmap scanning running ports and services
nmap -A 192.168.1.15

Enumeration
I open target IP address our browser and We see a message who are you? hacker?
http://192.168.1.15

from the landing page, I didn’t find anything useful then I reading the source code landing page and we see a comment ( Maybe you can search how to user x-forwarder-for )
view-source:http://192.168.1.15/

well, we can easily do that using burp. So I open burp suite and click on the Options tab and added the header like this
X-Forwarded-For: localhost

And again refresh the page and I capture the request and we see replaced header our header is successful set now forward the request

After forward the burp suite request landing page is redirecting another URL and we see a login portal
http://192.168.1.15/?page=index

I click the register link and create a new user my name

login with the previous register user
http://192.168.1.15/index.php?page=login

I found a sql injection vulnerable URL user_id= Now using the vulnerability we see all user information changing user_id value
http://192.168.1.15/index.php?page=profile&user_id=12

again I click the profile link and using burp suite captures the request and send the request repeater

Now I start changing user_id and I found a valid-user Alice we see the response page

I tried to log in this username and password ssh connection and me successful login with Alice user then I ran the ls -lsa command and we see the terminal output all hidden file and directory
ssh [email protected]
ls -lsa
move on the .my_secret directory and again run ls command I found our first flag1.txt
cd .my_secret
ls
cat flag1.txt

Privilege Escalation
Without wasting our time, I looked for sudo rights and I found that Alice can run the php command using sudo without root password
sudo -l
I create a variable and adding shell name /bin/bash our next step is executing the variable command using sudo /usr/bin/php/php
variable="/bin/bash"
sudo /usr/bin/php -r "system('$variable');"
We got the root shell through this script I move on root user home directory reading our last flag
cd /root
cat flag2.txt

