Me and My Girlfriend: 1 Walk-through
Hey guys! I hope you are all doing well. Let's get started with the VulnHub machine Me and My Girlfriend: 1. Link: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/
Index :-
1. Network Scanning
a.) Identifying the target with nmap
b.) Service and port scanning with nmap
2. Web Enumeration and Exploitation
a.) Source code
b.) Burp Suite X-Forwarded-For
c.) Vulnerable URL
3. User shell
4. Privilege escalation
Network Scanning :-
“#nmap -sn 192.168.43.1/24”

“#nmap -sT -p- -vv ”

Web Enumeration and Exploitation:-
Here I used my Firefox browser to open the website.

We can see there is a line of text written on the screen. Next comes source code analysis: I pressed “Ctrl+U” to open the source code of the page.

There is a comment here focusing on the X-Forwarded-For HTTP header.
So I quickly fired up Burp Suite. In the Proxy options there is a setting called “Match and Replace”, and there I added the X-Forwarded-For HTTP header.


Now I refreshed the web page and captured the request in Burp Suite, with our X-Forwarded-For header enabled.

Now we are in, so I tried to register on the web server.
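As an added example (not code from the target machine or from the original walkthrough), the code below contrasts an access check that believes a client-supplied X-Forwarded-For header with one that honours it only when the connection comes from a known reverse proxy. It assumes the site gated access on that header, which the page does not show; the networks, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed values for illustration (assumptions, not from the walkthrough).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]      # clients allowed in
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.10/32")]  # our reverse proxy


def _in(addr, nets):
    return any(addr in net for net in nets)


def client_ip_naive(peer, headers):
    """Weak: takes the client address from a header the client controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer


def client_ip_hardened(peer, headers):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy."""
    if not _in(ipaddress.ip_address(peer), TRUSTED_PROXIES):
        return peer  # direct connection: the header is ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    # Walk right to left: the first hop that is not one of our proxies is
    # the client; everything to its left was supplied by that client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed or empty entry: fall back to the peer
        if not _in(addr, TRUSTED_PROXIES):
            return str(addr)
    return peer


def is_allowed(ip):
    """Allowlist decision; anything that is not a valid address is denied."""
    try:
        return _in(ipaddress.ip_address(ip), ALLOWED_NETS)
    except ValueError:
        return False


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.20.0.5"}  # constructed request header
    peer = "192.168.43.50"                      # constructed direct client
    print("naive:   ", is_allowed(client_ip_naive(peer, spoofed)))
    print("hardened:", is_allowed(client_ip_hardened(peer, spoofed)))
```

The address seen on the TCP connection is the only value the server observes itself, so the hardened check falls back to it whenever the header is absent, malformed, or arrives from anywhere other than the proxy.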


As you can see, we registered successfully and the URL shows the user ID, so I changed the user ID from 12 to 5.

Here I got the user ID and password of “alice”, which is our target, by pressing “Ctrl+U” to view the source code.

We got the password too.
User Shell:-
With the username and password that we enumerated from the web application, alice:4lic3, I tried to connect over SSH.

I successfully obtained an SSH shell as “alice” and found both the “flage.txt” and “my_note.txt” files in the “.my_secret” folder.
Now it's time for privilege escalation.
Privilege Escalation:-
I changed directory to “/var/www/html/”, where the web server's files are stored, and there I found a “config” folder containing a “config.php” file, which may hold some configuration details.

After reading “config.php” I got the root user's password, so I tried to obtain a root shell.


I successfully rooted this machine and completed the challenge.