VulnHub: Me and My Girlfriend Walkthrough
MaMGF is a beginner-level VM by TW1C3, with a small storyline:
“Description: This VM tells us that there are a couple of lovers namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed from Alice’s attitude towards Bob like something is “hidden”, And Bob asks for your help to get what Alice is hiding and get full access to the company!”
Notes: there are 2 flag files
Learning: Web Application | Simple Privilege Escalation
Step 1: Enumeration
Kicking off a broad nmap scan, we can see there are not a tonne of ports open on this box, just 22 and 80:
A quick telnet to port 22 does not reveal any banner info (worth a check :p)
Taking a look on port 80, we don’t get much bar a snarky message (I also checked /robots.txt but there was only another message, “do more recon” etc.):
BUT.. checking the source of the index page we get a wee bit of info:
A quick Google to refresh my memory brings us to a nice article on what the X-Forwarded-For header is used for.
So what we can do is capture and amend the requests to our target, chucking in the “X-Forwarded-For: 127.0.0.1” header to spoof the client/originating IP. I fired up Burp and amended the request to the index page like so:
Now we can view the index page:
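To make clear why that header got us in, here is an added illustration (Python, not the VM's own PHP) of a "localhost only" page guard. The first resolver believes X-Forwarded-For outright, which is what the box does; the second only honours the header when the TCP peer is a proxy we operate, and walks the chain from the right so a client-supplied value can never become the decision. The proxy address and peer IPs are constructed for the example.

```python
import ipaddress

# Constructed example: a page that should only be reachable from localhost,
# guarded by a client-IP check. TRUSTED_PROXIES is a made-up reverse proxy.
TRUSTED_PROXIES = {"10.0.0.2"}


def client_ip_naive(peer_ip, headers):
    """Broken: believes X-Forwarded-For whenever a client sends it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_safe(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy.

    Walk the chain from the right (the hop nearest to us) and return the
    first address that a trusted proxy did not add itself; anything a
    client put in the header before reaching our proxy is left alone.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip  # direct connection: the socket address is the truth
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


def is_loopback(ip):
    """True only for a syntactically valid loopback address."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # garbage in the header never counts as local


def allow_local_only(peer_ip, headers, resolver=client_ip_safe):
    """Access decision for the hidden index page."""
    return is_loopback(resolver(peer_ip, headers))
```

With the naive resolver, a remote peer sending `X-Forwarded-For: 127.0.0.1` is admitted; with the safe resolver the same request is refused, and a genuine loopback connection still passes.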
So we can see we have a couple of different options. After checking each page out, there was nothing of interest bar the register/login pages.
I checked out the functions of these pages and ended up going down a bit of a rabbit hole because I thought I had found an LFI vulnerability, but that was not the case (wasted about 2 hours trying various types of LFI; maybe substitute “wasted” with “practiced”).
Now.. taking a look at the register page, it takes some basic info, so I create an account:
Sweet — Registered, now after logging in and flicking around it appears we have a Dashboard and a Profile page where we can edit/amend profile attributes.
One thing that immediately catches my eye is the format of the url upon login:
After testing out a couple of SQL injection options, I came to the conclusion SQLi was not the way in here (still in pain from the LFI trauma earlier, so I moved on quickly!).
I did find something of an IDOR vuln: we can change the id in the URL and view another user’s profile/settings (you see where this is going, I hope).
After incrementing through the user id values I get to.. Alice!
We can’t change her password unfortunately, but checking the source of the page we can see the password value is not hidden :)
Excellent, now from our previous nmap scan we know port 22 is open, so testing if we can SSH as Alice is a success:
One foot in…
After running ls -la (I am now pre-conditioned to run ls with the -la switch!!) we can see an interesting file:
Cat.. boom, first flag! Not too bad:
Now, lets get root!
Taking a poke around for incorrectly set permissions on binaries, we can see that Alice has access to run /usr/bin/php as root with no password; this should be easy!
Welp..
I tried many privilege escalation and shell spawning options, but any time I tried to run a binary I was cut off with “Alice does not have permission to run this /usr/bin/BLAH”.
This took me an hour and a bit of trying various methods, and I was feeling a bit discouraged (because I was sure there was a way to exploit the php binary and its perms).
I took another look around, and while browsing the dirs the PHP web app is hosted in I checked out process.php (used to register accounts).
Hmm, it is using this config file.. let’s take a look..
Uhhh.. Yay! Let’s see if those creds apply to the root account on the box..
Who would have thunk it.. creds hard coded into config files.. shaaa go figure..
After taking a look around, and browsing to the /root dir we see:
FLAG 2!!!1
Done! :)
Conclusion:
Although this box was technically pretty easy, it did throw me off a bit with methodology; having a brain hard-wired to do the quickest and most impulsive thing leads to being dragged down rabbit holes (I am working on this!).
What I have learned:
- Even if it looks like there is an obvious method of exploitation, enumerate more!
- PHP is the devil, but really powerful and I should read up to better understand it!
If you are here — thank you for taking the time to read this rambling!
Cheers,
Barry