In this article we will try to gain root access to the machine Me and my girlfriend, which is available on VulnHub.
The first step is to find the IP address of the target machine; for that we used the command netdiscover -i wlan0
The next step is to check for open ports, and for that we used the command: nmap -p- -A 192.168.43.185
We can see that two ports are open: 22 (SSH) and 80 (HTTP). So we decided to browse the HTTP service. Open the browser and type in the URL http://192.168.43.185:80
This is the message we got when we accessed the webpage, and it contains a hint: "This site Can Only Be Accessed local !"
So we decided to open the source code to look for any kind of hint.
And yes, there is a hint: X-Forwarded-For. Now we will intercept the request with Burp Suite and add the header line X-Forwarded-For:localhost so that the server treats the request as local.
Now click on Forward. Burp Suite captures another request from the same IP, so we added the same line again and clicked on Forward.
Now go back to the browser and we can see that the website has opened!
After trying a lot of vulnerabilities we failed to find any, so we chose the last option: register an account and then use those credentials to log in.
NOTE: As we are accessing this webpage "locally", to do anything on this website we need to capture each request and add the same line (X-Forwarded-For:localhost); otherwise you will be redirected to the same page we saw at the start. So remember this point!!!
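The "local only" gate on this box fails because the application believes whatever X-Forwarded-For says, and any client can set that header. The following is an added example (not code from the box or from this writeup) that puts the trusting check next to a hardened one and adds a detection hook. It models requests as WSGI-style environ dicts; the proxy address 10.0.0.2 and the sample client addresses are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed value: the one reverse proxy the hardened check is willing to believe.
TRUSTED_PROXIES = {"10.0.0.2"}


def _parse_ip(value: str) -> Optional[IPAddress]:
    """Parse one address; anything malformed (including the word 'localhost') becomes None."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_local_request_vulnerable(environ: Dict[str, str]) -> bool:
    """The pattern the box exhibits: if X-Forwarded-For is present, believe it outright.

    Any client can set the header, so the 'local only' gate is one header away from open.
    """
    addr = environ.get("HTTP_X_FORWARDED_FOR") or environ.get("REMOTE_ADDR", "")
    ip = _parse_ip(addr)
    return addr.strip() == "localhost" or (ip is not None and ip.is_loopback)


def client_ip(environ: Dict[str, str], trusted_proxies: Iterable[str]) -> Optional[IPAddress]:
    """Return the real client address, honouring X-Forwarded-For only when the TCP peer
    is a trusted proxy, and then only for the hops the trusted proxies appended."""
    trusted: Set[Optional[IPAddress]] = {_parse_ip(p) for p in trusted_proxies}
    remote = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if remote is None or remote not in trusted:
        # Direct connection: the socket peer is the only address we can trust.
        return remote
    hops = [_parse_ip(h) for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # Walk right to left: each trusted proxy appends the address it actually saw, so the
    # first non-proxy address from the right is the client. Anything the client wrote into
    # the header itself sits further left and is never reached.
    for hop in reversed(hops):
        if hop is None:
            return None  # malformed hop: refuse to guess rather than grant access
        if hop not in trusted:
            return hop
    return remote


def is_local_request_hardened(environ: Dict[str, str],
                              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    ip = client_ip(environ, trusted_proxies)
    return ip is not None and ip.is_loopback


def looks_spoofed(environ: Dict[str, str], trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """Detection hook: an X-Forwarded-For header on a connection that did not arrive through a
    trusted proxy was set by the client itself and is worth logging."""
    remote = _parse_ip(environ.get("REMOTE_ADDR", ""))
    return "HTTP_X_FORWARDED_FOR" in environ and remote not in {_parse_ip(p) for p in trusted_proxies}


if __name__ == "__main__":
    # Constructed environ standing in for the request sent through Burp in the writeup.
    spoofed = {"REMOTE_ADDR": "192.168.43.10", "HTTP_X_FORWARDED_FOR": "localhost"}
    print("vulnerable:", is_local_request_vulnerable(spoofed))
    print("hardened:  ", is_local_request_hardened(spoofed))
    print("spoofed?   ", looks_spoofed(spoofed))
```

The hardened check returns False for the Burp-modified request because the socket peer is not a trusted proxy, so the header is simply ignored; a direct connection from 127.0.0.1 still passes. The same design is what frameworks call a "proxy fix": forwarded headers are only meaningful once you know exactly which hosts are allowed to add them.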
OK, so now we clicked on the Register tab, intercepted the request and added that line too! Now switch back to the browser and we can see a simple form.
Now we fill in the details.
Now click on login, intercept the packet again and add that line as well.
Now we have registered successfully! Next, click on the login button to log into the website.
NOTE: From now on I will not show the intercepted packet after adding that line, so remember to intercept each request and add it; otherwise this website will not open!!
Now we used the credentials to log into the website. And yes, we are logged in successfully.
While exploring this website we went to the Profile section, where we found a form that lets us change the password. As we can see, the URL has an id parameter, which means we can change this id to any other id (starting from 1); there is a chance that we can access another user's account and then change that user's password to log into SSH.
That was what we expected to work, and yes, it worked: when we changed the id to 5 we can see that we are logged in as some other user.
The picture shown below clearly indicates that we are logged in as Alice Geulis, and instead of changing the password we used Inspect Element to read the password.
So now we have two things :
username : alice
password : 4lic3
We used these credentials to connect to the SSH server, and yes, we are in!
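Two separate weaknesses made the profile page give up Alice's account: the password-change handler takes the account to modify from the id in the URL rather than from the session (an insecure direct object reference), and the form pre-fills the stored plaintext password, which is why Inspect Element reveals it. The following added example (not code from the box or from this writeup) shows both handlers next to hardened versions. The in-memory user table is constructed; only the username alice and the password 4lic3 come from the writeup, the second account is made up.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


class User:
    def __init__(self, uid: int, username: str, secret: str) -> None:
        self.id = uid
        self.username = username
        self.secret = secret  # plaintext on the box; a salted hash on the hardened path


def make_users() -> Dict[int, User]:
    """Constructed user table: 'alice' matches the writeup, the other account is made up."""
    return {5: User(5, "alice", "4lic3"), 7: User(7, "newuser", "hunter2")}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def change_password_vulnerable(users: Dict[int, User], session: dict, params: dict) -> int:
    """Trusts the id taken from the URL, so any logged-in user can rewrite any account."""
    target = users[int(params["id"])]
    target.secret = params["new_password"]
    return target.id


def change_password_hardened(users: Dict[int, User], session: dict, params: dict) -> int:
    """Binds the write to the authenticated principal. A URL id that disagrees with the
    session is refused, and the PermissionError is the event to alert on in the logs."""
    uid = session["user_id"]
    requested = params.get("id")
    if requested is not None and int(requested) != uid:
        raise PermissionError(f"user {uid} attempted to modify account {requested}")
    users[uid].secret = hash_password(params["new_password"])
    return uid


def profile_form_vulnerable(user: User) -> str:
    """Pre-fills the stored password into the form, which is exactly what Inspect Element shows."""
    return f'<input name="password" value="{user.secret}">'


def profile_form_hardened(user: User) -> str:
    """Never echoes the secret; with hashed storage the server cannot recover it anyway."""
    return ('<input name="current_password" type="password" autocomplete="current-password">'
            '<input name="new_password" type="password" autocomplete="new-password">')


if __name__ == "__main__":
    users = make_users()
    try:
        change_password_hardened(users, {"user_id": 7}, {"id": "5", "new_password": "x"})
    except PermissionError as exc:
        print("refused:", exc)
```

Note that the hardened handler does not validate the id parameter and then use it; it ignores it for the write entirely and uses the session's user id, which is the only authorisation-relevant identity the server actually has.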
Now we use sudo -l to check the permissions.
And yes! This user can execute PHP files as sudo. So I downloaded the reverse shell.php file from pentest monkey onto our machine, made the necessary changes by setting lhost and lport in the code, started an HTTP server with python -m SimpleHTTPServer, and then downloaded the PHP file on the target machine using wget.
Now we have to execute this malicious PHP code with the command: sudo php shell.php, but before that we started an nc listener with the command: nc -nlvp 4444
The PHP script executed successfully and we have a root shell on our Kali Linux machine.
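The root shell is the direct result of a sudo rule that lets an unprivileged user run an interpreter as root: whatever the PHP file contains runs with root privileges, so the rule is equivalent to granting a root shell. The following added example (not code from the box or from this writeup) is a small auditor that reads the command section of `sudo -l` output and flags rules of that kind, which is a quick way to find the same misconfiguration across a fleet. The sample output is constructed; the NOPASSWD tag and the hostname are assumptions, not taken from the box.

```python
import posixpath
import re
from typing import Dict, List

# Interpreters and shells that turn a sudo rule into a full root session.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "php", "python", "python2", "python3",
                "perl", "ruby", "node"}

# One command line of `sudo -l` output: "(runas) TAG: cmd1, cmd2".
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def audit_sudo_entries(sudo_l_output: str) -> List[Dict[str, str]]:
    """Return the risky command entries found in `sudo -l` output.

    A rule is flagged when it is unrestricted (ALL) or when the program is an
    interpreter or shell, regardless of arguments: a user who can supply the
    script (as on this box) controls everything the interpreter does as root.
    """
    findings: List[Dict[str, str]] = []
    for line in sudo_l_output.splitlines():
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, "Matching Defaults" block or blank line
        tags = match.group("tags").replace(" ", "")
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            program = cmd.split()[0] if cmd else ""
            if cmd == "ALL":
                reason = "unrestricted"
            elif posixpath.basename(program) in INTERPRETERS:
                reason = "interpreter"
            else:
                continue
            findings.append({"runas": match.group("runas").strip(), "command": cmd,
                             "tags": tags, "reason": reason})
    return findings


# Constructed sample in the shape of `sudo -l` output; hostname and NOPASSWD are assumptions.
SAMPLE_SUDO_L = """Matching Defaults entries for alice on target:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for finding in audit_sudo_entries(SAMPLE_SUDO_L):
        print(f"{finding['reason']:12} runas={finding['runas']:6} {finding['tags']} {finding['command']}")
```

The usual remediation is to remove the interpreter rule or pin it to a specific root-owned, non-writable script with fixed arguments; the auditor deliberately still flags the pinned form so that a reviewer looks at the script's ownership and permissions rather than trusting the path alone.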
Now we changed our directory to /root to read the final flag.
Done!! We gained root access!