This was a very easy CTF, and I am dropping the description for this box below:

Description: This VM tells us that there are a couple of lovers, namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed in Alice’s attitude towards Bob, like something is “hidden”, and Bob asks for your help to get what Alice is hiding and get full access to the company!

Difficulty Level: Beginner
Notes: there are 2 flag files
Learning: Web Application | Simple Privilege Escalation

So let’s obtain the IP of the vulnerable machine. We know its MAC address is 08:00:27:15:F6:D4.

Let’s run an ARP scan on the bridged interface and grep for its IP using the MAC address.

Now we know the IP address of Alice’s computer is 192.168.56.106. Next, let’s run nmap and see what daemons are listening on open ports.

So there’s an Apache web server on port 80 and SSH open on port 22. Let’s check out the web server. We navigate to the IP in the browser and are greeted with this:

So let’s run a Dirb scan and see what directories we can enumerate. At the same time, it’s always good to check the page’s source code.

I found an interesting comment:

It says “maybe you can search how to use X-forward”, so all we have to do is add that header, which is easy to do using Burp. So I fired up Burp, added the target IP to the scope, turned on the Firefox proxy, and added the header like this:

And voila we’re in!
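The bypass works because the page decides who is “local” from a header the client controls. As an added example (not code from the write-up or the box, and assuming the hint refers to the X-Forwarded-For header), here is the vulnerable check beside a hardened version that only honours the header when the TCP peer is a known proxy, and even then walks the chain from the right to find the first hop that is not one of the site’s own proxies; the proxy range and the “admin network” are made-up values:

```python
from ipaddress import ip_address, ip_network

# Assumed deployment values (not from the write-up): the reverse-proxy tier
# and the network the hidden page was meant to be reachable from.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
ADMIN_NETWORK = ip_network("127.0.0.0/8")


def is_admin_vulnerable(headers, remote_addr):
    """Vulnerable pattern: a client-supplied header decides who is 'local'."""
    xff = headers.get("X-Forwarded-For")
    claimed = xff.split(",")[0].strip() if xff else remote_addr
    try:
        return ip_address(claimed) in ADMIN_NETWORK
    except ValueError:
        return False


def client_ip(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Resolve the real client: trust X-Forwarded-For only when the TCP peer
    is one of our proxies, and take the right-most hop that is not a proxy."""
    peer = ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return peer  # direct connection: the header is attacker-controlled
    xff = headers.get("X-Forwarded-For", "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the proxy address
        if not any(addr in net for net in trusted):
            return addr
    return peer


def is_admin_hardened(headers, remote_addr):
    """Hardened: the IP comes from the trusted chain, and it is only a network
    restriction; the page must still require an authenticated session."""
    return client_ip(headers, remote_addr) in ADMIN_NETWORK
```

The constructed peer 192.168.56.101 with a forged header passes the vulnerable check but not the hardened one; a real proxy appending the client address to the chain is also handled correctly.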

When I was doing this I got stumped kinda hard… In situations like this, I first like to try brute-forcing the login page or checking for SQL injection, which I did, and failed. I also played with the parameter for potential LFI, but even that didn’t work. So with no other option, I registered myself in the register area and logged in.

I log in and see this in the members area:

The thought is, if I’m user #12 then the first user must be the admin… Turns out that id=5 is Alice! And remember, we’re helping Bob hack Alice…

And her password is 4lice3

Now let’s go out on a limb and assume that Alice reuses the same password for SSH… And sure enough… We’re now alice.

So we look around and get flag #1: gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

Now we want the 2nd flag, so we want to be root… we don’t really care about Alice… she’s not root.

So we looked at alice’s sudo rights and fortunately found that she can run php through sudo. So we’re going to establish a reverse shell by setting up a netcat listener in a new terminal and running the php reverse shell command in alice’s SSH session. To do this we’ll have to know the IP of our local machine, which is 192.168.56.101.

The php reverse shell will be:

And that’s a wrap! We’ve got:

flag #1: gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

flag #2: gfriEND{56fbeef560930e77ff984b644fde66e7}

I hope you’ve enjoyed!

My Website: https://olivierlaflamme.github.io/

My GitHub: https://github.com/OlivierLaflamme

My WeChat QR below:

I like to learn, dig, search for problems, and find solutions. Don’t expect much from me. #CTF #VulnHub #Bug-Bounty