Vulnhub Me and My Girlfriend: 1 Walkthrough

I'm teaching a class this weekend, but my time is limited, so instead of building something from scratch I thought I would grab a couple of the more recent Vulnhub boxes to see if there's anything I can use instead.  This box is perfect because I've wanted to give a brief primer on Burp, and to make the pwning easier, Burp comes in handy, as you'll soon discover.

Without giving away too much, we kick off with Nmap:

SSH and web; we focus on the web server with Nikto:

A few tidbits to work with.  First, let's check out the web site:

Let's view the source:

OK, I see where this is going.  Let's continue enumerating what Nikto uncovered first, though...

We find a note and view it:

Nothing of use.  We check out the /misc folder:

I try to do a few things with this, but get nowhere.  Checking out /config:

We can't do anything with that, so we circle back to the message in the source.  If we take one of our requests in the Burp history and send it over to Repeater, we can modify it:

When we hit Go, we get a different message:

If we turn on Intercept and hit / from the browser, we can tamper with the request in Burp, adding the X-Forwarded-For header:

Now we're cooking:

We would have to do this with EVERY request, which could get annoying.  Or we can just add it to EVERY request we send from Burp instead:
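As an added example (my own code, not from the walkthrough or the box), here is why a "this site is local only" gate that trusts X-Forwarded-For falls to the header tampering above, and what the check should look like instead. It assumes the app wants a loopback client and that the spoofed header value is 127.0.0.1; the box's real check is not shown on the page, and the proxy address is constructed.

```python
# Added example: X-Forwarded-For is client-controlled, so it must never be
# the basis of an access decision unless it came from a proxy we operate.
from ipaddress import ip_address

# Constructed: the only hosts allowed to set X-Forwarded-For on our behalf.
TRUSTED_PROXIES = {"10.0.0.5"}


def _is_loopback(addr: str) -> bool:
    try:
        return ip_address(addr).is_loopback
    except ValueError:  # a malformed address in a header is never "local"
        return False


def is_local_weak(remote_addr: str, headers: dict) -> bool:
    """Flawed check (assumed to resemble the box): prefers the header over
    the TCP peer, so adding X-Forwarded-For: 127.0.0.1 in Burp passes."""
    xff = headers.get("X-Forwarded-For")
    client = xff.split(",")[0].strip() if xff else remote_addr
    return _is_loopback(client)


def effective_client_ip(remote_addr: str, headers: dict) -> str:
    """Hardened: honour X-Forwarded-For only when the TCP peer is one of our
    own proxies, and then take the rightmost hop (the address that proxy
    actually saw), never the leftmost, which any client can write."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def is_local_strong(remote_addr: str, headers: dict) -> bool:
    return _is_loopback(effective_client_ip(remote_addr, headers))


def spoof_suspected(remote_addr: str, headers: dict) -> bool:
    """Detection: a peer that is not our proxy yet claims a loopback address
    in X-Forwarded-For is exactly what the Burp trick looks like in logs."""
    xff = headers.get("X-Forwarded-For")
    if not xff or remote_addr in TRUSTED_PROXIES:
        return False
    return any(_is_loopback(h.strip()) for h in xff.split(","))
```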





Now we're able to browse with Intercept turned off.  I set up an account:

And then I log in with my newly created account:

I do some poking around.  I try SQL injection and I try LFI, but I don't get anywhere.  From the Dashboard we find:

If we choose Profile:

We see an ID in the URL.  Let's change that to 1:

Change is disabled, but we can unmask the password field:

If we change the input type to text:

We are now able to see the password.  We can also see it in the "value" field. 

We move to id=2:

Each time I reveal a password, I attempt to SSH with the account.  I work my way through IDs 1-4, but 5 is where we strike gold:

When we attempt to log in:

Excellent!  We check out the environment and we get the flag:

We do some basic enumeration, and when we run sudo -l, we discover:

We put PHP in interactive mode and execute a shell:

With our handler set up:

And that's a wrap!