Read this in other languages: English, Français
- Difficulty : Easy
- Type : Realist / Web (not a boot 2 root machine)
- Technologies : PHP / MariaDB
- Network : DHCP
MyExpense is a deliberately vulnerable web application that allows you to train in detecting and exploiting different web vulnerabilities. Unlike a more traditional "challenge" application (which allows you to train on a single specific vulnerability), MyExpense contains a set of vulnerabilities you need to exploit to achieve the whole scenario.
As the application is deliberately vulnerable, it is not desirable to expose it on the Internet because other people than you will be able to access it. It is advisable to use a virtual machine (using for example the VirtualBox software) and to restrict the host/vulnerable machine connectivity (Host Private Network mode).
For training purposes, it is advised not to use tools for detecting or exploiting vulnerabilities (vulnerability scanner, etc) and not to look at the application source code (blackbox mode).
You are "Samuel Lamotte" and you have just been fired by your company "Furtura Business Informatique". Unfortunately because of your hasty departure, you did not have time to validate your expense report for your last business trip, which still amounts to 750 € corresponding to a return flight to your last customer.
Fearing that your former employer may not want to reimburse you for this expense report, you decide to hack into the internal application called "MyExpense " to manage employee expense reports.
So you are in your car, in the company carpark and connected to the internal Wi-Fi (the key has still not been changed after your departure). The application is protected by username/password authentication and you hope that the administrator has not yet modified or deleted your access.
Your credentials were: slamotte/fzghn4lw
Once the challenge is done, the flag will be displayed on the application while being connected with your (samuel) account.
It is easier to get the application by directly downloading the virtual machine in .vbox format:
The machine is in DHCP configuration, finding its IP address is part of the challenge (from version 1.2 the IP address is displayed when the box is started).
# docker-compose up -d
Access to the application must be done via http://myexpense-web. Therefore, it is necessary to add the following entry to the /etc/hosts file of the host machine:
127.0.0.1 myexpense-web
The IP address may be adjusted according to the system configuration.
During installation via a virtual machine, the first network interface must be set to either bridge or host_only mode.
Tested on Virtualbox 7.0.18 / Debian 12 (bookworm) / Python3 / Google Chrome 129.0.6668.58-1
You can install git tool to download the source files of the application:
# apt-get install git
# cd /tmp
# git clone https://github.com/Sharpforce/MyExpense.git
# /bin/bash /tmp/MyExpense/install/install.sh
The configuration of MyExpense application should now be accessible via the url http://your-ip/config/setup.php (it is possible that an error is displayed as long as the database is not created yet):
Verify database information the click on Create/Restore the database:
The installation is now complete, the application is available at http://your_ip_.
It is possible to restore the application database so that you can restart from the initial state. To do this, go to the url http://ip/config/setup.php then click on Create/restore the database. A message indicating that the operation has been carried out successfully should appear: