Doubletrouble 1 walkthrough from vulnhub

Host discovery

Scanning target for further enumeration

Opening web page as port 80 is open

Trying directory brute force using gobuster

Opening /secret endpoint

Opening image

There is only an image in secret endpoint so, there is a great chance of steganography on image

Using stegseek to extract hidden file from image

Logging in with details

We have a endpoint to upload files to server

Upload option does not have a check over the files which are uploaded

Uploading reverse PHP shell

Got reverse shell

Spawning user to shell

Privilege escalation

Get Mridul Bhardwaj’s stories in your inbox

Join Medium for free to get updates from this writer.

Checking for programs which run with root privileges without password

Checking GTFOBins for awk

We got Root shell

Inside root directory we have another machine

Hosting the VM, it has a name “inner”

Scanning for VM

Scanning services

This form is vulnerable to SQL injection

Found Database name using Sqlmap

Found table with name “users”

Found table contains credentials

Trying SSH using found users

Privilege Escalation

Kernel is vulnerable to Dirty cow exploit

We can login with new user firefart with root privileges

We got the flag

Conclusion: This is an easy machine but getting machine inside a machine is quite exciting and new for me. Overall this was a great machine and it was fun to crack it.