Doubletrouble 1 Walkthrough

Mridul Bhardwaj
3 min readOct 6, 2021

Doubletrouble 1 walkthrough from vulnhub

Host discovery

VM running on 192.168.2.4

Scanning target for further enumeration

Port 80 open

Opening web page as port 80 is open

Trying directory brute force using gobuster

Endpoint with “secret”

Opening /secret endpoint

1 image in the endpoint

Opening image

There is only an image in secret endpoint so, there is a great chance of steganography on image

Using stegseek to extract hidden file from image

Logging in with details

We have a endpoint to upload files to server

Upload option does not have a check over the files which are uploaded

Uploading reverse PHP shell

Listening with netcat
executing uploaded PHP shell

Got reverse shell

Spawning user to shell

non root shell

Privilege escalation

Checking for programs which run with root privileges without password

We got awk

Checking GTFOBins for awk

We got Root shell

Inside root directory we have another machine

Hosting the VM, it has a name “inner”

Scanning for VM

192.168.2.5

Scanning services

This form is vulnerable to SQL injection

Found Database name using Sqlmap

Found table with name “users”

Found table contains credentials

Trying SSH using found users

Got initial shell

Privilege Escalation

Kernel is vulnerable to Dirty cow exploit

We can login with new user firefart with root privileges

We got the flag

Conclusion: This is an easy machine but getting machine inside a machine is quite exciting and new for me. Overall this was a great machine and it was fun to crack it.

--

--

Mridul Bhardwaj

CEH v10 | CCNA v7 | OSCP aspirant | System and Network Penetration Tester