Capture the flag (CTF)

DOUBLETROUBLE 1 Vulnhub CTF Walkthrough Part 1

The goal of this capture the flag (CTF ) is to gain root access on the target machine. The difficulty level is marked as medium by the author. Prerequisites would be having some knowledge of Linux commands and the ability to run some basic pen-testing tools. There are also some hints provided by the author which could be helpful while solving the challenges.

The torrent downloadable URL is also available for this VM; it’s been added in the reference section of this article.

• https://download.vulnhub.com/doubletrouble/doubletrouble.ova 

Please note: I have used Oracle Virtual Box to run the downloaded machine for all of these machines. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

The steps

A summary of the steps required in solving this CTF:

1. Getting the target machine IP address by using Netdiscover 
2. Getting open port details by using the Nmap tool
3. Identifying Vulnerabilities in running web application
4. Enumerating application with Drib Utility
5. Cracking password with StegCracker

So, as we have all the information that we need to start, let us get started with the challenge.  

The walkthrough

Step 1

The first step to solving any CTF is to identify the target machine’s IP address. Since we are running a virtual machine in the same network, we can identify the target machine’s IP address by scanning and identifying all the IP addresses in the network command. We used the Arp-scan tool for this purpose, a default utility in Kali Linux. The output of the command can be seen in the following screenshot.

Command used: << netdiscover >>

In the above screenshot, it can be seen that we have identified the IP address of all the devices connected to our router. Still, we have hidden the MAC address of my personal connected devices due to security reasons. Our target machine IP address that we will be working on throughout this challenge is 192.168.1.28 (the target machine IP address). We will be using 192.168.1.26 as the attacker’s IP address.

Note: the target machine IP address may be different in your case, as the network DHCP is assigning it.

Step 2

This step will conduct a port scan using an automated tool to identify the open ports through which the target machine can be attacked. We used the Nmap tool for this purpose as it is the most widely used port scanning tool, which is also by default available in Kali Linux. The scan command and output can be seen below. 

Command used: << nmap 192.168.1.28 -p- -sV >>

We used the ‘-sV’ switch for version enumeration in the Nmap command. We also used the ‘-p-’ option for a full port scan. It tells Nmap to conduct the scan on all the 65535 ports on the target machine. By default, Nmap conducts the scan only on known 1024 ports. So, it is especially important to conduct a full port scan during the pentest or solve the CTF for maximum results. 

The Nmap output shows two ports on the target machine that have been identified as Open. Port 22, which is being used for the SSH service and port 80, which is being used for HTTP service, are open. 

Step 3

Let us start by exploring the open port and services on the target machine. We will start the enumeration by the HTTP port. After opening the IP address in the browser, we found an application running on it, which can be seen in the screenshot given below. 

The target application can be seen in the above screenshot. The default page had a login form. However, the login page mentioned that the login form is for logging into ‘qdPM 9.1’. We tried a few commonly known credentials, but none of them worked. We also tried SQL injection to identify login credentials, but it was not vulnerable to SQL injection. We searched over the internet for some information about exploiting this software and found some interesting results, which can be seen below. 

The qdPM version was vulnerable for remote code execution, and several exploits were available. We checked the exploit procedure by visiting the URLs and found that we need to be authenticated to execute the exploit on the target application. As of now, we do not know any login credentials. 

In the next step, we will enumerate the application for more vulnerability. 

Step 4

We started with a web application brute force scan to enumerate hidden directories and files. We used the Dirb tool for this purpose. The scan command and results can be seen below. 

Command used: << dirb http://192.168.1.28/ >>

In the above screenshot, we can see that the scan provided a few directories in the output. We also identified that directory listing is enabled on the target machine, which allows us to check the directory contents on the browser. So, let us check each directory one by one to find some interesting hints. 

As seen in the above screenshot, we found an image file named ‘doubletrouble.jpg’ in the secret directory. We opened the image file into the browser, but nothing interesting could be identified there. So, we decided to download the file on our attacker machine for further analysis. 

Command used: << wget http://192.168.1.28/secret/doubletrouble.jpg >>

We used the wget utility to download the file on our attacker machine by giving the target machine URL. Now, we can further analyze the image file using Kali Linux utilities. There are multiple tools used to analyze the contents and code of image files. We decided to use the ‘steghide’ tool, which is used to extract hidden information from the image files. The tool command and results can be seen below. 

Command used: << steghide --extract -sf doubletrouble.jpg >>

We used the above command to extract information from the file. The scan returned an error as it required us to enter a passphrase which we did not have. 

Step 5

The downloaded file was password-protected, so we decided to use the StegCracker utility to extract the hidden passphrase from the file. The tool does not come pre-installed in Kali Linux. So we need to install it first, which can be seen below. 

Command used: << stegcracker --help >>

In the newer versions of Kali Linux, you can download the tool by writing the tool name in the terminal. Kali Linux will automatically scan and suggest a download if available in the repositories. Use the apt-get command to install the tool on your attacker machine for other versions. Let us use the tool to extract the passphrase, the scan command, and results in the following screenshot. 

Command used: 

<< stegcracker doubletrouble.jpg /usr/share/wordlists/rockyou.txt >>

We used the default wordlist ‘rockyou.txt’ in the scan command, available in Kali Linux. The scan brute forces the file to identify the passphrase using the provided word list. After some time, we found the passphrase in cleartext. The identified passphrase is given below for reference:

Password: 92camaro

Again, let us use the StegHide tool to extract the file contents by providing the identified passphrase. 

Command used: << steghide --extract -sf doubletrouble.jpg >>

Password: 92camaro

The tool successfully extracted information from the image file as the passphrase was correct. It saved the extracted information into the ‘creds.txt’ file. We opened the file using the cat command and found the details below. 

Extracted Details: 

• otisrush@localhost.com
• otis666

Till now, we have identified valid credentials in the target machine. We already know that the target application is vulnerable to remote code execution, for which we need to be authenticated. 

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

So, in the next part of the CTF, we will be using these credentials to set up the exploit as the exploit can only be run with valid credentials. Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.

 

Sources

Doubletrouble, VulnHub

Doubletrouble, VulnHub

Doubletrouble, VulnHub