VulnHub (Toppo)

Back to Basics

If you didn’t know already, I am a nerd.

As always we start with a nmap scan.

nmap -sC -sV -p- -vv 192.168.111.169 -oA nmapTCP

Based on the scan we identify four open ports: 22, 80, 111, and 46862.

After searching through port 111 and 46862 and finding nothing useful, I switched over to port 80.

Simply browsing we find the blog template.

The template was not immediately familiar. Next I switched to nikto.

We find an interesting admin directory…

Nice, and an even more interesting notes.txt file.

So it seems we have a password: “12345ted123”. Next I attempted to ssh as the users root, toppo, user, and even goku. Finally, after looking at the password again, I tried “ted” and success!

Viewed /etc/passwd but no other non-standard users.

Looking for the Privesc path

Next I looked at sudoers. The “sudo” command was not present so I looked at the “/etc/sudoers” file directly.

So Ted can run awk as root. After looking at my reference sheet from previous CTFs, I found the command to abuse this to run commands as root.

awk 'BEGIN {system("command")}'
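Seen from the defender's side, the sudoers rule above is the finding to catch in an audit. The following is an added example, not part of the original write-up: a small check that flags sudoers rules granting binaries that can execute arbitrary commands. The names `RISKY`, `sample_sudoers` and `audit_sudoers` are assumptions, and the sample file is constructed because the VM's actual sudoers content is not reproduced on the page.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag sudoers rules that grant
# binaries able to run arbitrary commands. RISKY is a short illustrative list.
RISKY="awk gawk mawk nawk find vi vim less more man perl python python3 ruby env bash sh"

# Constructed sample; the real file from the VM is not reproduced on the page.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
deploy ALL=(root) /sbin/reboot, /usr/bin/find
EOF
}

# audit_sudoers FILE ("-" for stdin): prints "user<TAB>command" per finding.
# Simplified parser: no line continuations, no alias expansion.
audit_sudoers() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                        # comments, #include, blanks
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings, alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        user = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)    # drop the (runas) part
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            while (sub(/^[ \t]*[A-Z_]+:[ \t]*/, "", c)) { }  # drop NOPASSWD: etc.
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, /[ \t]+/)                  # w[1] = path, rest = args
            k = split(w[1], p, "/")
            if (w[1] == "ALL" || (p[k] in bad)) printf "%s\t%s\n", user, w[1]
        }
    }' "$1"
}

sample_sudoers | audit_sudoers -
```

The `root ALL` line is expected on most systems; any other user paired with an interpreter or `ALL` is effectively a root grant and should be removed or narrowed.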

Quick check to confirm I am root and it works. Now to get a root shell.

With root access we can view the flag.

Quick VM that goes back to basics.