
Hack The Machine-Toppo by #Turbaned Security
Today’s machine is a beginner-level box available on Vulnhub, designed by Hadi Mene. Not much exploitation or escalation is required to get to root.
Machine Details
- Author: Hadi Mene
- Link to Machine: https://www.vulnhub.com/entry/toppo-1,245/
- Level : Beginner
- DHCP : activated
Techniques and Tools used
- Network scanning (Tool: Nmap)
- Directory brute-force attack (Tool: Dirbuster)
- Crawling through the web directories to get clear text password.
- SSH login
- SUID privilege escalation
- Get root access and finally capture the flag
LET’S ROLL UP OUR GEAR AND ATTACK

As usual, we start with Nmap for the initial scan, to learn which ports are open and which services are running on this machine.
Command: nmap -Pn -A <ip address>

From the Nmap output we can clearly see that ports 22, 80 and 111 are open, so we go ahead and check port 80 in the browser.

As usual, we check the page source and robots.txt for any possible hint.


Unfortunately, there seems to be no hint or remark that could help me further in owning this machine.
Hence I decided to run our familiar directory brute-force attack with Dirbuster.
Command: dirb http://192.168.220.129

The directory brute-force against the Toppo machine returned a lot of directories, and one of them got my attention: admin.

There I could see a link to notes.txt. Let’s go ahead and click on it.

And there we go, we have a password in front of us. Port 22 is open, so I can try an SSH login. We already have the password 12345ted123 but don’t know the username, so I decided to use ted (hinted at by the password) and log in over SSH with that credential.

Privilege escalation
Moving ahead, here we play with SUID permissions to get to root.
Command: find / -perm -u=s -type f 2>/dev/null

This lists all the binaries that have the SUID bit set. My targets here are /usr/bin/mawk and /usr/bin/python2.7, for which we can use the following commands to get to root.
- mawk 'BEGIN {system("/bin/sh")}'
- python2.7 -c 'import pty;pty.spawn("/bin/sh")'
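
Seen from the defender's side, the weakness used here is a SUID bit on a scripting interpreter. The audit script below is an added example, not part of the original write-up; the function names `is_interpreter` and `audit_suid` and the list of interpreter names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag SUID files that are scripting interpreters or shells.
# The name patterns are an assumed starting list, not an exhaustive one.

# is_interpreter NAME: succeeds if the basename looks like an interpreter or shell.
is_interpreter() {
    case "$1" in
        awk|mawk|gawk|nawk|python*|perl*|ruby*|lua*|php*|node|sh|bash|dash|zsh)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# audit_suid ROOT: print one line per SUID file under ROOT.
#   INTERPRETER <path>  SUID bit on an interpreter; remove with: chmod u-s <path>
#   OTHER <path>        SUID bit on something else; compare with the distro baseline
audit_suid() {
    # -perm -4000 is the octal form of the walkthrough's -perm -u=s;
    # -xdev keeps the search on one filesystem.
    find "$1" -xdev -perm -4000 -type f 2>/dev/null | sort |
    while IFS= read -r path; do
        if is_interpreter "$(basename "$path")"; then
            printf 'INTERPRETER %s\n' "$path"
        else
            printf 'OTHER %s\n' "$path"
        fi
    done
}

# Run against a directory when one is given, e.g.: sh audit_suid.sh /usr/bin
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

On this machine both /usr/bin/mawk and /usr/bin/python2.7 would be reported as INTERPRETER lines, and clearing the bit with chmod u-s on each closes the escalation path shown above.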

Hurray! Finally we own this system. Here is the flag.
#Happy Hacking from Turbaned Security.
- cd /root
- ls
- cat flag.txt

