Harshaun Singh
Sep 3, 2018 · 3 min read
Toppo Machine - Writeup

Hack The Machine-Toppo by #Turbaned Security

So today's machine is a beginner-level one available on Vulnhub, designed by Hadi Mene. Not much escalation is required to get to root, and not much exploitation either.

Machine Details- -

Techniques and tools used:

  • Network scanning (tool: Nmap)
  • Directory brute-force attack (tool: Dirbuster)
  • Crawling through the web directories to get a clear-text password
  • SSH login
  • SUID privilege escalation
  • Get root access and finally capture the flag

LET’S ROLL UP OUR GEAR AND ATTACK-

As usual, we take out our best tool, Nmap, to perform the initial scan and learn the open ports and services running on this machine.

Command: nmap -Pn -A <ip-address>. Here is the Nmap output.

NMAP Output Toppo Machine

So from the above screenshot we can clearly see that the open ports are 22, 80 and 111. So we go ahead and check port 80 in the browser.

GUI Port 80 ,Machine Toppo

As usual, we go ahead and check the page source and robots.txt for any possible hint.

view-source,port 80,machine toppo
robots.txt ,Machine toppo

Unfortunately, there seemed to be no hint or remark that could help me further in my journey of owning this machine.

Hence I decided to use our famous directory brute-force attack using Dirbuster, with the command: dirb http://192.168.220.129

Dirb output,machine toppo

As soon as we entered the command to brute-force the directories of the Toppo machine, we got a lot of directories, among which one got my attention: admin.

http://192.168.220.129/admin

There I could see a link to notes.txt. Let's just go ahead and click on it.

http://192.168.220.129/admin/notes.txt

And there we go, we have a password in front of us. Since port 22 was open, I can try an SSH login. We already have the password 12345ted123 but don't know the username, so I decided to use ted (from the password hint) and use the credentials for the SSH login.

ssh to machine toppo

Privilege escalation

Moving ahead, here we play with SUID permissions to get to root. Command:

find / -perm -u=s -type f 2>/dev/null

So it has dumped all the binaries that have the SUID permission set. Here my targets are /usr/bin/mawk and /usr/bin/python2.7, for which we can use the following commands to get to root.

  • mawk 'BEGIN {system("/bin/sh")}'
  • python2.7 -c 'import pty;pty.spawn("/bin/sh")'

Hurray! Finally we owned this system. Here is the flag.

#Happy Hacking from Turbaned Security.

  • cd /root
  • ls
  • cat flag.txt
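
From the defender's side, the root cause of the escalation above is a set-uid bit on interpreters (mawk and python2.7). The following script is an added example, not part of the original writeup: it runs the same find test and flags set-uid files whose name matches an interpreter. The function names, the interpreter list beyond mawk and python, and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag set-uid interpreters under a directory tree.
# mawk and python come from the writeup; the other names are this example's
# assumption of interpreters that should never carry the set-uid bit.
RISKY_NAMES='awk mawk gawk nawk python perl ruby lua php'

# is_risky NAME: succeed if NAME is a listed interpreter or a versioned
# form of one (python2.7, perl5.30, ...).
is_risky() {
    for r in $RISKY_NAMES; do
        case "$1" in
            "$r"|"$r"[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# audit_suid ROOT: print one line per set-uid interpreter found under ROOT,
# using the same find test as the writeup (-perm -u=s).
audit_suid() {
    find "${1:-/}" -type f -perm -u=s 2>/dev/null |
    while IFS= read -r f; do
        if is_risky "$(basename "$f")"; then
            printf 'SUID-INTERPRETER %s (fix: chmod u-s %s)\n' "$f" "$f"
        fi
    done
}

# make_sample_tree: build a constructed tree of empty files for a dry run
# and print its path. passwd is set-uid but not an interpreter; perl is an
# interpreter without the set-uid bit; neither should be reported.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin"
    for n in mawk python2.7 passwd perl; do : > "$t/usr/bin/$n"; done
    chmod 4755 "$t/usr/bin/mawk" "$t/usr/bin/python2.7" "$t/usr/bin/passwd"
    chmod 0755 "$t/usr/bin/perl"
    printf '%s\n' "$t"
}
```

Source the file and run `audit_suid /` as root so that directories unreadable to ordinary users are covered; no output means no listed interpreter carries the set-uid bit.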
