Toppo:1 | Vulnhub Walkthrough

egghunter, published in Dot Dot Slash
Aug 16, 2018

Simple or tough, if a challenge has some takeaway lessons, I believe it's worth my time. Toppo is a simple but great Vulnhub machine made by Hadi Mene, and one of the best challenges to start with if you are new to Vulnhub machines.

Level: Beginner

On bootup, Toppo displays its own IP address, saving the trouble of using netdiscover or arp-scan.

Enumeration and First Blood

Nmap scans identified a website running on port 80. Apparently there was a blog running on it.

Nmap detailed scan
Blog on port 80

Launching nikto or dirb was more than adequate to find the first hint. Inside the admin folder, in notes.txt, was a password. There was no username, but the note suggested these were SSH credentials. It took a bit of guesswork to find the username: I tried toppo, then admin, and finally ted, which gave me my initial compromise.

dirbusting the blog
SSH credentials for ted user stored in a file
ssh access

G0tmi1k's privilege escalation cheat sheet is one of the best write-ups on basic Linux privilege escalation, and it helped me dig out the root. There is a section in his material that covers sticky bits, SUID and SGID.

SUID and SGID files

SUID (Set User ID) is a permission bit that can be set on an executable, allowing anyone to run that executable with the owner's permissions. That means if a user bob sets the SUID bit on his executable, another user alice can run it with bob's privileges. Similarly, the SGID (Set Group ID) bit allows the executable to run with the privileges of its group. At first glance, this might sound risky.

But SUID and SGID files are very important to the way Linux operates, and many legitimate Linux programs require these permissions. The problem arises when the SUID or SGID bit is set on well-known binaries such as those listed below: any of them can be abused for privilege escalation. You can find more details on pentestlab.blog.

  • Nmap
  • Vim
  • find
  • Bash
  • More
  • Less
  • Nano
  • cp

Path to root

We can use the command below to find SUID and SGID files. The two permission tests are grouped in parentheses so that both of them feed the -exec; without the grouping, find applies the -exec only to the SUID branch and silently drops the SGID matches.

find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
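The same hunt can be turned into a small audit script that a defender can run after a build or as a scheduled check. The script below is an added example and not part of the original post: it lists every SUID or SGID regular file under a root directory, compares each file name against the watchlist from this post (plus python2.7 and mawk, the two binaries that stand out on Toppo), and prints RISK for a watched name and INFO for everything else. The function names list_setid, flag_setid and count_risky and the WATCHLIST variable are assumptions of this example.

```shell
#!/bin/sh
# audit_setid.sh - added example (not from the original post).
# Enumerate SUID/SGID binaries and flag the ones known to be abusable.

# Binaries whose SUID/SGID bit is a privilege-escalation risk.
# Taken from the list in the post, plus the two found on Toppo.
WATCHLIST="nmap vim find bash more less nano cp python2.7 mawk"

# list_setid ROOT DEPTH
# Print every regular file under ROOT (to DEPTH levels) that carries the
# SUID (4000) or SGID (2000) bit. Symlinks are skipped, as in the post's
# find command; -maxdepth comes first so GNU find does not warn about it.
list_setid() {
  root=${1:-/}
  depth=${2:-3}
  find "$root" -maxdepth "$depth" \( -perm -4000 -o -perm -2000 \) \
       ! -type l -type f 2>/dev/null
}

# flag_setid ROOT DEPTH
# Print "RISK <path>" when the file name is on the watchlist and
# "INFO <path>" otherwise, one line per set-id file.
flag_setid() {
  list_setid "$1" "$2" | while IFS= read -r path; do
    name=${path##*/}
    case " $WATCHLIST " in
      *" $name "*) printf 'RISK %s\n' "$path" ;;
      *)           printf 'INFO %s\n' "$path" ;;
    esac
  done
}

# count_risky ROOT DEPTH
# Number of watched set-id binaries; handy as a pass/fail for a CI or
# compliance job (0 means nothing on the watchlist carries a set-id bit).
count_risky() {
  flag_setid "$1" "$2" | awk '/^RISK /{n++} END{print n+0}'
}

# Usage: sh audit_setid.sh [ROOT] [DEPTH]   (defaults: / and 3)
if [ $# -gt 0 ]; then
  flag_setid "$1" "${2:-3}"
  printf 'watched set-id binaries: %s\n' "$(count_risky "$1" "${2:-3}")"
fi
```

Run it as `sh audit_setid.sh / 3` on the box; on Toppo the two RISK lines are the python2.7 and mawk binaries that the rest of this post exploits, and a nonzero count from count_risky is the signal that a hardening job should strip the bit (or justify the exception).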

Two of the SUID binaries are of special interest, and both of them can be exploited to gain root privileges.

  1. /usr/bin/python2.7
  2. /usr/bin/mawk

Privilege escalation using python
Privilege escalation with mawk

If you look closely at the screenshots above, you can see that I was not able to invoke bash with SUID privileges. Bash ignores the SUID/SGID bit and drops the shell back to the current user's privileges, so we need to use some other shell, such as sh or ksh, for the exploitation.

Overall a fun machine! If you are new to security or want to get started, Toppo is the challenge for you.
