Vulnhub Toppo Walkthrough


Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.

I started off by running a typical nmap scan (nmap -sV -sC -v -oN map1). It has SSH and Port 80 open. Let’s check out the web page.


Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.


Running gobuster provides us with an interesting admin directory. Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u



In the admin directory are some notes.


The notes give us the user name and password for something. Let’s try it out on SSH.


SSH worked!


Checking some basics like the bash history and sudo permissions doesn’t yield anything. So I used wget to bring over and ran it.

python -m SimpleHTTPServer 80



When running the script something interesting happened. It said I was already root.


What’s happening here is that python runs as root. This means that if we spawn a shell with python, we can be root too.

python -c ‘import pty; pty.spawn(“/bin/bash”)’


Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn’t we get a root shell? Somethings not right. Let’s try it again with sh.


Ok that worked. Now we’re root. It looks like bash will always run under the context of the ted user, but sh works normally. Now we can get the flag.


That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.

If you’d like to see a video walkthrough with the python reverse shell, you can find it here.

Hope you found this helpful.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s