VulnHub - Toppo


Information

Name: Toppo
Author: Hadi Mene
Series: Toppo
Difficulty: Easy

Let’s Start

We start by checking our IP address with:

ifconfig


Our IP is:

192.168.1.39

Now open Zenmap (the nmap GUI version) and run a “Quick Scan” against “192.168.1.*” (the * stands for every number). The target IP is:

192.168.1.40

We have an HTTP port and an SSH port open. First, let’s check the web server in Firefox.

But there is nothing in those pages or in their page source.

Let’s check what we have on the web server with Nikto:

nikto -h 192.168.1.40


We can see some folders, so we need to check them. Start with the admin folder. We can see a txt file there, so open it.

There is a password there:

12345ted123

Let’s keep searching in the other folders. In the mail folder, open the PHP file. Then check the img folder. All the images look normal, so what do we have? We know that the password is

12345ted123

and that there is an open SSH port. So let’s try to connect over SSH, but we need a username… Maybe it’s ted, from the password.

ssh ted@192.168.1.40
yes
12345ted123

Now we are in. Go up out of the folder:

cd ..

Let’s search for files that are owned by root and have the setuid bit set:

find / -type f -user root -perm /u+s -ls 2> /dev/null

Let's break it down:
  • find - command for searching for something
  • / - search the whole file system
  • -type f - search for regular files
  • -user root - the owner of the file (here it is root)
  • -perm /u+s - files with the setuid bit set, which run with the permissions of their owner
  • -ls - list the files in ls format
  • 2> /dev/null - hide “permission denied” messages

We can see that python is one of the files that has the u+s permission. Since python's owner is root, whatever we run through python has root permission. We can use this to get root privilege: python can import pty, a module that can start processes, and one of them can be a shell.

python -c 'import pty; pty.spawn("/bin/sh");'

Let's break it down:
  • python - we want to use python.
  • -c - flag that tells python to run the code given in the command itself.
  • import pty - import that module.
  • pty.spawn("/bin/sh") - create a process running a TTY shell.
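
From the defender's side, the same find search works as a hardening check: list setuid files and flag any that are interpreters or shells, as python is on this machine. This is an added example, not part of the original walkthrough; the function names and the list of interpreter names are assumptions.

```sh
#!/bin/sh
# Added example: audit a tree for setuid interpreters and shells.
# Function names and the name patterns below are assumptions.

# is_interpreter PATH
# True when the file name looks like a program that can run arbitrary
# code or start a shell. The list is illustrative, not exhaustive.
is_interpreter() {
    case "$(basename "$1")" in
        python*|perl*|ruby*|php*|lua*|node|bash|dash|sh|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid_interpreters [DIR] [OWNER]
# Same predicates as the walkthrough's find command: regular files owned
# by OWNER (default root) with the setuid bit set. -perm -4000 is the
# portable octal spelling of the setuid test.
# Prints each flagged path; returns 1 if any were found, 0 if clean.
audit_suid_interpreters() {
    audit_dir=${1:-/}
    audit_owner=${2:-root}
    audit_hits=$(find "$audit_dir" -type f -user "$audit_owner" -perm -4000 2>/dev/null |
        while IFS= read -r audit_path; do
            if is_interpreter "$audit_path"; then
                printf '%s\n' "$audit_path"
            fi
        done)
    if [ -z "$audit_hits" ]; then
        return 0
    fi
    printf '%s\n' "$audit_hits"
    return 1
}

# Typical use, as root on the host being checked:
#   audit_suid_interpreters / root || echo "setuid interpreter found"
# Fix for a flagged file, after confirming nothing depends on the bit:
#   chmod u-s /path/to/flagged/file
```

Setuid programs such as passwd are not flagged because they do not match the name list; only files whose name marks them as an interpreter or shell are reported.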

Now that we have root privilege, we can go to the root folder:

cd root

And look at the files in it:

ls

We can see a file named flag.txt. Read it:

cat flag.txt

And we are done.

The flag is:

0wnedlab{p4ssi0n_c0me_with_pract1ce}