Hack The Toppo:1 VM (CTF Challenge)

Hello friends!! Today we are going to solve latest CTF challenge presented by vulnhub for penetration practice and design by Mr. Hadi Mene. This lab is proposal for beginners and mode of difficulty level is easy. You can download it from this Link: https://www.vulnhub.com/entry/toppo-1,245/

Penetration Methodologies

  • Network scaning
  • Directory brute-force attack
  • Abusing HTTP web directories
  • Compromise confidential
  • Spawn tty shell (ssh login)
  • SUID privilege escalation
  • Get root access and capture the flag

Let’s Begin!!

You will get target VM machine IP at the time of boot-up so let’s start with nmap port enumeration and execute following command in our terminal.

Since port 80 was opened; so I explored target IP in the web browser and welcomed by following web page as shown below.

Unfortunately, I didn’t compute any remarkable hint from its web home page, therefore, I decided to launch directory brute-force attack through ‘dirb’ and run following command.

The minute you will execute above command you will found so many web directories. Here /admin looks more interesting, lets figure out it.

So when I explored the following URL, it put-up a notes.txt file which might be holding something important.

http://192.168.1.104/admin

So I looked into notes.txt and notice towards “12345ted123” which is a password.

Since port 22 was open so I can try ssh login and as we already have the password 12345ted123 but don’t know the username therefore, I decided to use hit-try method and use following credential for ssh login.

Wonderful!! We got login successfully, now move for post exploitation and try to get root access. Then by using the following command you can enumerate all binaries having SUID permission.

And it dumped all system binaries which have SUID permissions but /usr/bin.mawk and /usr/bin/python2.7 are at my target point for escalating root privilege through them. So I had exploit this VM twice to root access.

Run following command and get the root access directly.

This was 1st technique for escalating root privilege through awk one-liner.

Similarly you can perform same task by using python one-liner and can spawn root shell.

B000MM!!! We have captured the flag and challenges is completed.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

3 Comments Hack The Toppo:1 VM (CTF Challenge)

  1. Alden

    Hi, I’m new in CTF, and was wondering if you could please share a little more detail on the command

    python2.7 -c ‘import pty;pty.spawn(“/bin/sh”)’

    that you used here?
    Thanks

    Reply
    1. Mark

      @Alden
      python2.7 -c mean that’s we are going to run a python command directly from terminal without writing a file.
      then the ‘import pty;pty.spawn(“/bin/sh”)’ is composed from two statements
      “import pty” is to import the pty python module and pty.spawn(“/bin/sh”) is for spawning a process in this case it’s /bin/sh so it’s gonna spawn a root shell cuz as you know /bin/python2.7 have SUID permissions .

      more info about python 2 and “pty” module:
      https://docs.python.org/2/library/pty.html

      Reply
    2. Mark

      python2.7 -c mean that’s we are going to run a python command directly from terminal without writing a file.
      then the ‘import pty;pty.spawn(“/bin/sh”)’ is for spawning a process in this case it’s /bin/sh so it’s gonna spawn a root shell cuz as you know /bin/python2.7 have SUID permissions

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *