In this article, we are going to tackle a vulnerable machine with an easy difficulty level that we have downloaded from VulnHub.
Toppo: 1
Toppo: 1 is a vulnerable virtual machine available on Vulnhub, designed for penetration testing and cybersecurity learning purposes. It provides a hands-on opportunity to practice various penetration testing techniques and enhance your skills in identifying and exploiting vulnerabilities in a controlled environment. By exploring Toppo: 1, you can gain practical experience in security assessment and learn how to secure systems against common attacks.
Once you have downloaded it, you need to set up the server.
Setting Up
It is pretty easy: you can set up the server within VirtualBox. Follow the steps below to set up the server.
1. Extract the zip file which has been downloaded from VulnHub.
2. As this file is in ".vmdk" format, we need to create a new virtual machine.
- Name: Toppo
- Type: Linux
- Version: Other Linux (64-bit)
3. Click next and allocate RAM size for your Virtual Machine and click on Next.
4. Now, select “Use an existing Virtual Hard disk file” and import the VMDK file that we have previously extracted.
5. Once you are done with these, click on settings and change the network adapter to the host-only adapter.
Make sure your Kali Linux machine, from where you perform the attack, and your vulnerable machine are in the same network.
Once you are done with the setup, let’s start the virtual machines.
As you can notice, our Vulnerable Machine is ready, and we have got a login screen that prompts us to input the username and password.
Enumeration
Let's discover the IP address of the running server by using NetDiscover.
From the scanning, we have discovered our target IP address which is 192.168.162.4.
Now, let's perform a network scan to detect what ports are open.
Conducting Network Scans with Nmap
Scanning the network is an essential part of the enumeration process. It gives us the opportunity to better understand the attack surface and design targeted attacks.
As in most cases, we are going to use the famous Nmap tool.
- -sC: Used to perform a script scan using the default set of scripts,
- -sV: Enables version detection, which will detect what versions are running on what port.
From the Network scanning, we have spotted three open ports.
- Port 22/TCP runs an SSH service, which means that if you have a valid credential, it will be easy to gain login access to the server.
- Port 80/TCP runs an HTTP service, which indicates that there is some vulnerable website being hosted.
- The last one is Port 111/TCP, running an RPC bind service, which does not seem to be useful in terms of gaining access to the server.
Web Application Enumeration and Directory Discovery with Gobuster
So let’s take a look at the web content running on Port 80. To look at the contents ourselves, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window.
The running website might be created using Bootstrap. After analyzing it, there is nothing to enumerate on the webpage itself. There might be hidden or hardly accessible directories and pages, and these can be found through directory busting.
Using gobuster as our tool of choice, we can use the following switches to get the fastest, most accurate results.
- dir: Used to specify the mode of enumeration,
- -u: Used to specify the target URL, and
- -w: Used to specify the path of the wordlist.
As a result of Directory busting, we obtained an admin page. Let’s dig into this directory and find out if there is any sensitive information that might help us in foothold. Let’s have a look.
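On the server side, a wordlist-driven scan like this one shows up as a single client producing a long run of 404 responses with a few real hits in between. The script below is an added example, not part of the original walkthrough: it flags such clients in a web access log. It assumes the Apache/nginx "combined" log format; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients whose requests are mostly 404s and list the
# paths they did find. Thresholds and sample data are assumptions.

# detect_dir_scan MIN_404 MIN_PERCENT   (reads a combined-format log on stdin)
# Prints: <ip> requests=<n> not_found=<n> found=<comma-separated paths>
detect_dir_scan() {
    awk -v min404="$1" -v pct="$2" '
    {
        ip = $1; path = $7; status = $9
        total[ip]++
        if (status == 404)
            miss[ip]++
        else if (status ~ /^(200|301|302|401|403)$/)
            found[ip] = found[ip] (found[ip] == "" ? "" : ",") path
    }
    END {
        for (ip in total)
            if (miss[ip] >= min404 && miss[ip] * 100 >= pct * total[ip])
                printf "%s requests=%d not_found=%d found=%s\n",
                       ip, total[ip], miss[ip], found[ip]
    }'
}

# Constructed sample log: one scanning client and one ordinary visitor.
sample_log() {
    for w in backup login test old config private tmp uploads manager panel; do
        printf '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /%s HTTP/1.1" 404 280 "-" "scanner"\n' "$w"
    done
    printf '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 301 312 "-" "scanner"\n'
    printf '192.0.2.20 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 6437 "-" "browser"\n'
    printf '192.0.2.20 - - [01/Jan/2024:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 404 280 "-" "browser"\n'
}

# With a log file argument, analyse it; otherwise run on the sample data.
if [ "$#" -gt 0 ]; then
    detect_dir_scan 10 80 < "$1"
else
    sample_log | detect_dir_scan 10 80
fi
```

The `found=` field is the part to review first: it lists what the scan actually located, such as an admin directory that holds a file with credentials.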
Foothold
From the Admin Page, we obtain a Text file that contains a Password.
Let’s try to attempt login to gain access to the server with the help of the SSH client tool.
Establishing SSH Connection
To gain an SSH connection, we need a username and password. From the note, we have obtained a password. If you have looked at it carefully, then you have noticed that a username is also mentioned within the password.
Let’s have a look. Open a terminal and run the following command:
As you can see, we logged in successfully. Now we move to post-exploitation and try to get root access.
Privilege Escalation
The next step is escalating to the root user in order to gain the highest privileges on the system. Let’s run “uname -a” to display the system information, which shows a Debian version that does not seem to be vulnerable.
Now, run the following command to enumerate all binaries that have SUID permissions.
SUID, or Set Owner User ID, is a special file permission for executable files that lets other users run the file with the effective permissions of the file owner.
As you can see, this command dumped all system binaries that have SUID permissions (marked in green).
SUID Binary Privilege Escalation
In order to gain root access, I have two methods.
Method 1: Using MAWK
MAWK is an interpreter for the AWK Programming Language. The AWK language is useful for manipulating data files, text retrieval and processing, and prototyping and experimenting with algorithms.
Run the following command with mawk to get the root shell. You can find the root flag in the root directory to complete the challenge.
Method 2: Using “Python 2.7”
You just need to run these interactive shell commands to obtain the root shell.
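Both methods work only because an interpreter carries the SUID bit, so the same finding can be audited for and removed. The script below is an added example, not part of the original walkthrough: it lists setuid files under a directory and flags those that are interpreters. The function names and the interpreter name list are assumptions, and the list is not exhaustive.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid files and flag interpreters.
# An interpreter with the SUID bit runs user-supplied code as the file owner.

# is_interpreter NAME -> exit status 0 if NAME matches the assumed list
is_interpreter() {
    case "$1" in
        awk|mawk|gawk|nawk) return 0 ;;
        python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*) return 0 ;;
        php|php[0-9]*|lua|lua[0-9]*|node|nodejs|tclsh*) return 0 ;;
        sh|bash|dash|zsh|ksh) return 0 ;;
    esac
    return 1
}

# audit_suid DIR -> one line per setuid regular file under DIR:
#   "FLAG <path> owner=<user>"  interpreter, should not be setuid
#   "ok <path> owner=<user>"    other setuid file, review against a baseline
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        owner=$(ls -ld "$path" | awk '{print $3}')
        if is_interpreter "$(basename "$path")"; then tag=FLAG; else tag=ok; fi
        printf '%s %s owner=%s\n' "$tag" "$path" "$owner"
    done
}

# Audit the directory given as the first argument (default: /usr/bin).
audit_suid "${1:-/usr/bin}"
```

Clearing the bit with `chmod u-s` on a flagged file removes the escalation path while leaving the interpreter usable.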
In this way, you can hack these types of vulnerable machines to gain access. We have now successfully captured the root flag, and the challenge is completed.