Toppo-1: Vulnhub Walkthrough

Hello Guys! This is Russell Murad working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).
In this writeup, we’ll solve a vulnerable box called “Toppo:1”.
It’s another beginner level box.
You can download it from here.
I’ve configured both the Vulnhub machine and my Kali machine on a VirtualBox bridged network connection.
1. First, we’ll use arp-scan to find our victim machine’s IP address.
arp-scan -l

2. After that, we need to find open ports and enumerate the services behind them. We’ll use Nmap for that.
nmap -sC -sV -A -O -p- -T4 --script http-enum 192.168.0.104

3. Nmap shows an HTTP service running, so we’ll do some directory brute-forcing now. For that, let’s use gobuster.
gobuster dir -u http://192.168.0.104/ -x php,txt,bak,old,zip,gz,conf,cnf,js -w /home/kali/Desktop/Big.txt -t 40

4. If we follow the admin directory, we’ll find a text file named “note.txt”.

5. Let’s open it. It contains an old password which the admin is thinking about changing.
Note to myself :I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

6. I think we can use this password to log in over SSH.
Trying to log in as root won’t work. But if we look carefully, there’s a name, “ted”, inside the password, which we can try as the username.
And it’ll work.

7. Time to escalate privileges. Let’s search for binaries with the SUID bit set.
find / -perm -u=s -type f 2>/dev/null

8. Here we can see that “/usr/bin/python2.7” has the SUID bit set, which we’ll use shortly.
For now, let’s open the /etc/passwd file. There you can see that user ted has 1000 as both UID and GID.
We know that only root has UID and GID 0.
Think about it: if we can set the UID and GID to 0 for user ted, we can gain root privileges.

9. Let’s copy the passwd file from /etc/passwd into the /tmp directory.

10. Now open the copy in nano and modify it as described above, setting ted’s UID and GID fields to 0.

11. If you try to manually copy the modified file back over /etc/passwd, you’ll get “Permission denied”. Remember the SUID bit on python? Let’s use that to copy the modified passwd file into place.

12. Now log out of SSH and log in again.
We’ll see that we have now gained root!!!
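From the defender’s side, the two conditions this box relies on (an interpreter with the SUID bit and a second UID 0 entry in /etc/passwd) are easy to audit. The following is an added example, not part of the original writeup; the passwd content and SUID file list are constructed samples that mirror the box, and the interpreter watch-list is my own assumption.

```python
import re

# Interpreter basenames that should never carry the SUID bit: a SUID copy of
# any of these can read and write arbitrary files as root (assumed watch-list)
SUID_INTERPRETERS = {"python", "perl", "ruby", "php", "bash", "sh", "node", "lua"}


def rogue_root_accounts(passwd_text):
    """Return usernames in passwd_text that have UID 0 or GID 0 but are not root."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than crash on a tampered file
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            rogue.append(name)
    return rogue


def suid_interpreters(suid_paths):
    """From a list of SUID file paths (e.g. find / -perm -u=s -type f output),
    return those whose basename is a known script interpreter."""
    hits = []
    for path in suid_paths:
        base = path.rsplit("/", 1)[-1]
        # strip a trailing version suffix such as python2.7 or perl5.30
        stem = re.sub(r"[\d.]+$", "", base)
        if stem in SUID_INTERPRETERS:
            hits.append(path)
    return hits


# Constructed samples: ted's entry already changed to UID/GID 0, python2.7 SUID
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ted:x:0:0:ted,,,:/home/ted:/bin/bash
"""
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/python2.7", "/bin/mount"]

if __name__ == "__main__":
    print("non-root accounts with UID/GID 0:", rogue_root_accounts(SAMPLE_PASSWD))
    print("SUID interpreters:", suid_interpreters(SAMPLE_SUID))
```

On a real host, feed rogue_root_accounts the contents of /etc/passwd and suid_interpreters the output of the find command from step 7; either function returning a non-empty list is worth an alert.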

So, guys, that’s it for today.
Thank you for reading this write-up. Cheers!