Toppo is a beginner box that can be found on VulnHub here.

So adding the box to our VMWare library and spinning it up, we are greeted with this screen:

We’re given the ip address, so let’s run a quick nmap scan on it.
nmap -sV -sC -p 1-10000 -o toppo.log

  • -sV for service version of software running on ports
  • -sC to run default scripts against the port that won’t crash the machine
  • -p 1-10000 to scan the first 10000 ports
  • -o to output the results of the scan to a file
  • the ip address to scan against

Since port 80 is open, it usually indicates a website is hosted there so let’s navigate to it in our browser.

Looks like a standard blog, let’s run a quick gobuster scan to see if there are any other directories.

Bingo! There’s an admin panel, let’s have a look at what’s there.

What’s in notes.txt?

A password!
Checking the nmap scan again, we know that ssh is running, the password 12345ted123 has a name in it, so let’s try to ssh in using ted as a username and 12345ted123 as the password.

Success! Now that we’re ted let’s see if we can enumerate some information about any services that can get us to a rot user.
Darsh showed me that HighOnCoffee (super cool domain name) has a cool linux script that can automate the enumeration for us, so lets wget it.

And now we can change the permissions and run it.

Scrolling through the big long list of text, we see something interesting. Ted can run awk (a programming language) with no password.

Searching for code that we can use to spawn a shell using awk, I stumbled upon a post from Fire Shell Security Team which has code for spawning a shell with awk among other shell code.

Running that in our terminal, we get a root shell!

Now all we need to do is find the flag, right there!


This box was quite easy, I did hit a dead end once I got user, so thanks to Darsh again for showing me HighOnCoffee’s and his awesome enumeration script which showed me the vulnerable service when I couldn’t even run sudo -l.