Toppo is a beginner box that can be found on VulnHub here.
So adding the box to our VMWare library and spinning it up, we are greeted with this screen:
We’re given the ip address, so let’s run a quick nmap scan on it.
nmap -sV -sC -p 1-10000 -o toppo.log 172.16.99.135
-sV for service version of software running on ports
-sC to run default scripts against the port that won’t crash the machine
-p 1-10000 to scan the first 10000 ports
-o to output the results of the scan to a file
172.16.99.135 the IP address to scan against
Port 80 is open, which usually indicates that a website is hosted there, so let’s navigate to it in our browser.
Looks like a standard blog, let’s run a quick gobuster scan to see if there are any other directories.
Bingo! There’s an admin panel, let’s have a look at what’s there.
Checking the nmap scan again, we know that ssh is running. The password 12345ted123 has a name in it, so let’s try to ssh in using ted as a username and 12345ted123 as the password.
Success! Now that we’re ted, let’s see if we can enumerate some information about any services that can get us to a root user.
Darsh showed me that HighOnCoffee (super cool domain name) has a cool Linux script that can automate the enumeration for us, so let’s wget it.
And now we can change the permissions and run it.
Scrolling through the big long list of text, we see something interesting. Ted can run awk (a programming language) with no password.
Running that in our terminal, we get a root shell!
Now all we need to do is find the flag, right there!
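The rule that let ted run awk through sudo with no password is something an administrator can catch by auditing sudoers. The following is an added example, not part of the original walkthrough: it flags NOPASSWD grants for programs that can start a shell. The sample rules, the SHELL_CAPABLE list and the function name are constructed for illustration, and aliases and include files are not expanded.

```python
import re
from pathlib import PurePosixPath

# Programs that can start a shell or run other commands. Illustrative, not exhaustive.
SHELL_CAPABLE = {"awk", "gawk", "mawk", "nawk", "find", "vi", "vim", "less", "more",
                 "man", "perl", "python", "python3", "ruby", "bash", "sh", "env"}

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=]+?)\s*=\s*(?P<rest>.+)$")
TAG = re.compile(r"\s*([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

# Constructed sample, not copied from the Toppo VM.
SAMPLE = """\
Defaults env_reset
root   ALL=(ALL:ALL) ALL
ted    ALL=(ALL) NOPASSWD: /usr/bin/awk
backup ALL=(root) NOPASSWD: /sbin/reboot, PASSWD: /usr/bin/find
%ops   ALL=(ALL) NOPASSWD: /sbin/reboot, /usr/bin/less /var/log/syslog
"""

def audit_sudoers(text):
    """Return (who, command, reason) for each risky NOPASSWD grant."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.split()[0].endswith("_Alias"):  # alias definitions are not expanded
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag carries over to later commands in the same rule
        rest = re.sub(r"\([^)]*\)", "", m["rest"])  # drop Runas specs such as (ALL:ALL)
        for cmd in rest.split(","):
            while (t := TAG.match(cmd)):
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            cmd = cmd.strip()
            if not nopasswd or not cmd or cmd.startswith("!"):
                continue
            if cmd == "ALL":
                findings.append((m["who"], cmd, "any command"))
            elif PurePosixPath(cmd.split()[0]).name in SHELL_CAPABLE:
                findings.append((m["who"], cmd, "shell-capable program"))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{who}: NOPASSWD {cmd} ({reason})")
```

Each finding is a candidate for removal or for replacement with a narrowly scoped wrapper that still requires a password.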
This box was quite easy, I did hit a dead end once I got user, so thanks to Darsh again for showing me HighOnCoffee’s and his awesome enumeration script which showed me the vulnerable service when I couldn’t even run