
TOPPO

Scanning

Nmap

➜  ~ nmap -T4 -p- -A toppo.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 08:54 EDT
Nmap scan report for toppo.vuln (172.16.129.142)
Host is up (0.0015s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          41898/tcp   status
|   100024  1          46451/udp   status
|   100024  1          56365/tcp6  status
|_  100024  1          60840/udp6  status
41898/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds

Enumeration

Port 80 is open, so let's take a look.

blog landing page ...

Whatweb

➜  ~ whatweb toppo.vuln
http://toppo.vuln [200 OK] Apache[2.4.10], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.142], JQuery, Script, Title[Clean Blog - Start Bootstrap Theme]

Check directory

➜  ~ gobuster dir -u http://toppo.vuln -w ~/SecLists/Discovery/Web-Content/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://toppo.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/14 09:11:26 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 294]
/.hta                 (Status: 403) [Size: 289]
/.htaccess            (Status: 403) [Size: 294]
/LICENSE              (Status: 200) [Size: 1093]
/admin                (Status: 301) [Size: 308] [--> http://toppo.vuln/admin/]
/css                  (Status: 301) [Size: 306] [--> http://toppo.vuln/css/]  
/img                  (Status: 301) [Size: 306] [--> http://toppo.vuln/img/]  
/index.html           (Status: 200) [Size: 6437]                              
/js                   (Status: 301) [Size: 305] [--> http://toppo.vuln/js/]   
/mail                 (Status: 301) [Size: 307] [--> http://toppo.vuln/mail/] 
/manual               (Status: 301) [Size: 309] [--> http://toppo.vuln/manual/]
/server-status        (Status: 403) [Size: 298]                                
/vendor               (Status: 301) [Size: 309] [--> http://toppo.vuln/vendor/]

===============================================================
2021/08/14 09:11:27 Finished
===============================================================

/admin/ directory

note.txt

The note contains the password 12345ted123. From the password we can guess that the username is ted.

Credentials : ted:12345ted123

ssh target ...

WE IN ...

Privilege Escalation

SUID rights Exploit

we can run python

spawn shell
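
The defender's side of this finding, as an added example that is not part of the original writeup: a Python audit that walks a directory tree and flags setuid/setgid files, rating interpreters such as python highest. The interpreter name list and the severity labels are assumptions of this example.

```python
import os
import re
import stat

# Interpreters and shells that should never carry the setuid bit: any local
# user who can run them inherits the file owner's effective UID.
# The name list is an assumption of this example; extend it for your hosts.
INTERPRETER_RE = re.compile(
    r"^(python|perl|ruby|php|lua|node|bash|dash|sh|zsh|ksh)[\d.]*$"
)


def classify(path, mode, owner_uid):
    """Return a finding dict for a setuid/setgid regular file, else None."""
    if not stat.S_ISREG(mode):
        return None
    bits = [n for n, b in (("suid", stat.S_ISUID), ("sgid", stat.S_ISGID)) if mode & b]
    if not bits:
        return None
    is_interp = bool(INTERPRETER_RE.match(os.path.basename(path)))
    # A root-owned setuid interpreter is a direct path to uid 0.
    critical = is_interp and "suid" in bits and owner_uid == 0
    return {
        "path": path,
        "bits": bits,
        "owner_uid": owner_uid,
        "severity": "critical" if critical else ("high" if is_interp else "review"),
    }


def audit(root="/"):
    """Walk one directory tree and return findings, worst first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            hit = classify(full, st.st_mode, st.st_uid)
            if hit:
                findings.append(hit)
    order = {"critical": 0, "high": 1, "review": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["path"]))


if __name__ == "__main__":
    for f in audit("/usr"):
        print(f'{f["severity"]:8} {",".join(f["bits"]):9} uid={f["owner_uid"]:<5} {f["path"]}')
```

Anything rated critical or high should have the bit removed with `chmod u-s` (or `g-s`); entries rated review are compared against the distribution's expected setuid list.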


Last updated 3 years ago