Today we’re going to work through an easy machine from Vulnhub called Toppo. If you don’t have time, but still want to get these shells, just try this machine.
Big thanks to the author for creating this challenge and to Vulnhub for hosting and curating this great set of machines!
Firstly, let’s start with our usual `nmap` scan in order to view the open ports on this machine.
What parameters am I using?
- `-v` - verbose output
- `-sS` - TCP-SYN scan
- `-A` - OS detection, version detection and traceroute
- `-T4` - aggressive scan
- `-p-` - scan all 65535 ports
From here I can see only one service that’s worth looking at at the start, which is `http` running on port `80`. While looking manually at the website, I decided to run `nikto` to scan the website.
Here we have an `/admin/` directory. Inside there was a note in
At first I thought about enumerating more in order to find the username, as we already have the password. But stupid me overthought this part way too much.
I didn’t notice that the username is already in the password. Like what was I thinking, `ted` can be the username, and it probably will be, as this is an easy machine.
Of course the password works. Now we have to escalate our privileges. Here comes the good old g0tmi1k post, and while trying different steps I’ve noticed this entry in
Now I decided to check whether `nc` is installed on the system.
And now we can use the simple `system()` function from `awk` in order to run the reverse shell with
Now we can look at the output of the previously started listener.
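
A defender-side view of the `awk` `system()` step above, as an added example that is not part of the original walkthrough: it scans Linux auditd `SYSCALL`/`EXECVE` records for an awk process that runs with effective uid 0 from a normal user's login session and whose program text calls `system()`. The sample records are constructed and trimmed, and the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

AWK_NAMES = {"awk", "mawk", "gawk", "nawk"}
UNSET_AUID = "4294967295"  # auditd value for "no login session" (daemons, cron)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\(([^)]+)\)')

def decode_arg(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or quotes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def find_privileged_awk_system(lines):
    """Return (event_id, auid, argv) for awk runs with euid 0 that call system()."""
    events = defaultdict(dict)
    for line in lines:
        m = EVENT.search(line)
        if m:  # group the SYSCALL and EXECVE records of one event by its id
            fields = dict(FIELD.findall(line))
            events[m.group(1)][fields.get("type")] = fields
    findings = []
    for event_id, recs in events.items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue
        exe = decode_arg(sc.get("exe", "")).rsplit("/", 1)[-1]
        auid = sc.get("auid")  # login uid survives sudo and setuid transitions
        privileged = sc.get("euid") == "0" and auid not in ("0", UNSET_AUID)
        argv = [decode_arg(ex.get(f"a{i}", "")) for i in range(int(ex.get("argc", 0)))]
        if exe in AWK_NAMES and privileged and any("system(" in a for a in argv[1:]):
            findings.append((event_id, auid, argv))
    return findings

# Constructed sample records, trimmed to the fields the check reads.
HEX_SYSTEM = "424547494E207B73797374656D2822696422297D"  # BEGIN {system("id")}
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:501): syscall=59 auid=1000 uid=0 euid=0 comm="awk" exe="/usr/bin/mawk"',
    f'type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="awk" a1={HEX_SYSTEM}',
    'type=SYSCALL msg=audit(1700000000.202:502): syscall=59 auid=1000 uid=1000 euid=1000 comm="awk" exe="/usr/bin/mawk"',
    f'type=EXECVE msg=audit(1700000000.202:502): argc=2 a0="awk" a1={HEX_SYSTEM}',
    'type=SYSCALL msg=audit(1700000000.303:503): syscall=59 auid=1000 uid=0 euid=0 comm="awk" exe="/usr/bin/mawk"',
    'type=EXECVE msg=audit(1700000000.303:503): argc=3 a0="awk" a1=7B7072696E742024317D a2="access.log"',
]
print(find_privileged_awk_system(SAMPLE))
```

Only event 501 is reported: 502 calls `system()` without root privileges, and 503 runs as root but only prints a field.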