Toppo: 1 - VulnHub VM WriteUp

Michael Ikua
3 min readAug 14, 2018

--

Description:

The Machine isn’t hard to own and don’t require advanced exploitation .

Level : Beginner

As you can see after installing the VM we get the IP address immediately therefore no need to scan for IP with netdiscover. Next step is to load the IP on the browser and it’s a simple blog website.

I clicked around the website looking for clues but there was nothing meaningful hidden, even in the source code of the pages. Next step is to run nmap and see what services are running on open ports.

Other than tcp on port 80 which was expected there is ssh. So maybe I can login through ssh. But since I have no credentials let me gather more information using nikto.

Now to checkout the directories found.

The website exposes the admin directory which has a notes.txt .

The contents have a password: 12345ted123. Maybe I can use this on ssh. First try was admin as username but that didn’t work so I tried ted as written in the password.

It worked! I am logged in.

Now the rabbit hole begins! I looked in directories for clues and got nothing. I guess now I have to find a way to escalate privileges and get root.

Going through several exploits from exploitdb against this machine but none of them worked.

So to check for other potential ways to do privesc I ran LinEnum.sh which does checks for local privilege escalation.

This part of the output says that user: ted has sudo powers to run awk without a password.

Using this awk syntax: awk ‘BEGIN {system(“command”)}’

I try to access the root folder since I can run awk as root.

The command reveals the flag.txt file in the root directory and I cat out the contents therefore I have successfully owned this lab!

Victory!!!

I tried changing the root password but was not able to. At least I finished the challenge though. I have never used awk before so it was interesting to try it on this challenge. It was an awesome simple VM took me a few hours to crack it, plus lots of googling!

You can follow me and see how I try to solve this kind of challenges. Leave a comment or a suggestion.

--

--

Responses (1)