
Toppo: 1 capture-the-flag walkthrough

August 8, 2018, by LetsPen Test

In this article, we will solve the "Toppo: 1" Capture-the-Flag (CTF) challenge, which was posted on VulnHub by Hadi Mene. According to the author's description, this CTF is not very hard and does not require advanced exploitation. You can use this link to download the VM and launch it in VirtualBox. A torrent download URL is also available for this VM; the link is in the Sources section at the end of this article.

For those who are new to CTF challenges and are not familiar with this platform, VulnHub is a well-known website for security researchers that provides a way to learn and practice hacking skills through a series of challenges in a safe and legal environment.


Please Note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I will be using Kali Linux as the attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

Toppo: 1 walkthrough

After downloading and running this machine in VirtualBox, we start by running netdiscover to obtain the IP address of the target machine. The command and its output can be seen in the screenshot given below:

Command Used: netdiscover

As shown in the highlighted area of the above screenshot, we have obtained the virtual machine's IP address, 192.168.1.7 (the target machine IP address).

We will be using 192.168.1.11 as the attacker IP address.

Please Note: the target and the attacker IP addresses may be different depending on your network configuration.

Now that we have the target machine's IP, the first step is to find out which ports and services are available on it. An Nmap full port scan is used for this purpose. This is illustrated in the screenshot given below:

Command Used: nmap 192.168.1.7 -v -Pn

After the scan completes, we find four open ports on the target machine. I decided to start with the HTTP port. Opening it in the browser shows a very nice website, which can be seen in the following screenshot.

Unfortunately, I couldn't get any hints from its homepage. I also explored the other web pages for any interesting information but didn't find anything. So I decided to run the Dirb utility, which is available by default in Kali Linux. The screenshot of the tool's output can be seen below.

Command Used: dirb http://192.168.1.7/

As can be seen in the above screenshot, we get a few directories as output. The directories that caught my attention are listed below.

  • Admin/
  • Mail/
  • Vendor/

I started further exploration with the admin directory, which had directory listing enabled, as can be seen in the screenshot given below.

As you can see, this directory contains a text file called notes.txt. Let's open this file. It contains an interesting note about the application, which can be seen in the screenshot below.

The note says that the current password is "12345ted123" and that it needs to be changed. So at this point I thought there might be a login page in this application where we could log in with this password. I explored the other directories looking for a login page but didn't find one.

Since the SSH port was identified as open in the Nmap scan, I thought the default user could be root, with the password we already got from the note. I tried to log in via SSH with user "root" and that password, but the credentials were not valid, as can be seen in the following screenshot.

After that I decided to guess the username by trial and error (the password "12345ted123" itself contains the string "ted", which suggested a username) and used the following credentials to log in via SSH.

Username: ted

Password: 12345ted123

These credentials allowed us to log into the target machine. The successful SSH login can be seen in the following screenshot.
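From the defender's side, the root-then-ted sequence above leaves a recognisable trace in the SSH daemon's log: a run of "Failed password" lines from one address followed by an "Accepted password" line from the same address. The script below is an added example, not part of the original walkthrough, that counts failed password attempts per source address and flags the guess-then-login pattern. It assumes OpenSSH's standard "Failed password for ... from <ip>" and "Accepted password for ... from <ip>" log format; the log lines are constructed for the example (the attacker address 192.168.1.11 is the one used in this article), not taken from the target machine.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): spot password guessing
# against sshd from its log lines. Assumes OpenSSH's log wording.

# Constructed sample sshd log lines for this example.
SAMPLE_LOG='Aug  8 10:01:02 toppo sshd[1201]: Failed password for root from 192.168.1.11 port 50122 ssh2
Aug  8 10:01:05 toppo sshd[1201]: Failed password for root from 192.168.1.11 port 50122 ssh2
Aug  8 10:01:09 toppo sshd[1203]: Failed password for invalid user admin from 192.168.1.11 port 50124 ssh2
Aug  8 10:01:40 toppo sshd[1210]: Accepted password for ted from 192.168.1.11 port 50130 ssh2
Aug  8 10:02:00 toppo sshd[1215]: Accepted publickey for ops from 192.168.1.20 port 50200 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "<count> <ip>" for
# every source address that produced "Failed password" lines.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        # the source address is the field after the literal word "from"
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++
    } END { for (ip in n) print n[ip], ip }'
}

# flag_guess_then_login THRESHOLD: read sshd log lines on stdin and print each
# address that accumulated at least THRESHOLD failed password attempts and then
# got an "Accepted password" login (the pattern a successful guess leaves behind).
flag_guess_then_login() {
    awk -v thr="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        fails[ip]++
    }
    /sshd\[[0-9]+\]: Accepted password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (fails[ip] >= thr) print ip
    }'
}

# Stand-alone run over the constructed sample; on a real host pipe in
# /var/log/auth.log (or journalctl -u ssh) instead.
echo "failed password attempts per source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "sources that logged in after 3 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | flag_guess_then_login 3
```

Key-based logins are deliberately ignored by the second function: the pattern of interest is a password that was eventually accepted after guessing, which is also the case this machine's leaked notes.txt password makes possible.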

After that I used the id command to check whether ted is the root user. It shows that ted is not root on the target machine, so we need to escalate privileges to get root.

I started exploring the target machine. The first thing to check is the OS version and the kernel version, because many privilege-escalation exploits for specific versions are available on the Internet. The target machine's OS and kernel version can be seen in the following screenshot.

Command Used: uname -a, cat /etc/issue

As you can see, we have the version details of the target machine's OS, but there was no exploit available for this version.

After spending some time exploring the target machine as the limited-access user, I found a few binaries with the SUID bit set.

Command Used: find / -perm -u=s -type f 2>/dev/null

One of the interesting binaries was Python, which can also be seen in the highlighted area of the above screenshot. Because the SUID bit makes the interpreter run with its owner's (root's) privileges, any code it is asked to run does too, so we can use it to escalate to root on the target machine.
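The find command above is also the starting point for the hardening check an administrator would run on a box like this. The script below is an added example, not the walkthrough's own code, that lists setuid files under a given root, flags those whose name matches an interpreter or shell (a setuid interpreter is equivalent to handing out a root shell, which is exactly what the walkthrough exploits), and removes the bit as the remediation. The list of risky names is constructed for the example and the demo builds its own throwaway tree so it never touches the real system; `-perm -4000` is the portable spelling of the article's `-perm -u=s`.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit setuid binaries
# and flag interpreters or shells that must never carry the setuid bit.

# Constructed list of basenames that are dangerous when setuid; extend it
# for your environment (anything that executes arbitrary code belongs here).
RISKY_NAMES="python python2 python2.7 python3 perl ruby sh bash dash vim find awk"

# list_suid ROOT: print every setuid regular file under ROOT, one per line.
# -perm -4000 is equivalent to the -perm -u=s used in the walkthrough.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# is_risky PATH: succeed (exit 0) if PATH's basename is in RISKY_NAMES.
is_risky() {
    name=$(basename "$1")
    for r in $RISKY_NAMES; do
        [ "$name" = "$r" ] && return 0
    done
    return 1
}

# audit_suid ROOT: print "RISKY <path>" or "OK <path>" for each setuid file.
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        if is_risky "$f"; then
            echo "RISKY $f"
        else
            echo "OK $f"
        fi
    done
}

# count_risky ROOT: number of RISKY entries (usable as a pass/fail gate).
count_risky() {
    audit_suid "$1" | grep -c '^RISKY ' || true
}

# fix_suid PATH: the remediation, drop the setuid bit from an interpreter.
fix_suid() {
    chmod u-s "$1"
}

# Stand-alone demo on a constructed directory tree (no real binaries touched).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/python2.7"; chmod 4755 "$tmp/usr/bin/python2.7"  # setuid interpreter: bad
    : > "$tmp/usr/bin/passwd";    chmod 4755 "$tmp/usr/bin/passwd"     # setuid by design
    : > "$tmp/usr/bin/ls";        chmod 0755 "$tmp/usr/bin/ls"         # no setuid bit
    audit_suid "$tmp"
    if [ "$(count_risky "$tmp")" -gt 0 ]; then
        echo "remediation: run fix_suid on each RISKY path, then re-run the audit"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host, run `audit_suid /` as root and compare the OK entries against the list your distribution ships (dpkg or rpm can tell you whether a setuid file belongs to a package); anything RISKY, or setuid but unowned by any package, is a finding.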

Command Used: /usr/bin/python2.7 -c 'import pty;pty.spawn("/bin/sh")'

As you can see, we have successfully escalated privileges and obtained root access. So let's find the flag, which should be in the root folder. It can be seen in the following screenshot.

As you can see in the above screenshot, we've got the flag! There was only one file in the root folder, and that was the flag file.

This completes this CTF. I hope you liked this article and enjoyed learning this machine. If you have any questions, I would love to answer them, so please leave them in the comments.


Sources
