I completed my Certified Ethical Hacker exam today, so to celebrate, here is a full Boot to Root guide of the Toppo Box on Vulnhub. This was a really fun challenge!
First, power up the machine and make sure it can get an IP via DHCP. Next, we scan it with nmap to see what ports are open. From the scan, it looks like 22, 80, and 111 are available. Since 80 is open, our first logical step is to visit it in a web browser.
It takes us to a blog, with a Start Bootstrap link, and all filler text. None of the links really do anything. It does give us some information about the file system, so let's break out dirb to see what files we can look at.
Dirb is a really cool tool that enumerates folders/links/files on a web server. In Kali, it comes with a few wordlists. I assumed that the creator of the box wouldn’t make anything crazy, and I was right. Immediately, we see a /admin/ directory.
Let's visit that in a web browser! We got a notes text file that reveals a password that is in use. I immediately tried to log in as root via SSH, but nothing in life is that easy.
Root didn’t work, but the password string includes the name Ted. Let's see if that works.
Since we’re in a Linux shell, we need to look at Linux privilege escalation. I came across a script that scans and finds potential privesc vulnerabilities, so I fired that off.
Immediately, awk sticks out to us. Awk is a scripting language for manipulating data, so why would that be a vulnerability? Awk runs as root! A quick command injection later, and we have root access, and can see the flag.
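From the defender's side, the misconfiguration found above can be audited for directly. The following is an added example, not code from the original post or from the script used in it; it assumes awk runs as root because of a setuid bit on the binary (the post only says it runs as root), and the tool list and function names are illustrative.

```python
import os
import stat

# Assumed list (not from the original post): tools that can run arbitrary
# commands or code, so a setuid bit on them hands out the owner's privileges.
INTERPRETERS = {"awk", "mawk", "gawk", "nawk", "python", "perl", "ruby",
                "bash", "sh", "dash", "find", "vim", "env"}


def base_tool(path):
    """Strip directories and version suffixes: /usr/bin/python2.7 -> python."""
    name = os.path.basename(path)
    return name.rstrip("0123456789.-")


def is_risky(path, mode, uid, owner_uid=0):
    """True for a regular setuid file owned by owner_uid that is an interpreter."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISUID)
            and uid == owner_uid
            and base_tool(path) in INTERPRETERS)


def scan(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Walk the given directories and return sorted paths that are risky."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if is_risky(path, st.st_mode, st.st_uid):
                    findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    for hit in scan():
        print("setuid-root interpreter:", hit)
```

Any hit should have its setuid bit removed unless there is a documented reason for it; legitimate setuid programs such as passwd are not interpreters and are not flagged.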