Good evening! In this post, I’ll be exploiting another virtual machine that I downloaded from vulnhub.com. This one is called Toppo! This VM immediately caught my attention because of the name. For those unaware, Toppo is a character from Dragon Ball! No, he is not a Saiyan, but he proved to be quite the formidable foe in the Tournament of Power. But hey, who knows, maybe this VM was named Toppo for another reason. I, however, like to think that it was named after the future God of Destruction of Universe 11. Anyway, enough Dragon Ball talk, and let’s get to it!
Once the VM is booted up, we are given the IP address of the system.
Alright, let’s scan it with Nmap to see what services we have running.
We can see that port 80 is open, so let’s open up a web browser and type in the IP address 10.10.1.12.
There is a website up and running, so let’s see if we can brute force some directories with dirb.
Right away, we can see there is a directory called /admin/. I don’t know about you, but seeing that will make me want to browse there immediately.
We’re greeted with a message! As you can see, there is some pretty critical information presented here: a possible password! Let’s see if we can use it somewhere. How about SSH? Let’s try.
So on my first few attempts, I didn’t have much luck. I tried accounts such as root, admin, Toppo, Jiren, Belmod, as well as a few other Dragon Ball characters, but to no avail. As it turns out, the account was staring me in the face the whole time. It was located in the password itself: Ted!
That’s more like it. We’re not quite root yet, so let’s look for ways to escalate. We’re going to start our Apache server, and grab the linuxprivchecker.py program that we’re hosting.
Once we grab linuxprivchecker, we have to adjust the permissions with chmod in order to run it.
There will be lots of information returned to us, but here’s something that stuck out to me:
So it looks like we’ll need to somehow find a way to abuse /usr/bin/awk as Ted in order to become root. But how?
This is where I hit a huge wall. I had to turn to Google and start researching awk and how I could maybe use it to escalate privileges. I found a website called https://www.rebootuser.com, where I found this interesting command: awk 'BEGIN {system("/bin/bash")}'.
Now running this command spawns a bash shell, which isn’t what we want. Again, I was stuck! I turned to my incredibly intelligent brother-in-law to see if I could pick his brain on the matter. He mentioned something that stuck out to me: what if the system() could call something else? Hmm. I tried a few other commands here, but nothing was working, especially since sudo was appearing as an unrecognized command. I was starting to get frustrated, so I started doing more research. I felt like I was on the right path.
Then it happened! By trial and error, I was able to find the right command. What was it? A simple “whoami” command!
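A defender's check for the kind of finding described above, as an added example that is not part of the original post: it lists set-uid or set-gid copies of interpreters that can run commands, as awk does through system(). It assumes the flagged condition on /usr/bin/awk was a set-uid bit, which the post does not show, and the interpreter name list is an illustrative assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit for set-uid/set-gid
# interpreters that can execute arbitrary commands, e.g. awk via system().

# Assumption: illustrative base names only, not an exhaustive catalogue.
RISKY_NAMES="awk gawk mawk nawk python perl ruby bash dash sh"

audit_setid_interpreters() {
    # Arguments: directories to scan. Defaults to the usual binary directories.
    [ "$#" -gt 0 ] || set -- /bin /sbin /usr/bin /usr/sbin /usr/local/bin
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Regular files carrying the set-uid (4000) or set-gid (2000) bit.
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r path; do
            name=${path##*/}
            for risky in $RISKY_NAMES; do
                case "$name" in
                    # Exact name, or a versioned variant such as python2.7.
                    "$risky"|"$risky"[0-9]*)
                        printf '%s\n' "$path"
                        break   # report each file once
                        ;;
                esac
            done
        done
    done
    return 0
}

# Scan the directories given on the command line, or the defaults.
audit_setid_interpreters "$@"
```

Any path this prints should have the bit removed (chmod u-s,g-s) unless there is a documented reason for it.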
Much like in the Tournament of Power, Toppo was eventually taken down by a Saiyan with a never-give-up attitude. This was a ton of fun, despite the frustration. But you know what? I learned a lot doing this VM! And in the end, that’s what this whole adventure is about!
Thanks for reading!