Topology

Created by gedsic


Last updated 1 year ago


The following post by 0xb0b is licensed under CC BY 4.0.

Recon

Scanning the target with Nmap reveals just two open ports: SSH (OpenSSH 8.2p1) on port 22 and a web server (Apache httpd 2.4.41) on port 80.

Since only a web server is exposed, the first step is to enumerate subdomains with FFuF and directories with Gobuster. We find two subdomains, dev and stats; dev looks promising. While Gobuster keeps running in the background, we enumerate the web page manually.

Visiting http://dev.topology.htb, however, prompts for credentials, so we move on to http://topology.htb.

Here we are welcomed to Topology, a site representing a research team and their work. There aren't any links directing to other sources, except for their software project, the LaTeX Equation Generator.

Clicking on it reveals another subdomain that our wordlist did not catch. We add it to /etc/hosts and refresh the page.

Here we can submit LaTeX code, specifically math-mode code, and the service renders it as an image of a nicely typeset equation. The page text gives two useful hints: only LaTeX in inline math mode syntax is supported, and only one-liners are evaluated.

Command Injection Into LFI

Let's try the equation generator with a simple command \cdot.

It works...

Let's check how math mode works, using the Overleaf documentation on mathematical expressions:

Since only inline math mode is supported, our input must be placed in one of the following environments:

  • \(...\)

  • $...$

  • \begin{math}...\end{math}

So it should be possible to escape those delimiters and use other LaTeX commands. To test this, we place the command \cdot between $ signs; \cdot is only valid in math mode.

Internally the input then becomes $ $ 2\cdot 2 $ $: our first $ closes the inline math mode the application opened, so our content is evaluated outside of it.

The resulting error indicates that the escape works.

Further testing confirms that commands can be injected: we are now able to execute LaTeX commands outside of math mode.

Next, we consult the usual references for LaTeX injection payloads (HackTricks and PayloadsAllTheThings). After trying several payloads, the only one that works is reading files with \lstinputlisting{/path/to/desired/file}:

The first successful attempt was to read the /etc/passwd file via

$ \lstinputlisting{/etc/passwd} $.

Here we are able to spot the user vdaisley.
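The two findings above (closing the service's inline math mode with a bare `$`, then reading files with `\lstinputlisting`) both come down to the equation generator passing raw user input to the LaTeX engine. Below is an added example of the input validation such a service should perform; it is not the box's own equation.php and the allowlist contents are an assumption. It accepts only a single printable line, refuses the math-mode delimiters, and allows only an explicit set of math commands, so file-reading primitives never reach the engine. It is run here against the payloads from this writeup.

```python
import re

# Added example, not the Topology service's own code. The allowed command set is an
# assumption: extend it with the symbols your equation generator actually needs.
ALLOWED_COMMANDS = {
    "cdot", "times", "frac", "sqrt", "sum", "prod", "int", "infty", "pm",
    "alpha", "beta", "gamma", "delta", "theta", "lambda", "pi", "sigma", "omega",
    "left", "right", "sin", "cos", "tan", "log", "ln", "exp", "lim", "to",
    "leq", "geq", "neq", "approx", "partial", "nabla", "mathbf", "mathrm", "text",
}

# Exactly one line of printable ASCII: enforces "one-liners only" instead of documenting it.
SINGLE_LINE = re.compile(r"^[\x20-\x7e]{1,500}$")

# A control sequence is a backslash followed by letters, or by a single other character,
# so \( \) \[ \] and \\ are captured as the "commands" ( ) [ ] and \ and rejected below.
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|[^A-Za-z])")


def validate_inline_math(src: str):
    """Return (ok, reason). ok is True only if src is safe to wrap in $...$."""
    if not SINGLE_LINE.fullmatch(src):
        return False, "input must be a single printable line"
    # A bare $ closes the math environment the service opens around the input;
    # that is the escape used in the writeup above.
    if "$" in src:
        return False, "math-mode delimiter '$' is not allowed"
    # % comments out the rest of the template line, including the closing delimiter.
    if "%" in src:
        return False, "comment character '%' is not allowed"
    # TeX's ^^hh notation spells characters by code and could smuggle a backslash
    # past the command check below, so it is refused outright.
    if "^^" in src:
        return False, "^^ character notation is not allowed"
    if src.count("{") != src.count("}"):
        return False, "unbalanced braces"
    for name in CONTROL_SEQ.findall(src):
        if name not in ALLOWED_COMMANDS:
            return False, f"command not allowed: \\{name}"
    return True, "ok"


def check_payloads() -> dict:
    """Run the validator over the inputs that appear in this writeup (constructed list)."""
    samples = [
        r"2 \cdot 2",
        r"\frac{a}{b}",
        r"$ \cdot $",
        r"$ \lstinputlisting{/etc/passwd} $",
        r"\lstinputlisting{/var/www/dev/.htpasswd}",
        r"\( x \)",
    ]
    return {s: validate_inline_math(s) for s in samples}


if __name__ == "__main__":
    for payload, (ok, reason) in check_payloads().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {payload!r}: {reason}")
```

Validation alone is a second line of defence: the engine itself should also be invoked with `-no-shell-escape` and with kpathsea's `openin_any=p` so that, even if a command slips through, it can neither run programs nor read files outside the working directory.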

Furthermore, we are able to retrieve the contents of equation.php at /var/www/latex/equation.php, but no credentials are to be found there.

$ \lstinputlisting{/var/www/latex/equation.php} $

Recalling the subdomain dev, we spot a .htaccess and a .htpasswd file via

$ \lstinputlisting{/var/www/dev/.htaccess} $

From the .htpasswd file we retrieve the credentials for the user vdaisley, but the password is hashed.

$ \lstinputlisting{/var/www/dev/.htpasswd} $

vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTYO

An image-to-text tool (linked below) saves the tedious work of copying the text out of the rendered image.

Consulting the hashcat documentation, we determine the correct hash mode for this apr1 (Apache MD5) hash.

Running hashcat with the rockyou.txt wordlist recovers the clear-text credentials of vdaisley:

vdaisley:calculus20

The first idea was to log in to dev.topology.htb, but there was nothing of interest there.

Foothold

Recalling the Nmap scan, we know SSH is running on the machine, and /etc/passwd showed that vdaisley is a system user. Testing for credential reuse, we are able to log in via SSH.

Privilege Escalation

For privilege escalation, the usual scripts such as linpeas.sh were run. With pspy64, however, we spot two interesting cron jobs run by root: one executes a script in /opt/gnuplot, the other runs gnuplot itself.

Since we cannot read what the script does, the gnuplot execution is the more interesting of the two; it appears to be part of getdata.sh. In short, the cron job picks up every .plt file in /opt/gnuplot and executes it with gnuplot.

We cannot do anything with getdata.sh itself.

But we are able to write to the folder /opt/gnuplot!

After placing a reverse shell in /opt/gnuplot/loadshell.plt and setting up a listener via nc -lvp 4445 on our attacker machine...

... our created .plt file gets executed by the cron job.

We have a reverse shell as the user root and are able to read the root flag.
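The root cause here is a root cron job consuming files from a directory a low-privileged user can write to. The following added example (not from the writeup) is a small audit that a defender can point at the directories their root cron jobs read from; it checks ownership and write bits with `stat` rather than `os.access`, so it gives the same answer whether or not it is run as root. The two directories it inspects are constructed temporary ones standing in for /opt/gnuplot.

```python
import os
import stat
import tempfile

# Added example, not part of the Topology writeup. Paths and permissions below are constructed.


def writable_by_non_root(path: str) -> list:
    """Return the reasons a non-root principal could place files in path (empty list = fine)."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; audit its target instead"]
    if not stat.S_ISDIR(st.st_mode):
        return ["path is not a directory"]
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit does not help: cron globs every *.plt, and anyone can still
        # create their own file in a world-writable directory.
        findings.append("world-writable")
    return findings


def foreign_entries(path: str, trusted_uid: int = 0) -> list:
    """List files in path not owned by trusted_uid; root should own what root executes."""
    return sorted(
        name for name in os.listdir(path)
        if os.lstat(os.path.join(path, name)).st_uid != trusted_uid
    )


def audit_cron_dirs(paths) -> dict:
    """Map each directory to its permission findings."""
    return {p: writable_by_non_root(p) for p in paths}


def demo() -> dict:
    """Build one loose and one locked-down directory (constructed) and audit both."""
    base = tempfile.mkdtemp(prefix="cron-audit-")
    loose = os.path.join(base, "gnuplot-loose")
    tight = os.path.join(base, "gnuplot-tight")
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # explicit chmod, because the umask narrows mkdir's mode
    os.mkdir(tight)
    os.chmod(tight, 0o755)
    # A plot file dropped by the current user, as loadshell.plt was in the writeup.
    with open(os.path.join(loose, "loadshell.plt"), "w") as fh:
        fh.write("# constructed placeholder, no commands\n")
    return audit_cron_dirs([loose, tight])


if __name__ == "__main__":
    for directory, findings in demo().items():
        print(directory, findings or ["ok"])
        print("  entries not owned by root:", foreign_entries(directory))
```

In production the list handed to `audit_cron_dirs` would be built from the paths referenced in `/etc/crontab`, `/etc/cron.d` and the root crontab. The fix for the writeup's case is the same either way: make the directory root-owned and mode 0755, and have the job ignore any file not owned by root.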

References

  • Mathematical expressions (Overleaf)

  • Formula/CSV/Doc/LaTeX/GhostScript Injection (HackTricks)

  • PayloadsAllTheThings / LaTeX Injection (swisskyrepo, GitHub)

  • Image to Text (Extract Text From Image)