# Topology

{% embed url="<https://app.hackthebox.com/machines/546>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

## Recon

Scanning the target with Nmap reveals just two open ports: SSH on port 22 (OpenSSH 8.2p1) and a web server on port 80 (Apache httpd 2.4.41).

<figure><img src="/files/yKnt3v09qDHzoD0R7etH" alt=""><figcaption></figcaption></figure>

Since only a web server is present, the first thing to do is to enumerate possible subdomains using FFuF and possible directories via Gobuster. We are able to spot two subdomains: `dev` and `stats`. The subdomain dev looks promising. While Gobuster is running in the background, we move on to enumerate the web page manually.

<figure><img src="/files/dYofNVutJZ9yT5qjhpGH" alt=""><figcaption></figcaption></figure>

Visiting `http://dev.topology.htb`, however, prompts us for credentials, so we move on to `http://topology.htb`.

<figure><img src="/files/HdiRWwhkDUWYoQqDetn0" alt=""><figcaption></figcaption></figure>

Here we are welcomed to Topology, a site representing a research team and their work. There aren't any links directing to other sources, except for their software project, the `LaTeX Equation Generator`.

<figure><img src="/files/8sb4arsenDk1SwxjC9ej" alt=""><figcaption></figcaption></figure>

After clicking on it, we see another subdomain we were not able to enumerate with our wordlist. We update our `/etc/hosts` and refresh the page.

<figure><img src="/files/dHga48LE3l25DOTZ393z" alt=""><figcaption></figcaption></figure>

Here we are able to provide LaTeX code, specifically code meant for a math environment, to generate good-looking equations rendered as a picture. Reading the text, we get two interesting hints: firstly, only LaTeX code in inline math mode syntax is supported, and secondly, only one-liners can be evaluated.

<figure><img src="/files/r528mMOXWj1Cw9Zl5Uph" alt=""><figcaption></figcaption></figure>

## Command Injection Into LFI

Let's try the equation generator with a simple command `\cdot`.

<div align="center"><figure><img src="/files/4w6DtfhnX2Vx2pVUNICL" alt=""><figcaption></figcaption></figure></div>

It works...

<figure><img src="/files/9zCbQLWiXgq0DER1ab1n" alt=""><figcaption></figcaption></figure>

Let's look up how math mode works in the following source:

{% embed url="<https://de.overleaf.com/learn/latex/Mathematical_expressions>" %}

Since only inline math mode is supported, our input is placed in one of the following environments:

* `\(...\)`
* `$...$`
* `\begin{math}...\end{math}`

So it should be possible to escape those and use other LaTeX commands. To test whether the breakout is successful, we place the command `\cdot`, which is only evaluated in math mode, between `$` signs ourselves.

Internally the input would then look like `$ $ 2\cdot 2 $ $`: our first `$` closes the server's inline math mode, so `2\cdot 2` ends up outside of it.

<figure><img src="/files/oe61lbnlMPyWqYD6tlLx" alt=""><figcaption></figcaption></figure>

Since we receive an error, the breakout works.

<figure><img src="/files/Q4qLyniLRFxxe3Zebgnv" alt=""><figcaption></figcaption></figure>

On further testing, we see our command can be injected. We are now able to execute commands outside of math mode.

<figure><img src="/files/2vMiWbn7VIbGyVZ8Kowk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IrIxObMGXPwtBdnGKOLn" alt=""><figcaption></figcaption></figure>

<div data-full-width="false"><figure><img src="/files/Vvn6ftMXcYIRxnpKsU73" alt=""><figcaption></figcaption></figure></div>

<figure><img src="/files/kcTOpMoc4AziKLelSfW4" alt=""><figcaption></figcaption></figure>
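From the defender's side, the root cause of the breakout above is that user input is concatenated into `$...$` unchecked. As an added example (not code from the writeup or from the equation generator), here is a server-side validator for such input: it rejects the math-mode delimiters, the `%` comment character and TeX's `^^` character notation, and only admits control sequences from an allowlist. The allowlist is an assumption for illustration and would be extended for a real deployment.

```python
import re

# Allowlist of control sequences an equation-rendering service legitimately needs.
# This set is an assumption for the example; extend it for a real deployment.
ALLOWED_COMMANDS = {
    "cdot", "frac", "sqrt", "sum", "prod", "int", "infty", "times", "pm", "leq", "geq",
    "neq", "left", "right", "mathbb", "mathrm", "sin", "cos", "tan", "log", "ln",
    "partial", "nabla", "alpha", "beta", "gamma", "theta", "lambda", "pi", "sigma", "omega",
}

# A control sequence is a backslash followed by letters (\frac) or by one other character (\,).
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.)")

# Sequences that change how TeX reads the rest of the line: '$' opens or closes math mode,
# '%' comments out everything after it (including the server's closing delimiter), and
# '^^' is TeX's character-code notation (^^5c is a backslash), which could smuggle in
# control sequences that the regex above never sees. Newlines violate the one-liner rule.
FORBIDDEN = ("$", "%", "^^", "\n", "\r")


def validate_inline_math(user_input):
    """Decide whether user_input may be placed unchanged inside '$ ... $'.

    Returns (True, "ok") or (False, reason). Assumes the server wraps the input in
    inline math delimiters, as the writeup infers for the equation generator.
    """
    for token in FORBIDDEN:
        if token in user_input:
            return False, f"forbidden sequence {token!r}"
    for match in CONTROL_SEQ.finditer(user_input):
        name = match.group(1)
        if name.isalpha() and name not in ALLOWED_COMMANDS:
            # \input, \lstinputlisting, \begin, \end, \catcode ... all land here.
            return False, f"\\{name} is not an allowed math command"
        if name in ("(", ")", "[", "]"):
            return False, f"\\{name} switches math mode"
    # Unbalanced braces make TeX keep reading past the closing '$'. Strip control
    # sequences first so that the control symbols \{ and \} are not counted.
    depth = 0
    for ch in CONTROL_SEQ.sub("", user_input):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if depth < 0:
            return False, "closing brace without opening brace"
    if depth != 0:
        return False, "unbalanced braces"
    return True, "ok"
```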

Next, we consult common payload resources for LaTeX injection. After trying several payloads, we are only able to read files, using `\lstinputlisting{/path/to/desired/file}`:

{% embed url="<https://book.hacktricks.xyz/pentesting-web/formula-csv-doc-latex-ghostscript-injection#latex-injection>" %}

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection>" %}

The first successful attempt is reading the `/etc/passwd` file via

`$ \lstinputlisting{/etc/passwd} $`

Here we are able to spot the user `vdaisley`.

<figure><img src="/files/94jK9UjZ6eKx38Usg2kY" alt=""><figcaption></figcaption></figure>

Furthermore, we are able to retrieve the contents of `equation.php` at `/var/www/latex/equation.php`, but no credentials can be found in this folder.

`$ \lstinputlisting{/var/www/latex/equation.php} $`

<figure><img src="/files/ldL9DkWKRGwTmIO6nWg8" alt=""><figcaption></figcaption></figure>

Recalling the subdomain `dev`, we are able to spot a `.htaccess` and a `.htpasswd` file via

`$ \lstinputlisting{/var/www/dev/.htaccess} $`

<figure><img src="/files/cFPiJM4OROYppc4RX94f" alt=""><figcaption></figcaption></figure>

From there we retrieve the credentials for the user `vdaisley`, but the password is hashed.

`$ \lstinputlisting{/var/www/dev/.htpasswd} $`

<figure><img src="/files/wk6YYMIZ5GYstjvIJxsz" alt=""><figcaption></figcaption></figure>

`vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTYO`

The following link can be used to save the tedious copying of text from the image:

{% embed url="<https://www.imagetotext.info/>" %}

By consulting the hashcat docs we are able to determine the correct hash mode.

<figure><img src="/files/Hk2fbuP8RHyfAIHCzOIp" alt=""><figcaption></figcaption></figure>

Using hashcat with the wordlist `rockyou.txt`, the clear-text credentials of `vdaisley` can be recovered:

`vdaisley:calculus20`

<figure><img src="/files/KbC5cnmbDxKPHLucIKPU" alt=""><figcaption></figcaption></figure>

The first idea was to visit `dev.topology.htb`, but there was nothing of interest.

<figure><img src="/files/NMqcUInaWfkmOdgKf3wX" alt=""><figcaption></figcaption></figure>

## Foothold

Recalling the Nmap scan, we know SSH is running on the machine, and the user `vdaisley` is also a local user on the system. Testing for credential reuse, we are able to log in via SSH.

<figure><img src="/files/lyp19ppeaXhP5uAqf8X5" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

For privilege escalation, different enumeration scripts like `linpeas.sh` were used, but it is `pspy64` that lets us spot two interesting cron jobs run by root: a script in `/opt/gnuplot` and gnuplot itself.

<figure><img src="/files/EF9RBYSUwoa6oGJ3XScD" alt=""><figcaption></figcaption></figure>

Since we can't read what the script is doing, the gnuplot execution is more interesting; it seems to be part of `getdata.sh`. In short, it looks for any `.plt` file in `/opt/gnuplot` and runs it with gnuplot.

<figure><img src="/files/iveBMf2ZQvAYkgbyhalQ" alt=""><figcaption></figcaption></figure>

We are not able to do anything with `getdata.sh`.

<figure><img src="/files/dMbOEAhyeMAU99LNyM8v" alt=""><figcaption></figcaption></figure>

But we are able to write to the folder `/opt/gnuplot`!

<figure><img src="/files/kbmtwUh3gwiJg2bYGic6" alt=""><figcaption></figcaption></figure>
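The weakness here is a directory that a root cron job reads and executes files from being writable by a low-privileged user. As an added example, not part of the writeup, here is a small audit helper for that pattern: the core check works on raw stat fields (so it can be exercised with constructed values), `audit_path` wraps it with `os.stat`, and `audit_root_jobs` reports on a list of directories that root jobs consume. The `/opt/gnuplot` entry in the usage block is the writeup's path; everything else is assumed for illustration.

```python
import os
import stat


def audit_cron_input_dir(mode, uid, gid, root_gids=(0,)):
    """Findings for a directory from which a root cron job picks up files to execute.

    Takes raw st_mode/st_uid/st_gid values. The expected safe state is root:root with
    no write bit for group or others; anything else lets a non-root user decide what
    root runs next time the job fires.
    """
    findings = []
    if uid != 0:
        findings.append(f"owned by uid {uid}, not root: the owner controls what root runs")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can drop a file for root to run")
    elif mode & stat.S_IWGRP and gid not in root_gids:
        findings.append(f"group-writable by gid {gid}: members of that group can drop files")
    return findings


def audit_path(path):
    """os.stat() wrapper for a real directory, e.g. the folder a cron job scans."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    return audit_cron_input_dir(st.st_mode, st.st_uid, st.st_gid)


def audit_root_jobs(jobs):
    """jobs: iterable of (description, directory) pairs consumed by root cron jobs.

    Returns {directory: [findings]} containing only directories with a finding;
    a missing directory is reported too, since the job would still run against it.
    """
    report = {}
    for description, path in jobs:
        try:
            findings = audit_path(path)
        except FileNotFoundError:
            findings = ["directory does not exist"]
        if findings:
            report[path] = [f"{description}: {f}" for f in findings]
    return report


if __name__ == "__main__":
    # Constructed job list; /opt/gnuplot is the directory from the writeup.
    for path, issues in audit_root_jobs([("gnuplot cron job", "/opt/gnuplot")]).items():
        print(path, *issues, sep="\n  ")
```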

After placing a reverse shell in `/opt/gnuplot/loadshell.plt` and setting up a listener via `nc -lvp 4445` on our attacker machine...

<figure><img src="/files/pPthcDdZmvsjqqgtg7q9" alt=""><figcaption></figcaption></figure>

... our created `.plt` file gets executed.

<figure><img src="/files/cLtbeUpN0v42th35h6B9" alt=""><figcaption></figcaption></figure>

We have a reverse shell as the user root and are able to read the root flag.

<figure><img src="/files/J3HNdNKsStLCkdi5BcUa" alt=""><figcaption></figcaption></figure>

