In this post, I would like to share a walkthrough of the Topology Machine from Hack the Box
This room will be considered an Easy machine on Hack the Box
What will you gain from the Topology machine?
For the user flag, you will need to abuse a website that runs based on LaTeX inline math commands. The vulnerability on the website is reading arbitrary files that leak a credential like username and password hash. We should be able to crack the password hash and access the machine via SSH service.
As for the root flag, you should be able to notice a cronjob that can be executed with any .plt script located inside /opt/gnuplot from the pspy64 process. We should be able to retrieve a root shell by adding malicious script inside the /opt/gnuplot which will be executed from the cronjob activity
For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv
Information Gathering on Topology Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
─[darknite@parrot]─[~/Document/htb/Topology] └──╼ $nmap -sV -sC 10.10.11.217 -oA initial Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 21:24 EDT Nmap scan report for 10.10.11.217 Host is up (0.16s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA) | 256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA) |_ 256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Miskatonic University | Topology Group |_http-server-header: Apache/2.4.41 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.77 seconds ┌─[darknite@parrot]─[~/Document/htb/Topology] └──╼ $
Let’s access the website interface
We managed to notice a link saying “LaTeX Equation Generator” which we can click the link to access another page.
It has redirected us to a page like the above.
We should enumerate further with gobuster but didn’t find anything useful there.
However, we managed to sight two subdomains that we can abuse in the next stage
We managed to retrieve the /etc/passwd content from the command we executed earlier.
At last, we managed to see the hashes for the user “vdaisley”
Boom! We managed to obtain the password by running the John the Ripper
Finally, we have access to the machine via SSH service
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
As usual, we can try to find the SUID binary with the command “sudo -l” but sadly we didn’t find anything useful
By running the pspy64 script, we managed to find a directory that we could abuse for root access
We should create a new file inside the directory
At least, we can be writable on the directory
Therefore, we are required to execute the command above so that we can escalate to Root
We managed to reassign the bash as SUID binary
We can read the root flag by running the “cat root.txt” command