Hack The Box: Topology Machine Walkthrough – Easy Difficulty

Written by darknite -
on November 4, 2023

In this post, I would like to share a walkthrough of the Topology Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

Testing

What will you gain from the Topology machine?

For the user flag, you will need to abuse a website that runs based on LaTeX inline math commands. The vulnerability on the website is reading arbitrary files that leak a credential like username and password hash. We should be able to crack the password hash and access the machine via SSH service.

As for the root flag, you should be able to notice a cronjob that can be executed with any .plt script located inside /opt/gnuplot from the pspy64 process. We should be able to retrieve a root shell by adding malicious script inside the /opt/gnuplot which will be executed from the cronjob activity


For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vv

Information Gathering on Topology Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

─[darknite@parrot]─[~/Document/htb/Topology]
└──╼ $nmap -sV -sC 10.10.11.217 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-12 21:24 EDT
Nmap scan report for 10.10.11.217
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
|_  256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.77 seconds
┌─[darknite@parrot]─[~/Document/htb/Topology]
└──╼ $

Let’s access the website interface

We managed to notice a link saying “LaTeX Equation Generator” which we can click the link to access another page.

It has redirected us to a page like the above.

We should enumerate further with gobuster but didn’t find anything useful there.

However, we managed to sight two subdomains that we can abuse in the next stage

A screenshot of a computer program Description automatically generated with medium confidence

We managed to retrieve the /etc/passwd content from the command we executed earlier.

At last, we managed to see the hashes for the user “vdaisley”

Boom! We managed to obtain the password by running the John the Ripper

Finally, we have access to the machine via SSH service

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

As usual, we can try to find the SUID binary with the command “sudo -l” but sadly we didn’t find anything useful

By running the pspy64 script, we managed to find a directory that we could abuse for root access

We should create a new file inside the directory

At least, we can be writable on the directory

Therefore, we are required to execute the command above so that we can escalate to Root

We managed to reassign the bash as SUID binary

We can read the root flag by running the “cat root.txt” command

Categories:

Easy Machine

Tags:

BurpSuiteChallengesgobusterHackTheBoxjohn the ripperLinuxPenetration Testingpspy64ssh

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *