Topology from Hack the Box Walkthrough

Jul 24, 2024

Introduction

  • Walking through the Topology box from Hack the Box.
  • Starts with finding a LaTeX equation generator.
  • LaTeX: similar to Markdown but more complex, used for creating scientific documents.
  • Supports special characters, mathematical formulas, file inclusion, and code execution (restricted here by filters).
  • The goal is to bypass those filters to include files and execute code.

Initial Steps

  1. Nmap Scan:
    • Syntax: nmap -sC -sV -oA nmap/topology 10.10.111.217
    • Open ports: 22 (SSH) and 80 (HTTP)
    • HTTP title: University-related page.
  2. Web Page Analysis: University of Mathematics
    • Latex equation generator (lat.toy.htb).
    • Requires DNS resolution (add entry in /etc/hosts).

Learning LaTeX Syntax

  • Create documents with precise control over elements.
  • Ideal for scientific publications.
  • Experimented with basic commands for file inclusion and command execution.
  • Found some commands blacklisted by filters.

Filter Bypass and File Inclusion

  • Explored hacks: looked up typical LaTeX injection techniques.
  • Commands tested with ffuf: used to discover which commands the filter still allows.
    • Wordlist approach: testing many commands quickly.
    • Key command: \lstinputlisting to read files, wrapped in $ for inline insertion.
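As an added illustration (not code from the walkthrough or the box) of why a command blocklist like the one described above is bypassable, the Python check below contrasts a denylist filter with an allowlist filter over the same constructed LaTeX inputs; the command sets are assumed examples, not the box's real filter.

```python
import re

# Denylist modelled on the kind of filter the write-up describes: it blocks
# the obvious file-inclusion commands but not every command that reads files.
# (Assumed example set, not the real filter on the box.)
DENYLIST = {r"\input", r"\include", r"\write", r"\openin", r"\read"}

# Allowlist for an equation-rendering endpoint: only math/formatting commands
# are permitted; anything else is rejected. (Assumed example set.)
ALLOWLIST = {r"\frac", r"\sqrt", r"\sum", r"\int", r"\alpha", r"\beta", r"\pi",
             r"\left", r"\right", r"\cdot", r"\infty", r"\mathbb"}

# A control word is a backslash followed by letters (\frac, \lstinputlisting...).
CMD_RE = re.compile(r"\\[A-Za-z]+")

def denylist_allows(tex: str) -> bool:
    """Weak check: reject only control words that appear in DENYLIST."""
    return not any(cmd in DENYLIST for cmd in CMD_RE.findall(tex))

def allowlist_allows(tex: str) -> bool:
    """Stronger check: every control word must be explicitly permitted."""
    return all(cmd in ALLOWLIST for cmd in CMD_RE.findall(tex))

def compare(samples: list[str]) -> list[tuple[str, bool, bool]]:
    """Return (input, denylist verdict, allowlist verdict) for each sample."""
    return [(s, denylist_allows(s), allowlist_allows(s)) for s in samples]

if __name__ == "__main__":
    # Constructed samples: a harmless formula, a blocked include, and the
    # listings-package include that a denylist of \input does not cover.
    constructed = [
        r"$\frac{1}{2} + \sqrt{\pi}$",
        r"$\input{/etc/passwd}$",
        r"$\lstinputlisting{/etc/passwd}$",
    ]
    for tex, deny_ok, allow_ok in compare(constructed):
        print(f"{tex:40} denylist allows={deny_ok!s:5} allowlist allows={allow_ok}")
```

The third sample passes the denylist but fails the allowlist, which is the gap the walkthrough exploits.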

Key Files and Directories

  • Apache config: holds information about the virtual hosts.
  • .htaccess authorization: revealed paths to user files.
  • Directory structure: useful directories such as tmp for temporary files.

Cracking Passwords

  • .htaccess file: extracted the hash from it and cracked it with Hashcat.
    • Example: vdaisley's password is calculus20.
    • Usage: can SSH into the server with it.

Exploiting CRON Jobs

  • gnuplot: detected running every minute via a cron job.
    • Potential for code execution by placing malicious .plt files where the job picks them up.
  • Plot file execution: gnuplot's system command runs arbitrary shell commands.
    • Example payload: reverse shell command placed in a .plt file.

Full Access and Debugging

  • Root access: achieved by crafting a malicious plot file that spawns a reverse shell.
    • Verification and debugging: execute commands manually and check the output to confirm each step works.

Tools and Techniques

  • Nmap: network scanning to discover open ports.
  • ffuf: fuzzing to discover which commands/blocks the LaTeX filter still allows.
  • LinPEAS: identifying potential privilege escalations and running processes.
  • Hashcat: cracking password hashes.

General Steps for Next Time

  • Always automate recon (e.g., finding subdomains and services).
  • Attempt filter bypasses systematically with wordlists.
  • Save and verify discovered configurations and hashes as you go.

Conclusion

  • Methodical approach from enumeration to exploitation.
  • Importance of double-checking with manual commands and toolkits.
  • Enjoyed solving the box, demonstrating critical thinking and systematic testing.