CyberPulse Security

HackTheBox -Topology

HackTheBox -Topology

1NF1N17YX's photo
1NF1N17YX
·

3 min read

Table of contents

Enumeration:

sudo nmap -sS -sV -sC -T4 --min-rate 5000 10.10.11.217 -vv

Scanning topology.htb (10.10.11.217) [1000 ports]
Discovered open port 22/tcp on 10.10.11.217
Discovered open port 80/tcp on 10.10.11.217
Completed SYN Stealth Scan at 18:40, 0.45s elapsed (1000 total ports)
Initiating Service scan at 18:40
Scanning 2 services on topology.htb (10.10.11.217)
Completed Service scan at 18:40, 6.37s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.217.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:40
Completed NSE at 18:40, 2.81s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:40
Completed NSE at 18:40, 1.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:40
Completed NSE at 18:40, 0.00s elapsed
Nmap scan report for topology.htb (10.10.11.217)
Host is up, received echo-reply ttl 63 (0.096s latency).
Scanned at 2023-10-14 18:40:11 EDT for 11s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC65qOGPSRC7ko+vPGrMrUKptY7vMtBZuaDUQTNURCs5lRBkCFZIrXTGf/Xmg9MYZTnwm+0dMjIZTUZnQvbj4kdsmzWUOxg5Leumcy+pR/AhBqLw2wyC4kcX+fr/1mcAgbqZnCczedIcQyjjO9M1BQqUMQ7+rHDpRBxV9+PeI9kmGyF6638DJP7P/R2h1N9MuAlVohfYtgIkEMpvfCUv5g/VIRV4atP9x+11FHKae5/xiK95hsIgKYCQtWXvV7oHLs3rB0M5fayka1vOGgn6/nzQ99pZUMmUxPUrjf4V3Pa1XWkS5TSv2krkLXNnxQHoZOMQNKGmDdk0M8UfuClEYiHt+zDDYWPI672OK/qRNI7azALWU9OfOzhK3WWLKXloUImRiM0lFvp4edffENyiAiu8sWHWTED0tdse2xg8OfZ6jpNVertFTTbnilwrh2P5oWq+iVWGL8yTFeXvaSK5fq9g9ohD8FerF2DjRbj0lVonsbtKS1F0uaDp/IEaedjAeE=
|   256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIR4Yogc3XXHR1rv03CD80VeuNTF/y2dQcRyZCo4Z3spJ0i+YJVQe/3nTxekStsHk8J8R28Y4CDP7h0h9vnlLWo=
|   256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaM68hPSVQXNWZbTV88LsN41odqyoxxgwKEb1SOPm5k
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

ffuf -w /home/ghost/Documents/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -H "host: FUZZ.topology.htb" -u http://10.10.11.217 -fs 6767

modify hosts file as follows

sudo nano /etc/hosts

we checked the subdomain latex subdomain and it looks intersting. i predicted that it's vulnerable to command injection after researching ... it's vulnerable to latex injection. Latex is a document preparation system used for the communication and publication of scientific documents.

/var/www/dev/.htpasswd

create a file and save the hash

john --wordlist=/home/ghost/Documents/rockyou.txt hash.txt

the password for user vdaisley is calculus20

use the credentials to log into ssh

capturing the user flag

Privilege Escalation:

Downloading linpeas and running it the target system

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh

we found unexpected app in /opt folder that has write permission and executed root.

We have write permission on a folder that has root privileges. We can create files in the gunplot directory using a set of commands that will take advantage of the system's execution as root.
Resources
devdocs
wikibooks

nano priv.plt
Copy

Add the following line to the file

This will set the SUID bit on the /bin/bash file, this will grant it the privileges of the root user. Eventually we gonna force it to do so with /bin/bash -p to run the shell as the effective user and getting the root flag.

CTF#HackTheBoxhackingpenetration testinghtb