Post

HTB Linux Easy: Topology

Topology is an Easy rated Linux machine on HTB.

Posted
By Gregory Allegoet
1 min read
HTB Linux Easy: Topology

Nmap

Pasted image 20240715110445.png

Initial foothold

On the main page there is a link to http://latex.topology.htb/equation.php. Pasted image 20240715110435.png

Add the newly found domain and subdomain to the hosts file. Pasted image 20240715110431.png

On the equation.php page we are able to enter LaTeX formulas. Pasted image 20240715110423.png

Using ffuf we find a dev subdomain. Pasted image 20240715110417.png

Add the new subdomain to hosts file too. Pasted image 20240715110412.png

Trying to access dev.topology.htb results in a login prompt, info could be stored in a .htpasswd file? Pasted image 20240715110406.png

Use a LaTeX formula for LFI: /var/www/html/dev returned an error, however /var/www/dev works! Pasted image 20240715110401.png

Hash found. Pasted image 20240715110357.png

Use JohnTheRipper to crack the hash: calculus20. Pasted image 20240715110351.png

SSH: vdaisley:calculus20. Pasted image 20240715110346.png

Priv Esc

Linpeas reveals software that was put in the /opt directory. Pasted image 20240715110341.png

Since we have write permissions in the gnuplot directory we can easily create a file with a reverse shell payload that will be executed as root. Pasted image 20240715110335.png

After waiting for a few seconds we get a shell. Pasted image 20240715110328.png

User.txt

Pasted image 20240715110322.png

Root.txt

Pasted image 20240715110318.png

Pwned

Pasted image 20240715110312.png

Sources

CTF, HTB
Linux Easy
This post is licensed under CC BY 4.0 by the author.