Introduction
Today I will go through the HTB Topology machine. It's an easy-level machine by HTB.
![](http://techyrick.com/wp-content/uploads/2023/06/Topology-1024x775.png)
Recon
Nmap
As always, two ports are open: ports 22 and 80.
![](http://techyrick.com/wp-content/uploads/2023/06/image-15.png)
Enumeration
Subdomain Enumeration
By visiting the site we can see that the domain is topology.htb.
![](http://techyrick.com/wp-content/uploads/2023/06/image-16.png)
After viewing the source code I found another subdomain, i.e. latex.topology.htb.
![](http://techyrick.com/wp-content/uploads/2023/06/image-17.png)
![](http://techyrick.com/wp-content/uploads/2023/06/image-18.png)
I found two more subdomains: dev and stats.
Add them to the /etc/hosts file.
Web Enumeration
![](http://techyrick.com/wp-content/uploads/2023/06/image-19.png)
dev.topology.htb requires authorization. Let's visit latex.topology.htb.
I see a possibility of LaTeX injection here.
![](http://techyrick.com/wp-content/uploads/2023/06/image-20-815x1024.png)
Foothold
There are two ways, and the easiest one is to read the .htpasswd file from the dev directory.
I will use the easy one. If you are interested in learning the other method, you can DM me.
Now we have to read the file using LaTeX injection:
$\lstinputlisting{/var/www/dev/.htpasswd}$
This will give the hash for the user.
You can extract the text from the image and crack it using hashcat.
![](http://techyrick.com/wp-content/uploads/2023/06/image-21.png)
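One way a formula-rendering service could refuse input like the payload above before it reaches the TeX engine, shown as an added example (not code from the machine or from this write-up): an allowlist validator. The macro list, the permitted character set and the name `validate_equation` are assumptions made for illustration.

```python
import re
import string

# Assumed policy for an equation-only renderer: the only control words accepted.
# File readers such as \lstinputlisting or \input, and \catcode, \def, \write,
# are refused simply because they are not on the list.
ALLOWED_MACROS = frozenset({
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "cdot", "times",
    "pm", "leq", "geq", "neq", "approx", "alpha", "beta", "gamma", "delta",
    "theta", "lambda", "mu", "pi", "sigma", "omega", "sin", "cos", "tan",
    "log", "ln", "exp", "left", "right", "partial", "nabla", "to",
})
ALLOWED_SYMBOLS = frozenset(",;:! {}")  # control symbols: \, \; \: \! "\ " \{ \}
PLAIN_CHARS = frozenset(string.ascii_letters + string.digits
                        + " +-*/=()[]{}^_.,|<>!'")
# A control sequence is a backslash plus a run of letters, or plus one other char.
CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.)", re.DOTALL)


def validate_equation(src: str, max_len: int = 500) -> list[str]:
    """Return the reasons to refuse src; an empty list means it may be rendered."""
    problems = []
    if len(src) > max_len:
        problems.append("input too long")
    # TeX's ^^ notation can encode any character, a backslash included, so a
    # filter that only looks for "\" misses it. Refuse it outright.
    if "^^" in src:
        problems.append("^^ character notation not allowed")
    for match in CONTROL_SEQ.finditer(src):
        name = match.group(1)
        allowed = ALLOWED_MACROS if len(name) > 1 or name.isalpha() else ALLOWED_SYMBOLS
        if name not in allowed:
            problems.append(f"macro not allowed: \\{name}")
    # Whatever is left after removing control sequences must be plain math
    # characters; this refuses "$" (leaving math mode), "%", "#", "~" and "\".
    leftover = CONTROL_SEQ.sub(" ", src)
    for ch in sorted(set(leftover) - PLAIN_CHARS):
        problems.append(f"character not allowed: {ch!r}")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the second is the payload quoted in this write-up.
    for sample in (r"\frac{x+5}{y-3}", r"$\lstinputlisting{/var/www/dev/.htpasswd}$"):
        print(sample, "->", validate_equation(sample) or "ok")
```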
User
vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
After cracking that hash you can log in as vdaisley using ssh
The cracked hash is calculus20
![](http://techyrick.com/wp-content/uploads/2023/06/image-22.png)
Priv-Esc
Priv esc is pretty interesting.
I found gnuplot in the /opt directory, which has write and execute permissions.
After a few minutes I ran PSPY and found that one process is running and executing .plt files in the directory as root 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-23.png)
Run this command:
echo 'system "chmod u+s /bin/bash"' > /opt/gnuplot/privesc.plt
After running this command, wait a few minutes and then run /bin/bash -p to get root.
![](http://techyrick.com/wp-content/uploads/2023/06/image-24.png)
This was a very easy machine.
Hope you enjoyed my writeup 🙂
Conclusion
Overall this is a good machine. I would rate it 4/10 compared to the easy level.
Jai Shree Krishna ❤️