Chemistry (Easy)
Difficulty -> Easy
OS -> Linux
State -> Retired
Tags -> Pending
After the initial port scan, I ran a more exhaustive scan to learn more about the services running on the open ports
I found HTTP running on port 5000; the scan labelled it as a Universal Plug and Play (UPnP) service, which is used for network discovery. To check it, I opened the address in the browser and found a simple site that appeared to be a program for processing chemistry-related files. I registered and logged in, which took me to a dashboard with an option to upload a Crystallographic Information File (CIF)
I didn't know this file type, but the site also let me download a sample file, which showed me the file format and which parameters the page processed
With this, I crafted a modified version of the CIF file to execute commands remotely: I added a script to the file so that, when processed, it would give me a reverse shell
Then I explored the system looking for a way to move laterally or escalate privileges. In /home there was a directory for another user, rosa. Listing it showed a user.txt file, but I didn't have permission to read it
In these circumstances, I needed to move laterally to gain access as rosa. Looking for clues, I found a database.db file under /home/app/instance (which held the web service's files); checking its type with the file command confirmed it was a SQLite3 database
Knowing this, I opened the database and queried it. Listing the tables revealed a user table, and reading it showed several users together with values that looked like password hashes. One of the rows belonged to a user named rosa, so I assumed it matched the system user and tried to crack that hash to obtain the password
Then I connected through SSH as rosa with this password and got in successfully. I also sanitized the terminal again to interact with it more comfortably
With that, I had permission to read user.txt in /home/rosa and retrieved the user flag
Answer: 4322e11a0bd69f9f5c49e46ce07b3f35
The service on port 8080 was bound locally, so I couldn't reach it directly from my browser, but since I had SSH access I set up a tunnel with local port forwarding to reach it from my machine. To confirm it worked, I opened the forwarded port in the browser and saw the web service load correctly
I explored the site, which looked like a statistics service, but after a while I found nothing interesting, so I tried to fingerprint its components. I used the curl command to send a request and inspected the response headers
Finally, since the exploit read files as the root user, I tried the /root folder and read root.txt, which existed, and with that I luckily retrieved the root flag
With that, I got the root flag and pwned the machine
Answer: 861d48a12f6494bc174cca5585a3a3e1
I could also have escalated privileges by retrieving the root user's SSH keys. I checked the standard .ssh folder in root's home (/root/.ssh) for the default file name id_rsa, and fortunately the file existed and leaked the private key
With this, I copied the key into a local file, restricted its permissions so the SSH client would accept it, and used it to log in to the target as root. With that done, I could go to the /root folder and read root.txt to retrieve the root flag
I started with an initial port scan
Since the web app let me modify and re-upload the file, it could be exposed to a file upload vulnerability, so I tried to leverage it to get a reverse shell from the server. To do so, I searched the web for possible CVEs and exploits and found an interesting one: a vulnerability that affected versions 2024.2.8 or lower and could give me RCE on the target
After that, I uploaded the file and started a listener on my machine to receive the connection. Then I clicked the View button, which ran the embedded script: the page kept loading while the listener caught the shell from the host. I sanitized the terminal to work more comfortably and checked which user I was, confirming I now had access as app, the user running the web server
To do that, I used an online tool to identify and crack the hash, and I was lucky because it was a plain MD5 hash already present in the tool's lookup tables, which revealed the password unicorniosrosados
Then I had to find a way to escalate privileges. I started searching manually, but after a while I found nothing, so to speed up the process I used an enumeration script to look for possible escalation paths. After transferring it to the target and running it, I saw in its output that there was a service listening locally on port 8080, a port commonly used by web servers
I found that the HTTP server was served by the Python library aiohttp, and the headers also revealed its version. With this, I searched for related CVEs and, after some research, found a GitHub repository with a PoC for CVE-2024-23334, which exploits a Local File Inclusion (a path traversal through the static file handler) in aiohttp versions 3.9.1 or lower; because this service ran as root, it could read files as the root user
I downloaded the exploit and used it to automate the attack, but it needed a static route to target. With a little research, I found some standard folder names used for static files; I tried several of them in the exploit and noticed that the /assets route worked