Chemistry HTB Walkthrough

Welcome to another Hack The Box exercise. In this walkthrough I document how I pwned the Chemistry machine on Hack The Box. Hack The Box is a cybersecurity training platform that helps you bridge knowledge gaps and prepare for security jobs, and it lets you test and grow your penetration-testing skills, from information gathering through to reporting. If you are new to this blog, please like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.


About the Machine

Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the `pymatgen` Python library (CVE-2024-23346), triggered by uploading a malicious `CIF` file to the `CIF Analyzer` website hosted on the target. After discovering and cracking password hashes, we authenticate to the target over SSH as the `rosa` user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in the `AioHTTP` Python library (CVE-2024-23334), used by a web application running internally, to read the root flag.


As in my previous posts, the first step in solving a machine is connecting the Kali Linux terminal to the Hack The Box VPN: log into your HTB account, navigate to "Machines", select the machine you want to pwn (in this case "Chemistry"), download the lab access file and rename it. I renamed mine to chemistry.ovpn.

I do this because it keeps track of the files I download on my Linux system and keeps the file name as short as possible. After the download, I created a directory "ChemistryHTB" on my desktop and moved the file into it. Then I opened a new terminal and ran the following command to connect to the HTB server:

sudo openvpn chemistry.ovpn

The sudo openvpn chemistry.ovpn command brings up the VPN tunnel between my Kali Linux terminal and the Hack The Box network. Once the connection was established, I ran an Nmap scan to find the open ports on the target machine. This step is crucial: the exposed services tell you what the machine is about and what to do next.

I right-clicked the terminal and chose “split terminal vertically” to open a second pane. Then I ran the following command against the target IP address (note that -A already includes -sC and -sV, plus OS detection and traceroute, so -sCV is redundant here):

nmap -sCV -A 10.10.11.38

The nmap scan revealed two open ports: 22/tcp (SSH, which becomes our way in once we have credentials) and 5000/tcp (the default port of Flask's development server and a common choice for Python web applications in general, so this is where the web app lives).

nmap scan revealed two open ports: 22/tcp and 5000/tcp

After the nmap enumeration completed, I added the target to my /etc/hosts file by opening it in the nano editor (sudo nano /etc/hosts) and appending the line:

10.10.11.38 chemistry.htb

To save and exit nano, press Ctrl+X, then Y, then Enter. Next I opened Firefox and visited http://chemistry.htb:5000 (the port has to be given explicitly: 5000 is the only web port nmap found, so plain http://10.10.11.38 returns nothing). The website presented two buttons, one to log in and one to register, so I registered an account with a username and password and logged in with the same credentials.

On the dashboard, the application provided a file chooser to pick a CIF file and a button to submit it for analysis.

Chemistry CIF Analyser
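The bug class behind the CVE named in the machine description, as an added example that is not pymatgen's code and not the exploit used on this box: pymatgen's JonesFaithfulTransformation.from_transformation_str() (fixed in 2024.2.20) parsed transformation strings such as "a+b,b,c;0,0,0", reachable from a CIF file, by handing each component to eval() with only __builtins__ stripped. vulnerable_basis_change below reproduces that pattern on a toy vector type for the basis-change half of such a string (explicit * is required, since the library's implicit-multiplication rewrite is left out); the probe string shows why removing builtins is not a sandbox, because attribute access still reaches the interpreter's object graph, which is the primitive an RCE payload builds on; and safe_basis_change is the hardened replacement that whitelists the grammar with ast. The Vec class, BASIS table and PROBE string are constructed for this example.

```python
"""Toy reproduction of the eval()-based parsing pattern behind
CVE-2024-23346 (pymatgen < 2024.2.20), beside a whitelisted parser.
This is an added example, not pymatgen's code."""
import ast
import operator
from dataclasses import dataclass


@dataclass(frozen=True)
class Vec:
    """Constructed 3-vector so basis expressions like 'a+b' or 'c/2' work."""

    x: float
    y: float
    z: float

    def __add__(self, other):
        return Vec(self.x + other.x, self.y + other.y, self.z + other.z)

    def __sub__(self, other):
        return Vec(self.x - other.x, self.y - other.y, self.z - other.z)

    def __neg__(self):
        return Vec(-self.x, -self.y, -self.z)

    def __mul__(self, k):
        if isinstance(k, Vec):
            raise ValueError("vector * vector is not a basis change")
        return Vec(self.x * k, self.y * k, self.z * k)

    __rmul__ = __mul__

    def __truediv__(self, k):
        return self * (1 / k)


# Lattice basis vectors that the string components may refer to.
BASIS = {"a": Vec(1, 0, 0), "b": Vec(0, 1, 0), "c": Vec(0, 0, 1)}


def vulnerable_basis_change(spec):
    """VULNERABLE (kept deliberately): eval() with builtins stripped.

    Removing __builtins__ is not a sandbox: attribute access and
    subscripting still work, so any literal gives a foothold into the
    object graph. That is the primitive the pymatgen RCE built on."""
    return [eval(part, {"__builtins__": None}, dict(BASIS))
            for part in spec.split(",")]


_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def _eval_node(node):
    """Evaluate only the grammar a basis change needs: a, b, c, numeric
    literals, unary minus and + - * /. Anything else (attributes, calls,
    subscripts, unknown names) is rejected rather than evaluated."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name) and node.id in BASIS:
        return BASIS[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left),
                                      _eval_node(node.right))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_basis_change(spec):
    """Hardened replacement: parse with ast, walk a whitelist, and insist
    on exactly three vector-valued components."""
    parts = spec.split(",")
    if len(parts) != 3:
        raise ValueError("a basis change needs exactly three components")
    rows = []
    for part in parts:
        try:
            value = _eval_node(ast.parse(part.strip(), mode="eval"))
        except (SyntaxError, TypeError, ZeroDivisionError) as exc:
            raise ValueError(f"rejected {part!r}: {exc}") from None
        if not isinstance(value, Vec):
            raise ValueError(f"{part!r} is not a lattice vector")
        rows.append(value)
    return rows


# Constructed probe: no payload, it only shows that the "sandbox" still
# resolves dunder attributes (the result is the name of the object class).
PROBE = "a,().__class__.__mro__[1].__name__,c"

if __name__ == "__main__":
    print(safe_basis_change("a+b,-b,c/2"))
    print(vulnerable_basis_change(PROBE)[1])
    try:
        safe_basis_change(PROBE)
    except ValueError as exc:
        print("safe parser:", exc)
```

The point of the whitelist walker is that it never calls eval() at all: the input is parsed into a tree, and only node types the format actually needs are interpreted, so a CIF field containing anything else is an error rather than code.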

After gaining a shell as rosa on chemistry, I listed the files in the home directory and found three, including user.txt, which I read by running:

cat user.txt

There I found the user flag. The next step was to obtain the root flag. The first thing I did was to list the listening TCP sockets together with the processes that own them:

netstat -nltp

I noticed a service bound only to localhost on port 8080, which is not reachable from outside the box, and decided to dig deeper. To reach it from Kali I set up a local port forward over SSH:

ssh -L 7000:127.0.0.1:8080 rosa@10.10.11.38

This connects to the remote machine at 10.10.11.38 as user rosa and forwards local port 7000 on Kali to 127.0.0.1:8080 on the remote machine, so the internal service is reachable from my browser or curl at localhost:7000. The same command also opens a shell on the target; the commands below address localhost:8080, i.e. they are run in that SSH session on the target itself.

Afterwards, I sent an HTTP HEAD request to the internal service on port 8080:

curl localhost:8080 --head

This is useful for quickly checking that a server is up and what headers it returns (status code, content-type and, above all, the Server header, which is what ties this internal port to the AioHTTP library named in the machine description). Then I went for the path traversal. CVE-2024-23334 affects aiohttp before 3.9.2 when a static route is registered with follow_symlinks=True: the handler resolves the requested path but never checks that the result is still inside the static root, so a raw ../ sequence in the URL walks out of it. I ran the following command:

curl -s --path-as-is http://localhost:8080/assets/../../../../root/root.txt

Breakdown:

  1. curl -s: Runs curl silently (no progress meter or error output).
  2. --path-as-is: Tells curl not to normalize the URL path. Without it, curl squashes the ../ segments per RFC 3986 before sending, the request goes out as GET /root/root.txt and never reaches the /assets handler at all.
  3. http://localhost:8080/assets/../../../../root/root.txt: The path enters the static route at /assets and then climbs four directories (../../../../) to reach /root/root.txt. Four is more than enough here; once the traversal reaches the filesystem root, extra ../ segments make no difference.
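The server-side check whose absence this command exploits, as an added example that is not aiohttp's code: before 3.9.2, an aiohttp static route registered with follow_symlinks=True resolved the requested path (collapsing .. and following symlinks) but never verified that the result stayed under the static root. vulnerable_resolve below reproduces that pattern, safe_resolve adds the containment check, and client_normalized shows what curl does to the path when --path-as-is is not given. The directory layout, file names and contents are constructed in a temporary directory for this example, and the traversal depth differs from the real box because the toy root is only two levels deep.

```python
"""Toy reproduction of the missing containment check behind
CVE-2024-23334 (aiohttp < 3.9.2 static routes with follow_symlinks=True),
beside the fixed pattern. Added example, not aiohttp's code."""
import os
import posixpath
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def client_normalized(raw_path: str) -> str:
    """What an RFC 3986 client does to the path before sending it.

    curl squashes dot-segments unless --path-as-is is given, so
    '/assets/../../../../root/root.txt' leaves the client as
    '/root/root.txt' and never reaches the /assets handler at all.
    posixpath.normpath applies the same collapsing."""
    return posixpath.normpath(raw_path)


def vulnerable_resolve(root: Path, rel: str) -> Optional[Path]:
    """VULNERABLE (kept deliberately): join, resolve (which collapses '..'
    and follows symlinks) and serve whatever exists. Nothing checks that
    the resolved file is still under root."""
    target = (root / rel).resolve()
    return target if target.is_file() else None


def safe_resolve(root: Path, rel: str) -> Optional[Path]:
    """Fixed pattern: resolve both sides, then require the real target to
    be inside the real root. This rejects '..' escapes and symlinks that
    point outside the directory alike."""
    real_root = root.resolve()
    target = (real_root / rel).resolve()
    try:
        target.relative_to(real_root)
    except ValueError:
        return None
    return target if target.is_file() else None


def build_demo() -> Tuple[Path, Path]:
    """Constructed layout in a fresh temp dir:
         <tmp>/www/assets/app.js   public static file
         <tmp>/secret.txt          must never be served
         <tmp>/www/assets/escape   symlink -> <tmp>/secret.txt
    Returns (static root, secret path)."""
    base = Path(tempfile.mkdtemp())
    root = base / "www" / "assets"
    root.mkdir(parents=True)
    (root / "app.js").write_text("console.log('static')\n")
    secret = base / "secret.txt"
    secret.write_text("constructed secret, not a real flag\n")
    os.symlink(secret, root / "escape")
    return root, secret


if __name__ == "__main__":
    root, secret = build_demo()
    print(client_normalized("/assets/../../../../root/root.txt"))
    for rel in ("app.js", "../../secret.txt", "escape"):
        print(f"{rel:18} vulnerable={vulnerable_resolve(root, rel)} "
              f"safe={safe_resolve(root, rel)}")
```

Note that the check compares resolved paths on both sides: comparing the unresolved root against a resolved target (or a plain string prefix) is the kind of shortcut that still lets a symlink, or a sibling directory whose name merely starts with the root's name, slip through.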


Hurray! I got the root flag.

Congratulations if you made it this far. If you enjoy reading my writeups, kindly subscribe to my channel and follow me on my social media handles:

YouTube channel: https://m.youtube.com/@BoltechTechnologies1

LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Twitter at https://x.com/BoltechNG

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib
