Introduction to Chemistry:

In this writeup, we will explore the “Chemistry” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Chemistry” machine from Hack The Box by achieving the following objectives:

User Flag:

Exploiting CVE-2024-23346: Remote Code Execution via Malicious CIF File

This process demonstrates how a vulnerability in Pymatgen (CVE-2024-23346) can be exploited through a Crystallographic Information File (CIF) to achieve Remote Code Execution (RCE) and gain unauthorized system access. The attack begins by injecting malicious code into a CIF file’s _space_group_magn.transform_BNS_Pp_abc field. Once the modified file is uploaded to the dashboard, nothing happens initially. Further investigation reveals that execution is triggered by clicking the View button. This interaction successfully executes the payload, establishing a reverse shell connection to the attacker’s system.

With remote access secured, SQLite3 is used to inspect the database, revealing multiple user credentials and password hashes. After successfully cracking the hash, the plaintext password is obtained. Finally, using the command “cat user.txt”, the user flag is retrieved, marking the successful completion of the exploitation process.

Root Flag:

Exploiting aiohttp for Privilege Escalation

After discovering a service running on port 8080, an attempt was made to gather information about the server and access the assets directory, which returned a 403 Forbidden status. Further analysis revealed that the server was running aiohttp/3.9.1, prompting a search for known exploits.

Leveraging a Local File Inclusion (LFI) attack on the assets directory, it was possible to obtain the SSH key. With this access, further privilege escalation allowed for reading the root flag from the root.txt file.

Enumerating the Chemistry Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.38

Nmap Output:

|   RTSPRequest: 
|     
|     
|     
|     
|     Error response
|     
|     
|     Error response
|     Error code: 400

|     Message: Bad request version ('RTSP/1.0').

|     Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.

|     
|_    
9000/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.94SVN%I=7%D=3/1%Time=67C3C758%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,38A,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.0\.3\x
SF:20Python/3\.9\.5\r\nDate:\x20Sun,\x2002\x20Mar\x202025\x2002:50:05\x20G
SF:MT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x
SF:20719\r\nVary:\x20Cookie\r\nConnection:\x20close\r\n\r\n\n\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20Chemist
SF:ry\x20-\x20Home\n\x20\x20\x20\x20\n\n\n\x20\x20\x20\x20\n\x20
SF:\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20C
SF:hemistry\x20CIF\x20Analyzer\n\x20\x20\x20\x20\x20\x20\x20\x20We
SF:lcome\x20to\x20the\x20Chemistry\x20CIF\x20Analyzer\.\x20This\x20tool\x2
SF:0allows\x20you\x20to\x20upload\x20a\x20CIF\x20\(Crystallographic\x20Inf
SF:ormation\x20File\)\x20and\x20analyze\x20the\x20structural\x20data\x20co
SF:ntained\x20within\.
\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<
SF:a\x20href=\"/login\"\x20class=\"btn\">Login\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20Reg
SF:ister\n\x20\x20\x20\x20\x20\x20\x20\x20

\n\x20\x20\x2 SF:0\x20

\n\n<")%r(RTSPRequest,1F4,"\n\n\x20\x20\x20 SF:\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20 SF:\x20\x20\x20Error\x20response\n\x20\x20\x20\x20\n SF:\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20re SF:sponse

\n\x20\x20\x20\x20\x20\x20\x20\x20

Error\x20code:\x20400\n\x20\x20\x20\x20\x20\x20\x20\x20

Message:\x20Bad\x20request\x20ve SF:rsion\x20\('RTSP/1\.0'\)\.

\n\x20\x20\x20\x20\x20\x20\x20\x20

Erro SF:r\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20Bad\x20req SF:uest\x20syntax\x20or\x20unsupported\x20method\.

\n\x20\x20\x20\x20\n\n"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Mar 1 21:51:49 2025 -- 1 IP address (1 host up) scanned in 933.16 seconds" style="color:#abb2bf;display:none" aria-label="Copy" class="code-block-pro-copy-button">

┌─[dark@parrot]─[~/Documents/htb/chemistry]
└──╼ $ nmap -sC -sV -oA initial 10.10.11.38
# Nmap 7.94SVN scan initiated Sat Mar  1 21:36:16 2025 as: nmap -sC -sV -oA initial 10.10.11.38
Nmap scan report for 10.10.11.38
Host is up (0.35s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_  256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open  upnp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.9.5
|     Date: Sun, 02 Mar 2025 02:50:05 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 719
|     Vary: Cookie
|     Connection: close
|     DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Chemistry - Home</title>
|     <link rel="stylesheet" href="/static/styles.css">
|     </head>
|     <body>
|     <div class="container">
|     class="title">Chemistry CIF Analyzer</h1>
|     <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.
|     <div class="buttons">
|     <center> href="/login" class="btn">Login</a>
|     href="/register" class="btn">Register</a></center>
|     </div>
|     </div>
|     </body>
|   RTSPRequest: 
|     DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
9000/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.94SVN%I=7%D=3/1%Time=67C3C758%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,38A,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/3\.0\.3\x
SF:20Python/3\.9\.5\r\nDate:\x20Sun,\x2002\x20Mar\x202025\x2002:50:05\x20G
SF:MT\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x
SF:20719\r\nVary:\x20Cookie\r\nConnection:\x20close\r\n\r\n
SF:ml>\n\"en\">\n\n\x20\x20\x20\x20\"
SF:UTF-8\">\n\x20\x20\x20\x20\"viewport\"\x20content=\"width
SF:=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20Chemist</span></span>
<span class="line"><span style="color: #61AFEF">SF:ry\x20-\x20Home\n\x20\x20\x20\x20\"stylesheet\"\x2
SF:0href=\"/static/styles\.css\">\n\n\n\x20\x20\x20\x20\n\x20
SF:\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x20\x20\x20\x20\
SF:"container\">\n\x20\x20\x20\x20\x20\x20\x20\x20\"title\">C
SF:hemistry\x20CIF\x20Analyzer\n\x20\x20\x20\x20\x20\x20\x20\x20We
SF:lcome\x20to\x20the\x20Chemistry\x20CIF\x20Analyzer\.\x20This\x20tool\x2
SF:0allows\x20you\x20to\x20upload\x20a\x20CIF\x20\(Crystallographic\x20Inf
SF:ormation\x20File\)\x20and\x20analyze\x20the\x20structural\x20data\x20co
SF:ntained\x20within\.
\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:\"buttons\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<
SF:a\x20href=\"/login\"\x20class=\"btn\">Login\n\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\"/register\"\x20class=\"btn\">Reg
SF:ister\n\x20\x20\x20\x20\x20\x20\x20\x20