Author: e-ukiyo
HackTheBox: Chemistry Write-Up
- T1046
- T1203
- T1003
Discovery
From the nmap scan we can see that only ports 22 and 5000 are open.
I try brute-force and SQLi attacks but nothing, so I just register, and here is the dashboard.
Then we see an upload functionality that requires a valid CIF file. Then click the example file.
I search for a CIF CVE and find an exploit: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
I change the CIF file, upload it to the system and start a netcat listener.
Then click view to trigger the file for a reverse shell.
There is a database file that contains the credentials of users; credentials for rosa were also inside it.
After cracking the hash with hashcat we can log in over SSH as rosa.
Okay here is the user flag.
Then for the root flag I try the sudo -l command but nothing.
Use netstat -l to see what else we have up on the machine. On 8080 it looks like there is some website.
Then I try the request.
I saw aiohttp, then after a Google search, there is a CVE related to the server version.
So, we can read files by exploiting path traversal. Here you can read the root flag.
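From the defender's side, the path traversal against the internal web service leaves a recognisable trace in access logs. The following is an added example, not part of the original write-up: it flags logged requests that start under a static route but resolve outside it, including percent-encoded and double-encoded dot segments. The `/assets/` prefix, the log layout and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not taken from the box).
SAMPLE_LOG = """\
127.0.0.1 [12/Oct/2024:10:01:02 +0000] "GET /assets/js/app.js HTTP/1.1" 200 5120
127.0.0.1 [12/Oct/2024:10:01:05 +0000] "GET /assets/../assets/css/site.css HTTP/1.1" 200 880
127.0.0.1 [12/Oct/2024:10:01:09 +0000] "GET /assets/../../../../etc/hostname HTTP/1.1" 200 12
127.0.0.1 [12/Oct/2024:10:01:11 +0000] "GET /assets/%2e%2e/%2e%2e/secret.txt HTTP/1.1" 404 0
127.0.0.1 [12/Oct/2024:10:01:15 +0000] "GET /assets/%252e%252e/%252e%252e/x HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
STATIC_PREFIX = "/assets/"  # assumed static route prefix


def fully_unquote(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded dot segments are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_static_root(target, prefix=STATIC_PREFIX):
    """True when a request under the static prefix resolves outside it."""
    path = fully_unquote(urlsplit(target).path).replace("\\", "/")
    if not path.startswith(prefix):
        return False
    resolved = posixpath.normpath(path)
    return not (resolved + "/").startswith(prefix)


def find_traversal(log_text):
    """Return (target, status) for every logged request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_static_root(m["target"]):
            hits.append((m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for target, status in find_traversal(SAMPLE_LOG):
        print(status, target)
```

A hit with status 200 means file content outside the static directory was actually served; 404 hits still indicate probing.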