Chemistry writeup
Box name: Chemistry
Difficulty: Easy
OS: Linux
Overview: Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen Python library (CVE-2024-23346) by uploading a malicious CIF file to the hosted CIF Analyzer website on the target. After discovering and cracking hashes, we authenticate to the target via SSH as the rosa user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in a Python library called AioHTTP (CVE-2024-23334), which is used by the web application running internally, to read the root flag.
Link: https://app.hackthebox.com/machines/Chemistry?sort_by=created_at&sort_type=desc
Machine IP: 10.129.231.170
Ran rustscan against the machine.
rustscan -a 10.129.231.170 --ulimit 5000 -b 2000 -- -A -Pn

Checked out port 5000’s http server.

Registered with an account kami:kami. Looks like we can upload a CIF file.

Googled a CIF reverse shell and found this: https://github.com/ex-cal1bur/CIF_Reverse_shell/blob/main/CIF_example.cif. Edited that with my IP and port and got a shell.

Stabilized my shell. Read app.py and there’s a secret key in there and mentions of a SQL database. MyS3cretCh3mistry4PP

Checked out /home and there is a user rosa, but no access to user.txt. Tried that Secret key for rosa but didn’t get in. Went back to the path I landed in and poked around and found a database.db file.

Put the hashes in a file hashes.txt and ran hashcat.
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
I got some passwords back.

rosa:unicorniosrosados
victoria:victoria123
peter:peterparker
carlos:carlos123
I tried password reuse on root just in case. Logged into rosa and got user.txt

Couldn’t find anything from manual enumeration. Dropped linpeas on the victim machine. I looked at this but missed it the first time. In /opt there is a monitoring service file, but I didn’t have read permissions and I initially ignored it. I also looked at the servers but missed that on port 8080 there is something internal that is interesting. Port forwarded with SSH so we can see what that is.
ssh -L 8080:127.0.0.1:8080 rosa@10.129.231.170
That brings us to some site monitoring service.

I got stuck here after some looking around and research so I peeked at the writeup. I could’ve rescanned the port.
nmap -p 8080 -sV -sC 127.0.0.1

This shows us the version. This is vulnerable to CVE-2024-23334 https://www.exploit-db.com/exploits/52474. Found this github https://github.com/z3rObyte/CVE-2024-23334-PoC. Edited the code and ran it but it did not work. Got stuck here again so I looked at the writeup for the remainder. Apparently the script needs to be run against /assets instead, while it was doing it at /static. Reran it and I got the flag.


GG
Attack Chain
1 – Reconnaissance
Ran RustScan and identified ports 22 (SSH) and 5000 (HTTP). Browsed to port 5000 and found a CIF file analyzer web application. Registered an account and found a file upload feature.
rustscan -a 10.129.231.170 --ulimit 5000 -b 2000 -- -A -Pn
2 – Initial Access – pymatgen malicious CIF file RCE – CVE-2024-23346
Researched CIF file exploitation and found CVE-2024-23346, a remote code execution vulnerability in the pymatgen Python library triggered by processing a malicious CIF file. Found a public malicious CIF template, edited it with the attack machine IP and port, uploaded it through the web application, and caught a reverse shell.
3 – Database credential extraction and lateral movement
Stabilized the shell and read app.py, which contained a hardcoded secret key and a reference to a SQLite database. Located database.db and extracted MD5 password hashes for multiple users. Cracked them with Hashcat using rockyou. Tried rosa’s password via SSH and authenticated successfully. Retrieved user.txt.
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
Credentials recovered: rosa:unicorniosrosados
4 – Internal service discovery and port forwarding
LinPEAS identified an internal service on port 8080. SSH port forwarded to access it from the attack machine. Found a site monitoring web application. Rescanned the forwarded port with Nmap to identify the service version running on aiohttp.
ssh -L 8080:127.0.0.1:8080 rosa@10.129.231.170
nmap -p 8080 -sV -sC 127.0.0.1
5 – Root flag via aiohttp path traversal – CVE-2024-23334
Identified the aiohttp version as vulnerable to CVE-2024-23334, a path traversal leading to arbitrary file read. Used a public PoC but initially failed because the script targeted /static rather than the correct /assets endpoint. Adjusted the endpoint and successfully read root.txt directly from the server without obtaining an interactive root shell.
Key Takeaways
- pymatgen malicious CIF file RCE – CVE-2024-23346 (CVSS 8.8 High) – The web application processed user-uploaded CIF files using a vulnerable version of pymatgen that allowed arbitrary Python code execution embedded in the file. File upload endpoints that parse complex file formats must use sandboxed processing environments and must be kept fully patched. User-supplied files must never be processed in the same context as the web application.
- Hardcoded secret key in application source code – The Flask secret key was hardcoded in app.py and readable after gaining a foothold. Hardcoded secrets must be removed from source code and injected at runtime via environment variables or a secrets management solution. Application source files must have restrictive permissions to limit exposure after a compromise.
- MD5 password hashes in application database – User passwords were stored as unsalted MD5 hashes, crackable in seconds with a GPU and rockyou. MD5 is not a suitable algorithm for password storage and must be replaced with bcrypt, scrypt, or Argon2. Database files must have permissions restricting access to the application service account only.
- Weak passwords crackable with rockyou – Multiple user passwords including rosa’s were in the rockyou wordlist. All user account passwords must meet complexity requirements that resist dictionary attacks regardless of the hashing algorithm in use.
- aiohttp path traversal enabling arbitrary file read – CVE-2024-23334 (CVSS 7.5 High) – The internal monitoring service was running a vulnerable version of aiohttp that allowed path traversal through static file serving, enabling unauthenticated reading of arbitrary files including root.txt. Internal services must be kept patched and must not run as root when serving static content accessible to lower-privilege processes.
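As an added defensive example (not code from the box, from the PoC, or from aiohttp itself), this Python function shows the check a static-file handler needs to stop the traversal class described in the last takeaway: it rejects `..` components, percent-encoded traversal, and symlinks whose target resolves outside the configured root. The document root, file names and request paths in `demo()` are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_static(root: str, request_path: str) -> Optional[Path]:
    """Map a URL path under the static route to a file inside root.

    Returns the resolved Path, or None when the request must be rejected.
    """
    root_real = Path(root).resolve()
    # Decode percent-encoding exactly once, then refuse NUL bytes and backslashes.
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Reject any traversal component before touching the filesystem.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    candidate = root_real.joinpath(*parts)
    # resolve() follows symlinks; the final target must still live under root.
    try:
        target = candidate.resolve(strict=True)
    except (OSError, RuntimeError):
        return None
    # is_relative_to needs Python 3.9+; a string-prefix check is not enough.
    if not target.is_relative_to(root_real) or not target.is_file():
        return None
    return target


def demo() -> Dict[str, bool]:
    """Probe a constructed document root; True means the file would be served."""
    base = Path(tempfile.mkdtemp())
    root = base / "assets"                 # the static route's root
    root.mkdir()
    (root / "app.js").write_text("console.log('ok');")
    (base / "secret.txt").write_text("outside the root")
    (root / "link").symlink_to(base)       # symlink that escapes the root
    probes = [
        "/app.js",                 # legitimate asset
        "/../secret.txt",          # plain traversal
        "/%2e%2e/secret.txt",      # percent-encoded traversal
        "/%252e%252e/secret.txt",  # double-encoded traversal
        "/link/secret.txt",        # traversal through a symlink
    ]
    return {p: resolve_static(str(root), p) is not None for p in probes}
```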
Remediation
[Immediate] Patch pymatgen to remediate CVE-2024-23346 (CVSS 8.8 High) Update pymatgen to the latest patched version immediately. Implement file type validation and content scanning on all uploaded CIF files. Process user-uploaded files in an isolated sandbox with no network access and no ability to affect the host application. Restrict the upload feature to authenticated users only.
[Immediate] Patch aiohttp to remediate CVE-2024-23334 (CVSS 7.5 High) Update aiohttp to the latest patched version immediately. Restrict the internal monitoring service to localhost only and ensure it does not run as root. Apply firewall rules preventing access to port 8080 from any untrusted source. If the service has no business requirement, remove it entirely.
[Immediate] Remove hardcoded secrets from application source code Remove the Flask secret key from app.py and rotate it immediately. Inject all application secrets at runtime using environment variables or a secrets manager such as HashiCorp Vault. Audit all application source files for hardcoded credentials, API keys, and secret values and remediate any findings.
[Immediate] Replace MD5 password hashing with a modern algorithm Migrate all stored password hashes from MD5 to bcrypt, scrypt, or Argon2 with appropriate cost factors. Force a password reset for all affected accounts after migration. Audit all application databases for weak or unsalted hash algorithms.
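As an added example (not the box's app.py), a transparent upgrade path from unsalted MD5 records to salted scrypt using only the Python standard library: a legacy record is verified once on a successful login and immediately rewritten, so no MD5 hash survives a user's next sign-in. The user record, password and scrypt cost parameters are constructed assumptions for this demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters: N=2**14, r=8, p=1 is a common interactive-login
# baseline and an assumption here; tune for the deployment's hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$digest' record."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    if stored.startswith("scrypt$"):
        _, n, r, p, salt_b64, digest_b64 = stored.split("$")
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    # Legacy record: unsalted MD5 hex digest, the format found in database.db.
    legacy = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(legacy, stored.lower())


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success, rewrite a legacy MD5 record as scrypt."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        users[username] = scrypt_hash(password)   # transparent upgrade
    return True


# Constructed legacy user store (one MD5 record), not the box's real data.
LEGACY_USERS = {"alice": hashlib.md5(b"correct-horse-battery").hexdigest()}
```

Accounts that never log in again keep their MD5 record, which is why the remediation above also forces a reset for every affected account.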
[Short-term] Enforce strong passwords across all accounts Multiple user passwords including rosa’s were crackable with rockyou. Enforce a minimum password length of 14 characters with complexity requirements across all application and OS accounts. Audit existing passwords against common wordlists and force resets where weak passwords are identified.
[Long-term] Implement sandboxed file processing and a dependency patch management program Establish a policy requiring all user-uploaded file processing to occur in an isolated environment with no access to application resources or the host OS. Include all Python library dependencies in regular vulnerability scans using tools such as pip-audit or Safety. Define patch SLAs for high and critical severity dependency vulnerabilities and integrate dependency auditing into the CI/CD pipeline.