
Chemistry Hack the Box Walkthrough

Welcome to another Hack the Box exercise. In this walkthrough, I have documented how I pwned the Chemistry machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cybersecurity jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel (https://www.youtube.com/@BoltechTechnologies1) and follow me on LinkedIn (https://www.linkedin.com/in/isiaq-ibrahim-468588156/) for more updates.


About the Machine

Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen Python library (CVE-2024-23346), triggered by uploading a malicious CIF file to the CIF Analyzer website hosted on the target. After discovering and cracking hashes, we authenticate to the target via SSH as the user rosa. For privilege escalation, I exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in the AioHTTP Python library (CVE-2024-23334), which is used by a web application running internally, to read the root flag.

Chemistry Hack the Box Walkthrough

As in my previous posts, the first step in solving a machine is connecting the Kali Linux terminal to the Hack the Box server: log into your HTB account, navigate to "Machines" and select the machine you want to pwn. In this case, I selected "Chemistry", downloaded the lab access file and renamed it to chemistry.ovpn.

I like doing this because it allows me to keep track of all the files I download on my Linux system, and also for simplicity (keeping the name as short as possible). After the file was downloaded, I created a directory "ChemistryHTB" on my desktop and moved the file into it. Then I opened a new terminal and ran the following command to connect my terminal to the HTB server:
