Hackthebox - Chemistry

(Updated: )
,

Chemistry

10.10.11.38
info-card

app.py

/home/app/app.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
app = Flask(__name__)
app.config['SECRET_KEY'] = 'MyS3cretCh3mistry4PP'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///database.db'
app.config['UPLOAD_FOLDER'] = 'uploads/'
app.config['ALLOWED_EXTENSIONS'] = {'cif'}

...

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        if User.query.filter_by(username=username).first():
            flash('Username already exists.')
            return redirect(url_for('register'))
        hashed_password = hashlib.md5(password.encode()).hexdigest()
        new_user = User(username=username, password=hashed_password)
        db.session.add(new_user)
        db.session.commit()
        login_user(new_user)
        return redirect(url_for('dashboard'))
    return render_template('register.html')

可知用户表存储在 sqlite 数据库中,下载 /home/app/instance/database.db 得到用户 rosa 的密码 MD5 Hash 63ed86ee9f624c7b14f1d4f43dc251a5
crackstation
可知用户凭据 rosa:unicorniosrosados
ssh-login
成功登陆用户 rosa

提权

pspy

pspy
看看 /opt
permission-denied
权限不足

linpeas.sh

CVEs

cves
均利用失败

Ports

ports
看看 8080 

1
$ ssh -L 8080:127.0.0.1:8080 [email protected]

8080-service
aiohttp-version
aiohttp/3.9.1 存在路径穿越漏洞,验证 CVE-2024-23334:
poc
只是读取 /root/root.txt 到这里就够了,接下来看看怎么获得 root shell
root_id_rsa
root-shell