Official Chemistry Discussion

This exploit allows files to be read by triggering the application’s payload. Set the appropriate port and payload folder, and search the folders. I had a problem with this too. I didn’t think about it… Sometimes it’s better to figure it out yourself than to look for ready-made solutions…
Search the internet for how the exploit works and you will understand what the vulnerability is.

Took me all day but I finally got the user flag. The help on here and a little bit of thinking outside the box helped me. Now struggling to get the escalation working…

Finally got the root. For those struggling, read the comments in here that other people have left, that is what I used to hack my way through.

1 Like

Could you please help me with gaining root access, or with curling past the assets folder? I tried fuzzing and LFI but keep getting 403 and 404 return codes. Thanks in advance!

Look on GitHub and there are a few that will work. All I can say is play with the URL, as that is what caught me out.

Thanks for answering! I just figured it out by myself; it turned out I didn’t SSH correctly to the internal port (I was using the wrong port, one that was already in use). After that the payload worked perfectly.

For the root flag, is there a way to gain command execution? I can only read files arbitrarily, not execute commands.

id_rsa

Rooted it after a few hours. It is not as hard as it seems, just have to stay persistent. If anybody needs a nudge to the right direction feel free to message me.

Rooted and I have a question:

Why can the user app not access localhost:8080?
Are there any settings that do this?

First ever HTB machine done and dusted :slight_smile:

1 Like

Forward the port locally. It is written above in the answers how to do it.

I have already rooted this machine.
But I don’t know why the following happens.
When I execute the command curl localhost:8000 in app’s shell, the result is
curl: (7) Failed to connect to localhost port 8000: Connection refused
But when I execute the same in rosa’s shell, a successful response is returned.

I don’t think the HTTP request contains the username (app or rosa).
So I wonder how this access control works.

Sorry for the lack of explanation.

If you write that in app’s shell, you will be connecting to your own machine. The error is the result of a closed port 8000 on your localhost. Doing the same in rosa’s shell returns a successful response because the Chemistry port is open.
Your 127.0.0.1 is not the same as Chemistry’s 127.0.0.1.

The app does not provide root access. It only loads access to some of its resources on a DDoS basis. You do everything from Rosa.

If I didn’t understand the question: forward the port locally using netstat. Above, I asked a question about how to use it and received an answer.
Although I didn’t have to do it, even after restarting the machine.

If you add the -i flag, you will see the name app in the site’s headers.

If you write that in app’s shell, you will be connecting to your own machine. The error is the result of a closed port 8000 on your localhost. Doing the same in rosa’s shell returns a successful response because the Chemistry port is open.

I ran the curl command on the remote host. So 127.0.0.1 means the target machine.

I only want to know how the machine controls access to port 8000.

As I wrote: you are sending a request from the rosa account with curl -i localhost:8000 (although, as far as I remember, it was a slightly different port). In the header you will have app. Read about it and you will understand why it works after logging in and not from the reverse shell.

How are we supposed to know to use a “certain” reverse shell? Is there an indication for the host OS from enumerating the web application? I couldn’t find any. I figured out which shell to use by reading this forum lol.

I solved the question myself.

There is a setting for port 8080 in /etc/iptables/rules.v4:

root@chemistry:/# cat /etc/iptables/rules.v4 
# Generated by iptables-save v1.8.4 on Tue Jun 18 19:33:14 2024
*filter
:INPUT ACCEPT [16:792]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1368]
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jun 18 19:33:14 2024

Due to this setting, outgoing requests from the user app, whose uid is 1001, are rejected.

Thanks for replying!

2 Likes
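The post above shows the mechanism: an iptables OUTPUT rule with the owner match rejects TCP to port 8080 only when the sending process runs as uid 1001. The script below is an added example (not code from the thread or from the machine) that parses iptables-save output, such as /etc/iptables/rules.v4, and reports which outgoing ports are blocked for a given uid. The rule text is a constructed copy of the one quoted above, and the function names (parse_rules, blocked_ports, first_blocking_rule) are my own. It goes slightly beyond the single rule on the page by also handling DROP targets and uid or port ranges, which is what you would want when checking a foothold user against a whole ruleset.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the rules.v4 excerpt quoted in the thread.
RULES_V4 = """# Generated by iptables-save v1.8.4 on Tue Jun 18 19:33:14 2024
*filter
:INPUT ACCEPT [16:792]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1368]
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jun 18 19:33:14 2024
"""

Range = Tuple[int, int]


@dataclass
class Rule:
    table: str
    chain: str
    proto: Optional[str]
    uid_owner: Optional[Range]   # inclusive uid range from --uid-owner, None if absent or a name
    dport: Optional[Range]       # inclusive port range from --dport, None if absent
    target: Optional[str]        # -j target (ACCEPT, REJECT, DROP, ...)
    raw: str


def _parse_range(value: str) -> Optional[Range]:
    """'8080' -> (8080, 8080); '8000:8100' or '1000-1005' -> (lo, hi).
    Returns None for names (e.g. --uid-owner app), which would need the
    target's /etc/passwd to resolve."""
    try:
        for sep in (":", "-"):
            if sep in value:
                lo, hi = value.split(sep, 1)
                return int(lo), int(hi)
        return int(value), int(value)
    except ValueError:
        return None


def parse_rules(text: str) -> List[Rule]:
    """Parse '-A CHAIN ...' lines from iptables-save output into Rule objects."""
    rules: List[Rule] = []
    table = "filter"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(":") or line == "COMMIT":
            continue
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain = toks[1]
        proto = target = None
        uid = dport = None
        i = 2
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t in ("-p", "--protocol") and nxt:
                proto, i = nxt, i + 2
            elif t == "--uid-owner" and nxt:
                uid, i = _parse_range(nxt), i + 2
            elif t in ("--dport", "--destination-port") and nxt:
                dport, i = _parse_range(nxt), i + 2
            elif t in ("-j", "--jump") and nxt:
                target, i = nxt, i + 2
            else:
                i += 1                     # skip tokens we do not model (-m, --reject-with, ...)
        rules.append(Rule(table, chain, proto, uid, dport, target, line))
    return rules


def _in(r: Optional[Range], v: int) -> bool:
    return r is not None and r[0] <= v <= r[1]


def first_blocking_rule(rules: List[Rule], uid: int, port: int) -> Optional[Rule]:
    """First OUTPUT rule in the filter table that REJECTs or DROPs this uid to this port."""
    for r in rules:
        if (r.table == "filter" and r.chain == "OUTPUT"
                and r.target in ("REJECT", "DROP")
                and _in(r.uid_owner, uid) and _in(r.dport, port)):
            return r
    return None


def blocked_ports(rules: List[Rule], uid: int, ports=range(1, 65536)) -> List[int]:
    """All ports in `ports` that the given uid cannot reach via OUTPUT."""
    return [p for p in ports if first_blocking_rule(rules, uid, p) is not None]


if __name__ == "__main__":
    rs = parse_rules(RULES_V4)
    for uid in (1000, 1001):
        print(f"uid {uid}: blocked outgoing ports {blocked_ports(rs, uid, range(8000, 8101))}")
    hit = first_blocking_rule(rs, 1001, 8080)
    print("matching rule:", hit.raw if hit else None)
```

Run it on the target with `iptables-save` piped into a file (or, as in the thread, on /etc/iptables/rules.v4 once you can read it) to see why a curl from the app account fails while the same request from rosa succeeds: the owner match keys on the sending process's uid, not on anything in the HTTP request.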

Can you help me please? I tried many payloads with the LFI exploit but I can’t find anything other than the shadow and passwd files, which are useless.

Edit:
Yessssssssssssssssss, I finally succeeded, I am an idiot!! :laughing::star_struck:

1 Like

You have a root? o,O Wow. I used a different vulnerability. :wink: