No it isn’t. Where do I put it? I’ve been moving it around for a while. Are you on Discord?
Is there any hint for the root user? I can see multiple CVEs but am not able to exploit them. Any hint would be much appreciated.
I’m trying to use the CVE-2024-23334-PoC; you can check that on GitHub and possibly see a hint.
How did you identify this CVE? It was not mentioned in my lin*** scan report.
You will have to port forward the :5000 and access the page, there will be a visible vulnerability in the headers of the requests, you will be able to exploit that vulnerability very easily to find root.txt and no machine access is needed at that point whatsoever. No privilege escalation either…
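From the defender’s side, the thing to look for in the web logs of that service is a request to the static route whose path, once decoded and normalised, no longer sits under the static root. The check below is an added example and not code from anyone’s post in this thread; the access-log lines are constructed, and the `/assets/` route and the `:5000` service are assumptions taken from the hints above.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the thread).
# The /assets/ static route is an assumption based on the hints above.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/style.css HTTP/1.1" 200 1024
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /assets/../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "GET /assets/%2e%2e/%2e%2e/root/root.txt HTTP/1.1" 200 33
10.10.14.5 - - [01/Jan/2025:10:00:04 +0000] "GET /assets/img/../logo.png HTTP/1.1" 200 512
"""

STATIC_PREFIX = "/assets/"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def escapes_static_root(raw_path: str, prefix: str = STATIC_PREFIX) -> bool:
    """True when the decoded, normalised request path resolves outside `prefix`."""
    # Drop the query string, then undo single and double percent-encoding
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    if not path.startswith(prefix):
        return False  # not a static-route request; out of scope for this check
    # posixpath.normpath collapses "." and ".." segments, including past the root
    normalised = posixpath.normpath(path)
    return not normalised.startswith(prefix)


def suspicious_requests(log_text: str) -> list:
    """Return the raw request paths in `log_text` that escape the static root."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and escapes_static_root(match.group("path")):
            hits.append(match.group("path"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("traversal outside static root:", hit)
```

Note that `/assets/img/../logo.png` is not flagged: normalising it still lands inside the static root, so the check only fires on paths that actually leave it.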
Nice box. My thoughts:
- Foothold was frustrating, but only because I saw immediately what I needed to do but could not get any payloads to work.
I could successfully execute commands on the target but none of the potential reverse shells I tried to spawn would execute successfully. After looking in the forum here I noticed someone pointing to a particular web site and, after trial and error, found a reverse shell command that worked. I don’t know that I would have ever found that on my own.
- User flag was very easy. I found the file, immediately pulled out the strings I needed and noticed a user account I’d created was listed. I knew what password I’d used when I made the account and a quick
echo -n [password] | [another program]
confirmed my suspicions about how passwords were saved. I could have gotten the user creds without understanding this but I liked that I noticed right away how passwords worked in that app.
- Root was a little frustrating again…and again because I saw so clearly what I needed to do but could not get the exploit to trigger, even after enumerating, because of a faulty assumption I was making. After some testing and thinking, “Well, it probably won’t work but I’ll try it anyway,” … it worked. Instead of just immediately grabbing the root flag, which I could have done here, I decided to enumerate a bit more and very quickly found what I needed to securely get a root shell.
So, yeah, some frustrations, but some nice discoveries along the way.
Satisfaction… sips
Thanks all for the foothold tips. Definitely would not have been able to exploit that on my own.
Root was easier thanks to a technique I learned doing Sea and then going back to basics after performing it.
I tried browsing into the parent directory but all the time it’s 404.
How do you exploit the vulnerability?
Just use whatweb to analyze the web app that is listening and check the technology versions; you only need to forward the port.
Anyone have issues with the website not redirecting? I am able to get through most of it by stopping the page and refreshing to load it but after uploading the file I am unable to get to where I assume I can click “view” for the file.
same here
I figured out how to format the reverse shell script but when I hit v***, it takes a bit and then 500s. Can someone please help me out?
Check your firewalls
revshells.com has a GET-based API where you can obtain each payload: if you click on the Raw button at the bottom of the screen on any payload, you’ll see how it works.
After this box, I might consider putting together a script for it…
Man, I’m struggling to get the foothold. I’m trying different shell commands for the payload and nothing is happening for me. I was able to execute a ping command so the PoC seems to be working, but it’s these shells that aren’t. Even the BusyBox one. Any tips?
You don’t need to use the example file. The PoC file with the correct payload works as well.
How were you able to find assets? Given that port forwarding kept getting blocked, fuzzing was super troublesome; any tips on how to go about finding the right directory without it are appreciated!
Having issues, below is hidden for spoilers.
Got into the DB but trying to open it in NC with the sq----- command is breaking the terminal.
I can input stuff but the command doesn’t do anything.
I’ve restarted the VPN/VM I’m using and the Chemistry machine itself.
I’ve also tried a couple of different variations (options) of listening before I connect and nothing’s working.
I’m pretty much brand new to this and have spent the last 7 hours on this, the time suddenly hit 4am and now my brain is fried.
Wouldn’t be possible without this forum, especially the foothold.
This is my 2nd machine pwned.
Thank you all!