🧪Chemistry

Start with some recon

[screenshots of the initial recon, 2025-02-14]

What is a .cif file?!

Come back with some fuzzing.

[screenshot of the fuzzing results]

Pretty much everything was discoverable simply by using the app... anyway.

Let's register and check if there's more.

We see a download example on the main page.

Another interesting piece of information is that the app runs Werkzeug 3.0.3; let's look for a Werkzeug 3.0.3 .cif upload vulnerability.

We found a good CVE blog post that could lead us somewhere; this is a malicious .cif example.

We change the URL and port in it and set up a listener to interact with it.

Set up the listener, upload the file, and...

There we go.
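From the defender's side, the takeaway of this step is that a file the web tier accepted was handed straight to a parser running as the service account. The following is an added example, not code from the target app or the writeup: a small upload gate plus a sandboxed parse step. The validation only filters junk (path tricks in the name, binary blobs, oversized files, no CIF data block); the real risk reduction comes from parsing untrusted input in a separate, time-limited process that cannot spawn children, so that a parser bug costs a worker rather than the web service. The size limit, timeout and the stand-in worker (which merely counts data_ blocks) are assumptions for the demo.

```python
import os
import re
import subprocess
import sys
from typing import List, Optional

# Hypothetical limits for the upload endpoint (not taken from the target app).
MAX_CIF_BYTES = 1 << 20          # 1 MiB is generous for a crystallographic file
PARSE_TIMEOUT_SECONDS = 5
CIF_DATA_BLOCK = re.compile(rb"^\s*data_\w+", re.M)


def validate_cif_upload(filename: str, data: bytes) -> List[str]:
    """Return the reasons to reject an upload; an empty list means it passed.

    These checks only cut down junk and obvious abuse; they do not make the
    parser itself safe, which is why parse_in_sandbox() exists below.
    """
    problems = []
    base = os.path.basename(filename)
    if base != filename or base.startswith(".") or not base.lower().endswith(".cif"):
        problems.append("filename must be a bare name ending in .cif")
    if len(data) > MAX_CIF_BYTES:
        problems.append("file exceeds size limit")
    if b"\x00" in data:
        problems.append("binary content in a text-only format")
    if not CIF_DATA_BLOCK.search(data):
        problems.append("no data_ block found")
    return problems


# Stand-in worker (constructed for the demo): a real deployment would call the
# actual CIF library here. It deliberately does nothing but count data_ blocks.
WORKER_SOURCE = r"""
import re, sys
data = sys.stdin.buffer.read()
print(len(re.findall(rb"^\s*data_\w+", data, re.M)))
"""


def _limit_worker():
    """preexec hook: cap CPU time and forbid the worker from forking children."""
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_CPU, (PARSE_TIMEOUT_SECONDS, PARSE_TIMEOUT_SECONDS))
        resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))
    except (ImportError, ValueError, OSError):
        pass  # non-POSIX platform, or the limit cannot be lowered here


def parse_in_sandbox(data: bytes) -> Optional[int]:
    """Parse untrusted CIF data in a separate, time-limited, child-less process.

    Returns the worker's result, or None if it crashed or ran out of time.
    """
    kwargs = {"preexec_fn": _limit_worker} if os.name == "posix" else {}
    try:
        result = subprocess.run(
            [sys.executable, "-I", "-c", WORKER_SOURCE],   # -I: isolated mode
            input=data,
            capture_output=True,
            timeout=PARSE_TIMEOUT_SECONDS,
            **kwargs,
        )
    except subprocess.TimeoutExpired:
        return None
    if result.returncode != 0:
        return None
    return int(result.stdout.strip() or 0)


if __name__ == "__main__":
    # Constructed sample upload
    sample = b"data_demo\n_cell_length_a 5.43\n"
    print("validation problems:", validate_cif_upload("demo.cif", sample))
    print("blocks parsed in sandbox:", parse_in_sandbox(sample))
```

The worker would normally also run as a dedicated low-privilege user with no network, which the demo cannot show portably; the point is that the web process never imports the parser into its own address space.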

We're just a service account, so we still need to pivot to the actual user; let's look around.

Found a SQLite database.

Let's crack the hash and see if this password is still in use.

There we go. Let's look around for something useful for privesc.

There's an open socket that we can't reach from outside; let's forward it to our local machine and see what it is.

OK, it's a custom (?) Python app; a bit of scanning to see more.

It uses aiohttp 3.9.1; I wonder if there's a vulnerability associated with that version.

of course.

$ python3 exploit.py -u [url] -f [file] -d [static directory]

So we need a static directory; let's fuzz a bit to see if something useful comes up.

Nice, let's use this.

And it worked quite well.
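The defensive lesson from the static-directory step is that serving files "under" a directory needs a containment check that survives both `..` segments and symlinks. aiohttp's static route has a `follow_symlinks` option that defaults to off; the writeup does not say how this app was configured. Below is an added example, not the app's or aiohttp's code, contrasting a check that looks right (prefix test on `abspath`) with one that resolves symlinks and compares real paths. The directory layout it builds in a temporary folder is constructed for the demo.

```python
import os
import posixpath
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def naive_static_path(root: str, request_path: str) -> Optional[str]:
    """The check that looks right but isn't: a string-prefix test on abspath().

    Two gaps: "/srv/static_old/x" starts with "/srv/static", and abspath()
    does not resolve symlinks, so a link inside root may point anywhere.
    """
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, unquote(request_path).lstrip("/")))
    if not candidate.startswith(root_abs):
        return None
    return candidate if os.path.exists(candidate) else None


def hardened_static_path(root: str, request_path: str) -> Optional[str]:
    """Decode once, normalise, resolve symlinks, then require a real regular
    file whose real path is strictly inside the real root."""
    root_real = os.path.realpath(root)
    rel = posixpath.normpath("/" + unquote(request_path)).lstrip("/")
    candidate = os.path.join(root_real, *rel.split("/")) if rel else root_real
    target = os.path.realpath(candidate)
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target if os.path.isfile(target) else None


def build_demo_tree() -> str:
    """Constructed layout: <tmp>/static is the served root; everything else must stay hidden."""
    tmp = tempfile.mkdtemp(prefix="static-demo-")
    root = os.path.join(tmp, "static")
    os.makedirs(root)
    os.makedirs(os.path.join(tmp, "static_old"))
    with open(os.path.join(root, "app.js"), "w") as f:
        f.write("console.log('public asset');\n")
    with open(os.path.join(tmp, "static_old", "secret.txt"), "w") as f:
        f.write("sibling directory, outside the served root\n")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("parent directory, outside the served root\n")
    # A symlink inside the root that points outside it: the follow-symlinks trap.
    os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "escape"))
    return root


# Constructed requests: one legitimate asset, one sibling-directory escape,
# one symlink escape.
REQUESTS = ["app.js", "../static_old/secret.txt", "escape"]


def run_demo() -> Dict[str, Dict[str, bool]]:
    """For each checker, map request -> True if it would be served."""
    root = build_demo_tree()
    checkers = (("naive", naive_static_path), ("hardened", hardened_static_path))
    return {name: {req: fn(root, req) is not None for req in REQUESTS}
            for name, fn in checkers}


if __name__ == "__main__":
    for name, served in run_demo().items():
        print(name, served)
```

Running it shows the naive checker serving all three requests and the hardened one serving only `app.js`. The ordering matters: decode once, normalise, then `realpath` on both sides, and compare with `commonpath` rather than `startswith`.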

Crack it with hashcat in dictionary mode (-a 0; mode 1800 is sha512crypt):

hashcat -a 0 -m 1800 unshadow.txt /usr/share/seclists/Passwords/darkc0de.txt

SSH in as root and we have the flag. ALTERNATIVE: we could have exfiltrated root's id_rsa and used it to SSH in directly.
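Both credential steps in this box (the application hash pulled from SQLite and the sha512crypt hash from the shadow file) fell to a wordlist, which is the pattern a defender should be auditing for. The following is an added example, not part of the writeup: a small classifier that recognises common hash formats, maps them to the hashcat mode a cracker would use (1800 for sha512crypt, as in the command above), and flags what is unsalted, fast, or left at the glibc default cost. The sample records are constructed; the hash bodies are filler of the right length, except the MD5 of "password", which is the textbook value.

```python
import re
from typing import Dict, List

HEX = re.compile(r"^[0-9a-f]+$", re.I)

# Constructed records: two shadow-style rows (as unshadow would emit them),
# one locked system account, and two rows as dumped from an app's SQLite
# users table. Hash bodies are filler of the correct length.
SAMPLE_RECORDS = [
    "root:$6$rounds=5000$demoSalt$" + "A" * 86 + ":19600:0:99999:7:::",
    "backup:$y$j9T$demoSaltdemoSalt$" + "B" * 43 + ":19600:0:99999:7:::",
    "daemon:*:19600:0:99999:7:::",
    "admin,5f4dcc3b5aa765d61d8327deb882cf99",
    "carlos,$2b$12$" + "C" * 53,
]


def classify_hash(h: str) -> Dict[str, object]:
    """Identify the scheme and say whether a wordlist attack is cheap against it."""
    h = h.strip()
    if h.startswith("$6$") or h.startswith("$5$"):
        m = re.search(r"\$rounds=(\d+)\$", h)
        rounds = int(m.group(1)) if m else 5000          # glibc default when absent
        sha512 = h.startswith("$6$")
        return {"scheme": "sha512crypt" if sha512 else "sha256crypt", "salted": True,
                "hashcat_mode": 1800 if sha512 else 7400, "rounds": rounds,
                "weak": rounds <= 5000}                   # cost never raised above default
    if h.startswith("$1$"):
        return {"scheme": "md5crypt", "salted": True, "hashcat_mode": 500, "weak": True}
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return {"scheme": "bcrypt", "salted": True, "hashcat_mode": 3200, "weak": False}
    if h.startswith("$y$") or h.startswith("$argon2"):
        return {"scheme": "yescrypt/argon2", "salted": True, "weak": False}
    if HEX.match(h) and len(h) in (32, 40, 64):
        name = {32: "md5-raw", 40: "sha1-raw", 64: "sha256-raw"}[len(h)]
        mode = {32: 0, 40: 100, 64: 1400}[len(h)]
        # Unsalted and fast: a dictionary run and rainbow tables both apply.
        return {"scheme": name, "salted": False, "hashcat_mode": mode, "weak": True}
    return {"scheme": "unknown", "salted": None, "weak": None}


def audit_records(records: List[str]) -> List[Dict[str, object]]:
    """Accept 'user:hash:...' or 'user,hash' rows; return the flagged entries."""
    findings = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[:,]", line)
        user, h = parts[0], (parts[1] if len(parts) > 1 else "")
        if h in ("", "*", "!", "!!") or h.startswith("!"):
            continue                                      # locked or passwordless entry
        info = classify_hash(h)
        if info["weak"]:
            findings.append({"user": user, **info})
    return findings


def weak_users(records: List[str]) -> List[str]:
    """Sorted usernames whose stored hash is cheap to attack offline."""
    return sorted(f["user"] for f in audit_records(records))


if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f"{f['user']}: {f['scheme']} (hashcat -m {f.get('hashcat_mode', '?')})")
```

On the constructed sample this flags `root` (sha512crypt at the default 5000 rounds) and `admin` (raw MD5), and leaves the yescrypt and bcrypt entries alone; in practice the fix is a modern KDF for application passwords and a raised cost (or yescrypt) in the system's password policy, plus not leaving reusable passwords in application databases at all.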
