This walkthrough covers the Chemistry machine. The chain moves from web app abuse to local enumeration, then privilege escalation via a vulnerable local service.
Recon
Initial scan showed:
- 22/tcp: OpenSSH
- 5000/tcp: Flask/Werkzeug web app
The web app was Chemistry CIF Analyzer, with registration/login and CIF file upload functionality.
Initial foothold (CIF parser abuse)
After testing CIF upload behavior, I found that malicious content in CIF fields could trigger code execution during parsing.
Using a crafted CIF payload in _space_group_magn.transform_BNS_Pp_abc, I executed a reverse shell and gained command execution as the app user.
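From the defender's side, the lesson of this foothold is that an upload feature handed a scientific format to a parser that interprets some fields as expressions. The following is an added example, not code from the machine or from this write-up: a small CIF reader plus a pre-parse gate that enforces a strict shape on the value of the field named above before the file ever reaches the real parser. The allowed shape ("a,b,c;0,0,0" style transformation strings), the size limit and the sample files are assumptions I constructed for the illustration.

```python
import re
from typing import Dict, List

# Tag whose value the write-up identifies as the injection point. The server-side
# parser treats it as a symmetry transformation string, so the defensive move is to
# enforce the shape such a string is allowed to have before the file reaches it.
TRANSFORM_TAGS = {"_space_group_magn.transform_BNS_Pp_abc"}

# Assumption: a legitimate transformation string looks like "a,b,c;0,0,0" or
# "-b,a,c;0,0,1/2": three axis expressions, a ';', then three numeric offsets.
_AXIS = r"[abc0-9+\-*/ ]+"
_OFF = r"[0-9+\-*/. ]+"
TRANSFORM_RE = re.compile(rf"^{_AXIS},{_AXIS},{_AXIS};{_OFF},{_OFF},{_OFF}$")

# CIF tokens: single/double quoted strings, '#' comments, or bare words.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|#.*|\S+")


def tokenize(text: str) -> List[str]:
    """Split CIF text into value tokens, handling ';' delimited text fields."""
    tokens: List[str] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(";"):  # multi-line text field runs until the next ';' line
            buf = [line[1:]]
            i += 1
            while i < len(lines) and not lines[i].startswith(";"):
                buf.append(lines[i])
                i += 1
            tokens.append("\n".join(buf).strip())
            i += 1  # skip the closing ';'
            continue
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            if tok.startswith("#"):
                break  # rest of the line is a comment
            if tok[0] in "'\"" and len(tok) >= 2 and tok[-1] == tok[0]:
                tok = tok[1:-1]  # strip matching quotes
            tokens.append(tok)
        i += 1
    return tokens


def _is_keyword(tok: str) -> bool:
    low = tok.lower()
    return tok.startswith("_") or low == "loop_" or low.startswith("data_")


def parse_cif(text: str) -> Dict[str, List[str]]:
    """Map each data name to its values (one per loop_ row, or a single value)."""
    items: Dict[str, List[str]] = {}
    toks = tokenize(text)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t.lower() == "loop_":
            i += 1
            tags: List[str] = []
            while i < len(toks) and toks[i].startswith("_"):
                tags.append(toks[i])
                i += 1
            col = 0  # loop rows are assigned to the header tags in turn
            while tags and i < len(toks) and not _is_keyword(toks[i]):
                items.setdefault(tags[col], []).append(toks[i])
                col = (col + 1) % len(tags)
                i += 1
        elif t.startswith("_"):
            if i + 1 < len(toks) and not _is_keyword(toks[i + 1]):
                items.setdefault(t, []).append(toks[i + 1])
                i += 2
            else:
                i += 1  # tag without a value
        else:
            i += 1  # data_ block headers and stray tokens
    return items


def validate_cif(text: str, max_bytes: int = 200_000) -> List[str]:
    """Return the reasons to reject the upload; an empty list means it passed."""
    problems: List[str] = []
    if len(text.encode("utf-8")) > max_bytes:
        return [f"file exceeds {max_bytes} bytes"]
    items = parse_cif(text)
    for tag in TRANSFORM_TAGS:
        for value in items.get(tag, []):
            if not TRANSFORM_RE.fullmatch(value):
                problems.append(f"{tag}: value is not a plain transformation string: {value!r}")
    return problems


# Constructed sample uploads (not files from the machine).
GOOD_CIF = """\
data_constructed_sample
_cell_length_a   5.431(2)
_cell_length_b   5.431(2)
_symmetry_space_group_name_H-M   'P 1'
_space_group_magn.transform_BNS_Pp_abc   'a,b,c;0,0,0'
loop_
_atom_site_label
_atom_site_fract_x
Si1 0.0
Si2 0.25
"""
BAD_CIF = GOOD_CIF.replace("'a,b,c;0,0,0'", "'a,b,c;0,0,0 and [other tokens]'")

if __name__ == "__main__":
    for name, cif in (("good", GOOD_CIF), ("bad", BAD_CIF)):
        print(name, validate_cif(cif) or "accepted")
```

The check is deliberately an allow-list on value shape rather than a search for known-bad substrings: a field that is only ever supposed to hold axis permutations and offsets has no reason to carry anything else, and rejecting on shape does not depend on guessing what the downstream parser will evaluate.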
App and credential discovery
On the target, app.py revealed:
- Flask app configuration
- SQLite backend at sqlite:///database.db
- User data in a local DB under the instance directory
I dumped the user table and recovered multiple password hashes.
Credential access and SSH pivot
One hash was crackable (rosa), yielding a valid SSH password.
After SSH login as rosa, I confirmed user access and captured user.txt.
Privilege escalation path
linpeas showed an internal-only service on 127.0.0.1:8080.
A local curl check identified Python/3.9 aiohttp/3.9.1.
That version was vulnerable to path traversal behavior (CVE-2024-23334 class issue).
Using curl --path-as-is, I read sensitive files through traversal and retrieved root.txt.
Example pattern:
curl -s --path-as-is "http://localhost:8080/assets/../../../../../root/root.txt"
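The real fix for the service is upgrading the vulnerable framework version, but two things a defender can do independently of that are worth showing: spot traversal attempts in access logs, and make the application's own static-file handler refuse anything that resolves outside its root. The following is an added example in the app's language, not code from aiohttp, the machine or this write-up. The /assets/ prefix, the static directory and the log lines are constructed assumptions.

```python
import posixpath
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumptions: the internal service maps URLs under /assets/ onto this directory.
STATIC_PREFIX = "/assets/"
ASSET_ROOT = Path("/opt/app/static")

# Constructed access-log lines in common log format (not logs from the machine).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /assets/app.css HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2025:10:00:01 +0000] "GET /assets/../../../../../root/root.txt HTTP/1.1" 200 33
127.0.0.1 - - [01/Jan/2025:10:00:02 +0000] "GET /assets/%2e%2e/%2e%2e/app/app.py HTTP/1.1" 200 1300
127.0.0.1 - - [01/Jan/2025:10:00:03 +0000] "GET /assets/img/../logo.png HTTP/1.1" 200 2048
127.0.0.1 - - [01/Jan/2025:10:00:04 +0000] "GET /login HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_url_path(raw: str) -> str:
    """Drop the query string, percent-decode twice (to catch double encoding),
    and collapse '.' and '..' segments the way the filesystem would."""
    path = raw.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return posixpath.normpath(decoded)


def escapes_static_root(raw: str, prefix: str = STATIC_PREFIX) -> bool:
    """True when a request routed to the static handler resolves outside it."""
    if not raw.startswith(prefix):
        return False  # not a static request; not this check's concern
    norm = normalize_url_path(raw)
    return not (norm == prefix.rstrip("/") or norm.startswith(prefix))


def safe_resolve(raw: str, root: Path = ASSET_ROOT,
                 prefix: str = STATIC_PREFIX) -> Optional[Path]:
    """Server-side containment: map the URL onto a file under `root`, or return
    None. Resolving symlinks first and then testing containment is what holds
    up regardless of how the path was encoded or which '..' tricks were used."""
    if not raw.startswith(prefix):
        return None
    rel = unquote(unquote(raw.split("?", 1)[0]))[len(prefix):]
    root_resolved = root.resolve()
    target = (root_resolved / rel).resolve()  # an absolute `rel` replaces root, and fails below
    if target == root_resolved or root_resolved in target.parents:
        return target
    return None


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, status) for requests that climbed out of the static root."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and escapes_static_root(m.group("path")):
            hits.append((m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    for path, status in scan_log(SAMPLE_LOG):
        print(f"traversal outside {STATIC_PREFIX}: {path} (status {status})")
```

Note that the log scan flags only requests that end up outside the static root, so "/assets/img/../logo.png" is left alone while encoded and double-encoded variants are caught; a 200 status on a flagged line is the signal that the server actually served the file, which is exactly the case the write-up describes.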
Key takeaways
- Treat file parsing features as high-risk attack surface, especially complex scientific formats.
- Never store password hashes or secrets where compromised app users can read them directly.
- Internal services are part of the attack surface; localhost-only is not a complete defense.
- Patch vulnerable framework versions quickly, including dependencies not directly internet-facing.