HackTheBox - Chemistry Writeup
Chemistry is an easy Hack The Box Linux machine highlighting RCE in the pymatgen library (CVE-2024-23346) via a malicious CIF file upload. Cracked credentials allow SSH access as rosa. Privilege escalation is achieved by exploiting a path traversal in aiohttp (CVE-2024-23334) for arbitrary file read, revealing the root flag.
ssh-port-forward sqlite-dump CVE-2024-23346 CVE-2024-23334 aiohttp-3.9.1 crackstation lfi rce cif-file