Chemistry
Application discovery, CIF abuse, database inspection, and a forwarded dashboard path.
Hello. I’m Shrijesh Pokharel. Here is my Chemistry - HackTheBox writeup.
A network scan exposes ports 5000 and 22. The web app requires registration, and after clicking through to the next page I could download a CIF file for closer inspection.
I modified the CIF input and used the vulnerability path to obtain a shell as app@chemistry. From there I explored instance/database.db with SQLite, found user details, and cracked the password for rosa.
SSH access as rosa gave me the user flag. Later, linpeas highlighted an internal service on port 8080, so I forwarded it locally with SSH and inspected the dashboard from my browser.
That path led into a path-traversal style exploit against the local service, which exposed root.txt and completed the machine.
Key sequence: nmap -sC -sV → CIF inspection → shell as app → sqlite3 database.db → crack rosa → ssh rosa → ssh -L 8080 → path traversal