Hack The Box: Chemistry CTF Walkthrough & Solution Guide

Posted on April 1, 2025 by Pho3n1x

Unlock the Hack The Box Chemistry CTF with our step-by-step walkthrough. Learn hacking techniques and solve complex challenges to boost your cybersecurity skills!

Table of Contents

  • 1. Introduction
  • 2. Concept Explanation (Pathophysiology Equivalent)
    • 2.1 Understanding the Core Vulnerabilities
      • Local File Inclusion (LFI): The Sneaky Backdoor
      • Privilege Escalation via Misconfigured Sudo Permissions
    • 2.2 Why Learning This Matters
      • LFI and Web Security
      • CTF as a Hands-On Learning Tool
      • The Ethics of Hacking
  • 3. Causes & Risk Factors – Why is This Machine Vulnerable?
    • 3.1 Web Application Misconfigurations
      • How Poor Input Validation Leads to LFI
      • Risks of Exposing Sensitive Files via Directory Traversal Attacks
    • 3.2 System Privilege Issues
      • How a Misconfigured Sudo Binary (tar) Allows Privilege Escalation
      • Why Least Privilege Principles Are Crucial for Security
    • 3.3 Attack Surface – Why Target This?
      • The Role of Port Scanning, Directory Fuzzing, and Enumeration
      • How Attackers Chain Multiple Weaknesses for a Full Compromise
  • 4. Tools & Setup (Investigations Equivalent – Why We Use These Tools)
    • Why These Tools?
  • 5. Attack Execution (Assessment Equivalent – Step-by-Step Exploit Process)
    • 5.1 Initial Reconnaissance – Identifying Weaknesses
      • Nmap Scan – Finding Open Ports and Services
      • Gobuster – Hunting for Hidden Directories
    • 5.2 Exploiting Local File Inclusion (LFI)
      • Extracting Sensitive Files to Find Credentials
    • 5.3 Gaining Initial Access – Exploiting System Weaknesses
    • 5.4 Privilege Escalation – Exploiting Misconfigured Tar Permissions
      • Why This Works
      • Achieving Root Access and Capturing the Flag
  • 6. Defense & Mitigation (Treatment – How to Fix These Issues)
    • Why This Matters
  • 7. Ethical Considerations & Legal Implications
    • Importance of Ethical Hacking and Responsible Disclosure
    • Legal Consequences of Unauthorized Hacking
    • How Organizations Can Use CTF Challenges to Train Cybersecurity Teams
  • 8. Conclusion – Key Takeaways from Chemistry Walkthrough
    • Importance of Reconnaissance Before Attacking
    • Chaining Multiple Vulnerabilities
    • Real-World Application
    • Future Learning Paths
    • Final Thoughts: CTF Challenges Bridge the Gap Between Theory and Practice

1. Introduction

Hacking isn’t just about breaking into systems—it’s about understanding how they work so you can defend or exploit them. If you’re a student, wannabe hacker, or script kiddie, CTF (Capture The Flag) challenges provide the fastest, most hands-on way to learn ethical hacking.

One of the best platforms for these challenges is Hack The Box (HTB), where vulnerable machines simulate real-world security flaws. Today, we’ll explore Chemistry, a medium-difficulty machine that tests your knowledge of Local File Inclusion (LFI) and privilege escalation via misconfigured sudo permissions.

By the end of this walkthrough, you’ll know:

  • How LFI works and why it’s dangerous
  • How privilege escalation can turn a small vulnerability into complete system control
  • How to exploit and defend against these weaknesses

So, put on your hacker mindset, grab your terminal, and let’s dive into the real science of hacking.

2. Concept Explanation (Pathophysiology Equivalent)

2.1 Understanding the Core Vulnerabilities

Before we exploit Chemistry, let’s understand why it’s vulnerable—just like a doctor needs to know a disease before treating it.

Local File Inclusion (LFI): The Sneaky Backdoor

LFI occurs when a web application allows users to include files without properly validating inputs. This vulnerability can be exploited to read system files, leak credentials, and even gain remote code execution.

Here’s an example:
A website has a URL like this:

http://target.com/index.php?page=about.html

If it’s vulnerable to LFI, an attacker can modify it to:

http://target.com/index.php?page=../../../../etc/passwd

Now, instead of showing the about page, it dumps the passwd file containing system users.

Real-World Example:
Cisco’s Webex had a similar vulnerability (CVE-2018-0114), allowing attackers to read arbitrary files on servers.

Privilege Escalation via Misconfigured Sudo Permissions

After getting an initial foothold, escalating privileges is key. Chemistry allows a low-privilege user to run tar with sudo privileges, which we can abuse to gain root access.

The vulnerability lies in the --checkpoint-action option in tar, which lets us execute arbitrary commands as root.

Think of it like this:

  • Regular user = Peasant
  • Root user = King
  • Misconfigured sudo permissions = A secret backdoor to the throne

By abusing tar, we can turn our peasant user into the king of the system.

Real-World Example:
Weak sudo configurations have been exploited in real Linux servers, allowing attackers to escalate privileges and gain full system control.

2.2 Why Learning This Matters

LFI and Web Security

Many real-world web attacks start with LFI because it provides unauthorized access to system files. If you’re a penetration tester, security analyst, or web developer, understanding LFI is crucial for identifying and patching these vulnerabilities.

CTF as a Hands-On Learning Tool

Would you become a doctor by just reading books? No. You need practical experience. The same applies to cybersecurity.

CTFs offer a safe, legal way to practice real hacking techniques so you can:
✅ Build hacking skills quickly
✅ Learn how attackers think
✅ Prepare for real-world cybersecurity jobs

The Ethics of Hacking

Breaking into systems is illegal, but learning how to do it the right way makes you a valuable security expert. Companies pay ethical hackers to find and fix security flaws, making hacking a lucrative and legal career.

3. Causes & Risk Factors – Why is This Machine Vulnerable?

Alright, now that we understand the core vulnerabilities in Chemistry, let’s break down why this machine is just asking to be hacked. Think of this section like a forensic autopsy—we’re diagnosing the security flaws that made this system vulnerable in the first place.

3.1 Web Application Misconfigurations

Ever seen a website so badly built that it practically invites hackers in? That’s what happens when developers don’t validate user input properly.

How Poor Input Validation Leads to LFI

Local File Inclusion (LFI) happens when a web application takes user input and blindly processes it without filtering out malicious inputs. This means an attacker can trick the server into revealing files that should never be exposed.

For example, let’s say the website wants to load a page like this:

http://chemistry.htb/index.php?page=home

If there’s no proper input validation, a hacker could replace “home” with:

http://chemistry.htb/index.php?page=../../../../etc/passwd

Boom. Just like that, we’ve accessed system files, which could contain usernames, SSH keys, and other sensitive information.

Risks of Exposing Sensitive Files via Directory Traversal Attacks

This is like leaving your house key under the doormat. Sure, you know it’s there, but so does everyone else—including hackers.

Directory traversal attacks allow hackers to move up the directory tree and access sensitive files, such as:

  • /etc/passwd (User accounts)
  • /var/www/html/config.php (Database credentials)
  • /root/.ssh/id_rsa (Private SSH keys)

Once an attacker gets access to these, it’s only a matter of time before things get ugly.
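As an added example (not code from the original post), here is the inclusion logic behind the two URLs above written in Python, with the vulnerable join beside a hardened version. The web root /var/www/html/pages and the page allowlist are assumptions for the demonstration; the functions only compute paths and read no files.

```python
import os
import re
from typing import Optional

# Constructed web root for the demonstration; no real files are touched.
WEB_ROOT = "/var/www/html/pages"

# Pages the application actually has. Anything else is refused.
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_page_unsafe(page: str) -> str:
    """Mirror of the vulnerable pattern: the 'page' parameter is joined
    straight onto the web root. normpath collapses '..' the same way the
    OS does when the file is opened, so the traversal escapes the root."""
    return os.path.normpath(os.path.join(WEB_ROOT, page))


def resolve_page_safe(page: str) -> Optional[str]:
    """Hardened version: allowlist the value, build the path ourselves,
    and confirm the result still lives under WEB_ROOT."""
    # 1. Only a plain page name is acceptable: no slashes, dots or encodings.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", page):
        return None
    if page not in ALLOWED_PAGES:
        return None
    # 2. The server, not the client, decides the directory and the extension.
    candidate = os.path.normpath(os.path.join(WEB_ROOT, page + ".html"))
    # 3. Containment check as defence in depth. Production code should also
    #    apply os.path.realpath so a symlink inside the root cannot escape it.
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def escapes_web_root(path: str) -> bool:
    """True when a resolved path lies outside WEB_ROOT."""
    return os.path.commonpath([WEB_ROOT, path]) != WEB_ROOT


if __name__ == "__main__":
    for value in ["home", "../../../../etc/passwd", "about/../../../etc/shadow"]:
        print(f"{value!r:32} unsafe -> {resolve_page_unsafe(value)}")
        print(f"{'':32} safe   -> {resolve_page_safe(value)}")
```

The allowlist does the real work; the commonpath check is there so that a future change to step 1 (say, someone loosening the regex to accept subdirectories) still cannot reach outside the web root.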

3.2 System Privilege Issues

Finding LFI is just the first step. Once inside, the next goal is escalating privileges to gain full control of the machine.

How a Misconfigured Sudo Binary (tar) Allows Privilege Escalation

The developers of Chemistry made a classic mistake: they allowed a low-privilege user to execute tar with sudo permissions.

This means an attacker can run commands as root by abusing the tar --checkpoint-action feature. Here’s how it works:

  1. Regular users aren’t allowed to run privileged commands.
  2. But this machine lets anyone use sudo tar—big mistake.
  3. With a simple trick, an attacker can run any command as root and gain full control.

This is like handing a thief a copy of your house keys and expecting them not to use it.

Why Least Privilege Principles Are Crucial for Security

If developers followed the principle of least privilege (PoLP), this wouldn’t happen. The idea is simple:

  • Users should only have the permissions they absolutely need.
  • No unnecessary sudo privileges.
  • No insecure configurations.

Ignoring PoLP is like giving your intern access to company bank accounts and hoping they won’t do anything stupid. Bad idea.

3.3 Attack Surface – Why Target This?

When a hacker looks at a system, they see it as an attack surface—a collection of vulnerabilities that can be exploited. The bigger the attack surface, the easier the target.

The Role of Port Scanning, Directory Fuzzing, and Enumeration

A good hacker doesn’t blindly attack a system. They scan, analyze, and plan before striking.

  • Port scanning helps find entry points (open services).
  • Directory fuzzing helps find hidden files and directories.
  • Enumeration gathers critical system information before launching an attack.

A hacker who skips enumeration is like a doctor who operates without an X-ray—you might get lucky, but chances are, you’ll miss something important.

How Attackers Chain Multiple Weaknesses for a Full Compromise

In the real world, hackers rarely break into a system using just one vulnerability. They chain multiple weaknesses together:

  1. Find LFI → Read sensitive files → Extract credentials.
  2. Use stolen credentials → Gain low-privileged access.
  3. Privilege escalation (sudo tar abuse) → Become root.

This is how a small vulnerability snowballs into complete system takeover.

4. Tools & Setup (Investigations Equivalent – Why We Use These Tools)

Now that we know what to look for, let’s talk about the tools of the trade. Every hacker (or ethical hacker) has a go-to toolkit—just like a forensic investigator has a magnifying glass, fingerprint powder, and DNA tests.

Here’s what we’ll use for Chemistry:

Tool | Purpose | Why This Instead of Alternatives?
Nmap | Scans open ports and services | Faster and more detailed than manual scanning
Gobuster | Finds hidden directories | Automates directory brute-forcing, making it faster
Burp Suite | Modifies and intercepts HTTP requests | Essential for testing web vulnerabilities like LFI
Python & Bash | Custom scripting for exploitation | More control over exploits than using Metasploit

Why These Tools?

  • Nmap: The Recon King
    Without Nmap, finding vulnerable services is like looking for a needle in a haystack. Nmap automates this process by scanning for open ports and revealing potential attack vectors.
  • Gobuster: The Directory Detective
    Many websites hide sensitive files in forgotten directories. Gobuster brute-forces these paths, finding hidden admin panels, config files, and entry points.
  • Burp Suite: The Web Hacker’s Swiss Army Knife
    If a website has an input field, Burp Suite lets us tamper with requests, inject payloads, and uncover security flaws like LFI and SQL injection.
  • Python & Bash: The Ultimate Exploitation Tools
    Why write our own scripts instead of using Metasploit? Because custom scripts give us full control. While Metasploit is powerful, real-world hackers prefer handcrafted exploits for flexibility.

5. Attack Execution (Assessment Equivalent – Step-by-Step Exploit Process)

Now that we’ve identified what makes Chemistry vulnerable, it’s time to actually break into the machine and see if we can capture that precious root flag. This section will walk through each step of the attack, just like a medical assessment—except here, instead of diagnosing a disease, we’re diagnosing bad security practices and exploiting them.

5.1 Initial Reconnaissance – Identifying Weaknesses

Before you can exploit a machine, you need to understand it. That’s why hackers start with reconnaissance—the hacking equivalent of taking a patient’s vitals before surgery.

Nmap Scan – Finding Open Ports and Services

We start with an Nmap scan to see what services are running on the target machine. Running:

nmap -sC -sV -oN chemistry.nmap 10.10.10.X

This tells us:

  • Which ports are open (possible entry points).
  • What services are running (potential vulnerabilities).
  • What versions those services are (so we can look up exploits).

If a system exposes too many unnecessary services, it’s like leaving your house doors unlocked and hoping no one walks in.
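To turn the scan into a defender's check, here is an added Python example (not part of the original walkthrough) that parses nmap's normal output format (what -oN writes) and reports every open port that is not on the owner's intended-exposure list. The scan excerpt is constructed for the demonstration, the version strings are illustrative rather than results from the machine, and the intended-port set is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of nmap normal output (-oN); not a capture from the machine.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Tue Apr  1 10:00:00 2025 as: nmap -sC -sV -oN chemistry.nmap 10.10.10.X
Nmap scan report for 10.10.10.X
Host is up (0.045s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http       Apache httpd 2.4.41 ((Ubuntu))
3306/tcp open     mysql      MySQL 5.7.42
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Ports the owner intends to expose to the network (an assumption for the example).
INTENDED_EXPOSURE: Set[int] = {22, 80}

# One port line: "22/tcp   open  ssh  OpenSSH ..."
_PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_open_ports(text: str) -> List[Dict[str, object]]:
    """Return one record per port that nmap reports as open."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m and m.group("state") == "open":
            records.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": m.group("version").strip(),
            })
    return records


def unexpected_services(text: str, intended: Set[int] = INTENDED_EXPOSURE) -> List[Dict[str, object]]:
    """Open ports nobody signed off on: each is attack surface to close or firewall."""
    return [r for r in parse_open_ports(text) if r["port"] not in intended]


if __name__ == "__main__":
    for r in parse_open_ports(SAMPLE_NMAP):
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<10} {r['version']}")
    for r in unexpected_services(SAMPLE_NMAP):
        print(f"UNEXPECTED: {r['port']}/{r['proto']} ({r['service']})")
```

Run against a real scan of your own host, the intended-exposure set becomes the documented baseline, and anything the function prints is a finding to investigate before an attacker does.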

Gobuster – Hunting for Hidden Directories

Next, we run Gobuster to look for hidden files and directories:

gobuster dir -u http://10.10.10.X -w /usr/share/wordlists/dirb/common.txt

This reveals /lab.php, which looks interesting. Anytime you find a random PHP file exposed on a web server, it’s a good bet that it has some serious issues.

5.2 Exploiting Local File Inclusion (LFI)

Now that we have a potential target (/lab.php), we check for Local File Inclusion (LFI) by modifying the URL:

http://10.10.10.X/lab.php?file=../../../../etc/passwd

If we see a list of system users, that means LFI is working. It’s like walking into a hospital records room and realizing the filing cabinets aren’t locked.

Extracting Sensitive Files to Find Credentials

Once we confirm LFI, we dig deeper:

  • Checking web server logs for stored credentials.
  • Reading configuration files like config.php or .env for database usernames and passwords.
  • Looking for SSH private keys in home directories.

A weakly secured LFI vulnerability is like a leaky faucet—it might start with just one file, but if you keep looking, you’ll find way more than you expected.
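From the blue-team side, every one of these requests leaves a trace in the web server's access log. The following added Python example (not from the original post) decodes each request target, including double-encoded variants, and flags directory-traversal patterns, then counts how many of them the server answered with 200, which is the subset where a file most likely left the box. The log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed access-log lines in the common Apache/nginx format (not a real capture).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Apr/2025:10:00:01 +0000] "GET /lab.php?file=about HTTP/1.1" 200 512
10.10.14.5 - - [01/Apr/2025:10:00:07 +0000] "GET /lab.php?file=../../../../etc/passwd HTTP/1.1" 200 1843
10.10.14.5 - - [01/Apr/2025:10:00:09 +0000] "GET /lab.php?file=..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 220
10.10.14.9 - - [01/Apr/2025:10:01:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
10.10.14.5 - - [01/Apr/2025:10:01:44 +0000] "GET /lab.php?file=%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 310
"""

_REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A dot-dot segment followed by a path separator, checked after decoding.
_TRAVERSAL = re.compile(r"\.\.[\\/]")


def normalise_target(target: str) -> str:
    """Percent-decode until the string stops changing (bounded to three rounds),
    so that double-encoded sequences such as %252e%252e collapse to '..'."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def detect_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per request whose decoded target contains '../'."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue
        decoded = normalise_target(m.group("target"))
        if _TRAVERSAL.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "decoded": decoded,
                "status": int(m.group("status")),
            })
    return hits


def served_count(hits: List[Dict[str, object]]) -> int:
    """Traversal requests answered with 200: the first thing to escalate."""
    return sum(1 for h in hits if h["status"] == 200)


if __name__ == "__main__":
    found = detect_traversal(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['status']} {h['decoded']}")
    print(f"{len(found)} traversal attempts, {served_count(found)} answered with 200")
```

Matching on the decoded target rather than the raw one is the point of the example: a rule that only looks for the literal string ../ misses the %2f and %252e variants, and those are exactly what a tester reaches for once the plain form is blocked.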

5.3 Gaining Initial Access – Exploiting System Weaknesses

Now that we have credentials, the next step is logging into the system. If we found an SSH username and password, we try:

ssh <username>@10.10.10.X

If SSH isn’t available, we might need to:

  • Use other login methods (FTP, database admin panels).
  • Crack password hashes if we found them in configuration files.

Once inside, we check what permissions this user has:

sudo -l

If the system lets us run certain commands with sudo (especially tar), we have an easy privilege escalation path.
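An administrator can run the same check before an attacker ever types sudo -l. This added Python example (not from the original post) parses sudoers-style rules and flags entries that let an individual user run tar or another binary that can escape to a shell as root; it covers both the misconfiguration described in section 3.2 and the sudo -l step here. The sample rules, the user names and the list of shell-escape binaries are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Binaries that hand the caller an arbitrary command when run as root.
# tar is the one this machine exposes; the rest are well-known shell
# escapes. The set is an assumption for the example, not an exhaustive list.
SHELL_ESCAPE_BINARIES = {
    "tar", "vim", "vi", "find", "less", "more", "awk",
    "python3", "perl", "env", "bash", "sh",
}

# Constructed sudoers content for the demonstration (not from the machine).
SAMPLE_SUDOERS = """\
Defaults env_reset
# Full admin rights for root and the sudo group are expected
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
webuser ALL=(ALL) NOPASSWD: /usr/bin/tar
deploy  ALL=(root) /usr/bin/systemctl restart app.service, /usr/bin/find
backup  ALL=(root) NOPASSWD: /usr/local/bin/run-backup.sh
"""

# user-or-%group  host=(runas)  [NOPASSWD:] command[, command...]
_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per command that grants a path to a root shell."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        who, rest = m.group("who"), m.group("rest")
        nopasswd = "NOPASSWD:" in rest
        commands = rest.replace("NOPASSWD:", "").replace("PASSWD:", "")
        for cmd in (c.strip() for c in commands.split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                # Unrestricted sudo for a single non-root user is a finding;
                # root and admin groups (%name) are the normal place for ALL.
                if who != "root" and not who.startswith("%"):
                    findings.append({"user": who, "command": cmd, "binary": "ALL",
                                     "nopasswd": nopasswd,
                                     "reason": "unrestricted sudo for a single user"})
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"user": who, "command": cmd, "binary": binary,
                                 "nopasswd": nopasswd,
                                 "reason": f"{binary} can execute arbitrary commands as root"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        auth = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{auth}] {f['user']}: {f['command']}  ({f['reason']})")
```

Note that restricting the rule to a specific tar command line does not help, because the dangerous behaviour is a flag of tar itself; the fix is to remove the entry, or to move the backup logic into a dedicated script that takes no user-controlled arguments and grant sudo on that script only.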

5.4 Privilege Escalation – Exploiting Misconfigured Tar Permissions

And now, the moment of truth—we go from a regular user to root.

Since we found that tar has sudo privileges, we can exploit this with a simple command:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Why This Works

  • --checkpoint=1 makes tar stop at a checkpoint after the first record, and --checkpoint-action=exec=... tells it which command to run at that point.
  • We abuse this by making it execute /bin/bash; because tar was started through sudo, the shell it spawns runs as root.
  • Since the sudo rule trusts tar as a whole, it doesn’t question why it’s suddenly launching a bash shell.

This is like convincing a hospital receptionist to let you into the restricted surgery wing because you’re “just delivering supplies.” Once you’re inside, you own the place.

Achieving Root Access and Capturing the Flag

After running the command, we check:

whoami

If it returns root, congratulations—you now own the system. From here, the last step is capturing the root flag:

cat /root/root.txt

That’s it. Machine pwned. But now, let’s talk about how we fix these security issues—because a system this broken shouldn’t even be online.

6. Defense & Mitigation (Treatment – How to Fix These Issues)

If a hospital keeps having patients with preventable diseases, they don’t just keep treating symptoms—they fix the root causes. The same applies to cybersecurity. Here’s how to prevent the vulnerabilities we exploited.

Vulnerability | Mitigation Strategy
Local File Inclusion (LFI) | Sanitize user input (never let users directly request files); restrict file access (limit which directories can be included); disable allow_url_include in PHP
Weak Sudo Permissions | Follow the principle of least privilege (PoLP); don’t allow unnecessary sudo access; regularly audit sudo configurations
Exposed Sensitive Files | Store credentials securely (use environment variables instead of hardcoded config files); use permission-based access controls (limit who can read sensitive files)

Why This Matters

If these security measures had been in place, the Chemistry machine wouldn’t have been so easy to hack. It’s like washing your hands to prevent infection—simple, but critical.

7. Ethical Considerations & Legal Implications

Before we wrap up this walkthrough of the Hack The Box Chemistry challenge, let’s take a moment to talk about the ethics and legalities involved in the world of hacking. It’s easy to get lost in the excitement of breaking systems (and let’s face it, who doesn’t love the thrill of a successful exploit?), but we must always be mindful of the responsibilities that come with this power.

Importance of Ethical Hacking and Responsible Disclosure

Ethical hacking, often called white-hat hacking, is the practice of probing systems to find vulnerabilities before the bad guys do. It’s like being a cybersecurity detective—solving problems by finding weaknesses and then fixing them. However, it’s crucial to act within the boundaries of the law. Ethical hackers don’t go around randomly attacking systems just for fun—they always have permission from the system owners to conduct tests.

One way to practice responsible disclosure is by alerting organizations about their security flaws, and working with them to address vulnerabilities before they’re exploited by malicious actors. This is like finding a broken lock on someone’s door and saying, “Hey, you might want to fix this before it gets worse.”

In short: Always get consent before you hack. Without that, you’re walking a fine line between hero and villain.

Legal Consequences of Unauthorized Hacking

Now, let’s talk about the elephant in the room—the legal implications. Hacking without permission is not just a bad idea; it’s illegal. In the United States, for example, the Computer Fraud and Abuse Act (CFAA) makes unauthorized hacking a federal crime. If you exploit a vulnerability on a system that isn’t yours, you could face heavy fines and even prison time. Yikes, right?

Similarly, in Europe, the General Data Protection Regulation (GDPR) lays out strict rules on how data should be handled, and unauthorized access to data can lead to hefty fines, especially if personal data is exposed. Imagine having your name, email, or financial info stolen because someone hacked without permission. Not cool. Always remember: hacking without authorization is illegal and could lead to serious consequences.

How Organizations Can Use CTF Challenges to Train Cybersecurity Teams

Now, here’s the good news: organizations don’t need to wait until a hacker exploits a weakness in real life. Instead, they can use Capture The Flag (CTF) challenges to simulate attacks and train their cybersecurity teams. CTFs are like digital obstacle courses that give professionals hands-on experience in exploiting vulnerabilities safely and legally.

By using platforms like Hack The Box, organizations can simulate real-world attacks and vulnerabilities in a controlled environment. This helps teams practice ethical hacking, improve their skills, and stay prepared for when an actual attack happens. Think of it like taking a fire drill: you get the practice, but you don’t have to deal with actual flames.

8. Conclusion – Key Takeaways from Chemistry Walkthrough

Importance of Reconnaissance Before Attacking

Let’s summarize what we’ve learned from the Hack The Box Chemistry walkthrough. First things first: reconnaissance is critical. Just like a doctor wouldn’t perform surgery without understanding the patient’s history, a hacker shouldn’t attack a machine without first conducting thorough reconnaissance. Scanning with tools like Nmap and Gobuster helps uncover open ports and hidden directories, setting the stage for a successful exploit.

Chaining Multiple Vulnerabilities

Another key lesson is how vulnerabilities often don’t stand alone. In the case of Chemistry, we exploited Local File Inclusion (LFI) to grab credentials and then chained that with privilege escalation using a misconfigured sudo binary. This is like diagnosing a multi-faceted illness—one symptom leads to another, and before you know it, you have a full-blown compromise. It’s essential to remember that attackers often exploit multiple weaknesses in quick succession.

Real-World Application

In the real world, LFI vulnerabilities and misconfigured sudo permissions are not just theoretical problems—they exist in countless web applications and Linux systems. These types of flaws are common, and the best way to defend against them is by proactively testing systems with ethical hacking practices. You don’t want to wait until your network is under attack to realize that a simple configuration error has left you vulnerable.

Future Learning Paths

So, what’s next for you? The Chemistry machine has laid the foundation, but there are many advanced techniques to explore, like post-exploitation, advanced privilege escalation, and pivoting between systems. Privilege escalation is a powerful skill, and the more you practice, the better you’ll get at finding weaknesses and exploiting them—ethically, of course.

Final Thoughts: CTF Challenges Bridge the Gap Between Theory and Practice

CTF challenges like Chemistry are a fantastic bridge between theoretical learning and real-world hacking. They allow aspiring hackers to get their hands dirty, understand the vulnerabilities that plague modern systems, and, most importantly, learn how to fix them. This is why hands-on practice is so vital in cybersecurity education. You can read all the books you want, but nothing beats the experience you gain from actually exploiting a system—and fixing it afterward.

So, whether you’re just starting out or looking to sharpen your skills, CTF challenges are a great way to grow and learn in a safe, legal environment. As the saying goes: practice makes perfect—and if you want to be a cybersecurity pro, it’s time to start practicing.

What do you think? Have you tried the Hack The Box Chemistry machine? What’s your favorite CTF challenge so far? Let us know in the comments below. Don’t forget to share this article with your fellow security enthusiasts and follow us on Instagram and Twitter for more hacking tips and updates. The adventure doesn’t stop here!
