In this post, I would like to share a walkthrough of the Catch Machine from Hack the Box

This room will be considered as a medium machine on Hack The box

What will you gain from the Catch machine?

For the user flag, you will need to

As for the root flag, you need to

Information Gathering on Catch Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

I have noticed that there are a lot of ports open by looking at the nmap result.

Let’s check the website interface on all those ports

The first website using the port 80

I notice that we can download a file called catchv1.0.apk into our machine

Let’s move the file into our htb directory

Android Investigate

We can extract the apk file by using apktool which can be used for the android file format.

Let’s investigate the /res/value directory which looks weird to me.

Let’s open and read the strings.xml

We should analyze the string

I notice there’s a let’s chat token that has been embedded inside the code

Let’s access another website interface that uses port 3000

Let’s access another website interface that uses port 5000 and if you are not aware, the website interface show let’s chat.

However, let’s move on from now.

Let’s access another website interface that uses port 8000 and we have noticed that it’s a cachet login page. Sadly, we don’t have any credentials to login in.

We can use curl to try to inspect the packet using the let’s chat interface.

The Burpsuite interface will look something like the above when we try to inspect the packet from the curl command.

As a result, we managed to see the details when we try to access the API endpoints

There is some id that we can use from rooms endpoints

The response to the messages looks promising

We found some messages stating on “text”

Finally, we managed to obtain one credential

We have tried the credential within the two previous websites, but we retrieve “username or password is incorrect”

On the cachenet website interface, the credentials work and we got a dashboard

I notice the cachenet version is 2.4.0-dev which might be useful to exploit.

Let’s do some research on the internet

Cachet 2.4: Code Execution via Laravel Configuration Injection (

We got the username will by entering ${DB_USERNAME}

We got the password by entering ${DB_PASSWORD}

Let’s access the machine via ssh service

We can read the user flag by slamming the command “cat user.txt

Escalate to Root Privileges Access

As usual, let’s use common privileges but it says that the user will not run sudo on catch

Let’s execute the pspy64 to see what is running in the background

There is a file such as to that has been stored inside /opt/mdm

Let’s analyze the source code that we need to put one file an apk file inside /opt/mdm/apk_bin

Let’s throw a reverse shell on the source code

Sadly, the source code cannot be compiled back to apk file format

Let’s change it into a command that give us a SUID binary to us

At last, we can compile the source code

We are required to create a key where we can use keytool for this activity

The key has been created

Let’s sign the apk by using jarsigner

Let’s transfer the file into our victim’s machine

We can move the file into /opt/mdm/apk_bin

As a result, let’s monitor the activity by running pspy64 tool

Finally, the /bin/bash file has changed into SUID Binary

We can read the root flag by running the command “cat /root/root.txt”

Leave a Reply

Your email address will not be published. Required fields are marked *