In this post, I would like to share a walkthrough of the Catch machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Catch machine?
For the user flag, you will need to
As for the root flag, you need to
Information Gathering on Catch Machine
Once the VPN connection is up (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Looking at the nmap result, I notice that a lot of ports are open.
Let’s check the web interface on each of those ports.
The first website is on port 80.
I notice that we can download a file called catchv1.0.apk onto our machine.
Let’s move the file into our htb directory.
Android Investigation
We can extract the APK with apktool, which decodes the Android package format.
Let’s investigate the /res/value directory, which looks odd to me.
Let’s open and read strings.xml.
We should analyze the strings.
I notice that a Let’s Chat token has been embedded inside the code.
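The token above is exactly the kind of secret that should never ship inside an APK, because anyone who downloads the app can decode it with apktool as shown here. As an added example (not code from the original write-up), the script below scans a decoded strings.xml for resource names that suggest credentials and for token-shaped, high-entropy values. The XML sample, the resource names and the token value are constructed placeholders, not values from the Catch machine.

```python
"""Scan a decompiled Android strings.xml for embedded secrets.

Added example, not from the original write-up. The sample XML below is
constructed; the token value and resource names are placeholders.
"""
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape apktool writes under res/values/strings.xml.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch</string>
    <string name="welcome_message">Welcome to the status dashboard</string>
    <string name="lets_chat_token">EXAMPLE_TOKEN_0123456789abcdefABCDEF0123456789</string>
    <string name="api_base_url">http://example.invalid:5000/</string>
    <string name="db_password">s3cr3t-placeholder-pass</string>
</resources>
"""

# Resource names that usually hold credentials rather than UI text.
SUSPICIOUS_NAME = re.compile(r"(token|secret|passw|api[_-]?key|auth|credential)", re.I)
# Long runs of base64/hex-like characters with no spaces are typical of API tokens.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def shannon_entropy(value: str) -> float:
    """Bits per character; randomly generated tokens usually land above ~3.5."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_secrets(xml_text: str, min_entropy: float = 3.5):
    """Return (name, value, reasons) for each <string> that looks like a secret."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("suspicious resource name")
        if TOKEN_SHAPE.match(value) and shannon_entropy(value) >= min_entropy:
            reasons.append("token-shaped high-entropy value")
        if reasons:
            findings.append((name, value, reasons))
    return findings


if __name__ == "__main__":
    for name, value, reasons in find_embedded_secrets(SAMPLE_STRINGS_XML):
        print(f"{name}: {value!r} ({', '.join(reasons)})")
```

Run against a real apktool output directory, point it at res/values/strings.xml; a hit means the secret must be rotated on the server side, since removing it from the next build does nothing for copies of the APK already downloaded.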
Next, let’s access the website on port 3000.
Let’s access the website on port 5000; if you are not aware, this interface is Let’s Chat.
For now, let’s move on.
Let’s access the website on port 8000, which turns out to be a Cachet login page. Sadly, we don’t have any credentials to log in with.
We can use curl to inspect the traffic to the Let’s Chat API.
The Burp Suite interface looks something like the above when the curl request passes through it.
As a result, we can see the details returned by the API endpoints.
The rooms endpoint returns some IDs that we can use.
The response from the messages endpoint looks promising.
We find some messages in the “text” field.
Finally, we manage to obtain one credential.
We tried the credential on the two previous websites, but got “username or password is incorrect”.
On the Cachet website, the credentials work and we get a dashboard.
I notice the Cachet version is 2.4.0-dev, which might be exploitable.
Let’s do some research on the internet
Cachet 2.4: Code Execution via Laravel Configuration Injection (sonarsource.com)
We get the username, will, by entering ${DB_USERNAME}.
We get the password by entering ${DB_PASSWORD}.
Let’s access the machine via the SSH service.
We can read the user flag by running the command “cat user.txt”.
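The two steps above work because a value typed into the settings form is written into the Laravel .env file and the dotenv parser then expands ${DB_USERNAME} and ${DB_PASSWORD} into the real database credentials. The fix on the application side is to treat submitted settings as data: refuse anything that carries variable-expansion syntax or line breaks before it reaches the .env file. The following is an added example of that check, written here for illustration; it is not Cachet’s code and the setting names and values are constructed.

```python
"""Reject configuration values that carry dotenv/Laravel interpolation syntax.

Added example, not Cachet's code and not from the original write-up. It
models the guard a settings form should apply before persisting a
user-supplied value into .env: "${DB_PASSWORD}" must stay a literal string,
never a reference to another variable, and a value must never smuggle in a
second KEY=value line.
"""
import re
from typing import Dict, Tuple

# ${NAME} and bare $NAME are both expanded by dotenv parsers; flag either form.
INTERPOLATION = re.compile(r"\$\{[^}]*\}|\$[A-Za-z_][A-Za-z0-9_]*")


class UnsafeConfigValue(ValueError):
    """Raised when a submitted setting must not be written to .env."""


def contains_interpolation(value: str) -> bool:
    return bool(INTERPOLATION.search(value))


def validate_setting(name: str, value: str) -> str:
    """Return the value unchanged if it is safe to persist, else raise."""
    if contains_interpolation(value):
        raise UnsafeConfigValue(f"{name}: variable expansion syntax is not allowed")
    if "\n" in value or "\r" in value:
        raise UnsafeConfigValue(f"{name}: line breaks could inject extra .env keys")
    return value


def screen_settings(submitted: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a settings submission into values safe to persist and rejected ones."""
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for name, value in submitted.items():
        try:
            accepted[name] = validate_setting(name, value)
        except UnsafeConfigValue as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed submission: two benign mail settings, one interpolation attempt,
# and one value that tries to append a new key via an embedded newline.
SAMPLE_SUBMISSION = {
    "MAIL_HOST": "mail.example.invalid",
    "MAIL_FROM_NAME": "Status Page",
    "MAIL_PASSWORD": "${DB_PASSWORD}",
    "MAIL_ENCRYPTION": "tls\nAPP_DEBUG=true",
}

if __name__ == "__main__":
    ok, bad = screen_settings(SAMPLE_SUBMISSION)
    print("accepted:", ok)
    print("rejected:", bad)
```

A guard like this belongs in front of every code path that writes to .env, and it complements rather than replaces the vendor patch: upgrading Cachet past the affected 2.4.0-dev build is still the actual fix.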
Escalating to Root Privileges
As usual, let’s start with the common privilege escalation checks, but sudo says that the user will may not run sudo on catch.
Let’s run pspy64 to see what is running in the background.
There is a file called verify.sh stored inside /opt/mdm.
Analyzing its source code shows that it processes APK files placed inside /opt/mdm/apk_bin, so we need to put an APK file there.
Let’s put a reverse shell into the APK source code.
Sadly, the source code cannot be compiled back into APK format.
Let’s change it to a command that gives us a SUID binary instead.
This time, the source code compiles.
We need to create a signing key, which we can do with keytool.
The key has been created.
Let’s sign the APK with jarsigner.
Let’s transfer the file to the target machine.
We can move the file into /opt/mdm/apk_bin.
Now let’s monitor the activity with pspy64.
Finally, /bin/bash has become a SUID binary.
We can read the root flag by running the command “cat /root/root.txt”.
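The tell-tale artifact of this whole chain is a shell binary that suddenly carries the SUID bit, and that is cheap to detect: record the mode bits of the binaries you care about and alert when SUID or SGID appears where it was not before. Below is an added example of such a check (not code from the original write-up or from the machine); the baseline and the current snapshot in the sample are constructed mappings, and the paths are placeholders standing in for a real allowlist.

```python
"""Detect files that gained the SUID/SGID bit since a recorded baseline.

Added example, not part of the original write-up: a minimal integrity check
of the kind that would flag /bin/bash turning into a SUID binary. The sample
baseline and snapshot are constructed dictionaries of path -> st_mode.
"""
import os
import stat
from typing import Dict, Iterable, List

PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def snapshot_modes(paths: Iterable[str]) -> Dict[str, int]:
    """Record st_mode for each existing path (lstat, so symlinks are not followed)."""
    modes: Dict[str, int] = {}
    for path in paths:
        try:
            modes[path] = os.lstat(path).st_mode
        except FileNotFoundError:
            continue
    return modes


def has_priv_bits(mode: int) -> bool:
    return bool(mode & PRIV_BITS)


def diff_privilege_bits(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Return alerts for files that are new and privileged, or that gained SUID/SGID."""
    alerts: List[str] = []
    for path, new_mode in sorted(current.items()):
        old_mode = baseline.get(path)
        if old_mode is None:
            if has_priv_bits(new_mode):
                alerts.append(f"NEW SUID/SGID file: {path} {stat.filemode(new_mode)}")
            continue
        gained = new_mode & ~old_mode & PRIV_BITS
        if gained:
            alerts.append(
                f"PRIVILEGE BIT ADDED: {path} "
                f"{stat.filemode(old_mode)} -> {stat.filemode(new_mode)}"
            )
    return alerts


# Constructed baseline: a normal bash and a legitimately SUID passwd.
SAMPLE_BASELINE = {
    "/bin/bash": 0o100755,
    "/usr/bin/passwd": 0o104755,
}
# Constructed later snapshot: bash is now SUID and an unknown SUID file appeared.
SAMPLE_CURRENT = {
    "/bin/bash": 0o104755,
    "/usr/bin/passwd": 0o104755,
    "/tmp/example_suid": 0o104755,
}

if __name__ == "__main__":
    for line in diff_privilege_bits(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(line)
```

In practice the baseline comes from snapshot_modes() over the system's binary directories at a known-good time and is compared on a schedule; the same check also catches the /opt/mdm style of problem upstream if the directories a root-owned script reads from are included, since world-writable input to a privileged job is what made this escalation possible.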