Catch Writeup by evyatar9

Read my writeup for the Catch machine on:


User: Found status.catch.htb, a gitea_token and a lets_chat_token in catchv1.0.apk. Using the lets_chat_token we can call the lets-chat API on port 5000, which gives us the credentials of the user john. With john's credentials we log in to Cachet on port 8000; CVE-2021-39165 gives us SQLi, which we use to fetch john's Cachet api_key. With the api_key we create an incident template, obtain RCE, and find the password of the user will in /var/www/html/Cachet/bootstrap/cache/config.php.

Root: By running pspy we found a script in `/opt/mdm/` that runs as root. The script contains an `app_check` function that reads the application name and then runs another command that includes that name. Based on that, we decompiled `catchv1.0.apk` and injected a reverse shell command into the application name (in `strings.xml`).
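The root step works because the `/opt/mdm/` script builds a shell command from an untrusted application name. As an added example (not code from the machine or from this writeup), here is how a hardened `app_check` could validate that name and pass it as a plain argument; the extraction from `strings.xml` and the real follow-up command are assumed and stood in for by `printf`.

```shell
# Hardened app_check: reject application names that could alter a shell
# command, then pass the name as a separate argv element (never through
# eval or an interpolated "sh -c" string). Editor-added example; the real
# /opt/mdm script's internals are not on this page.

# app_name_ok NAME: succeed only for names made of letters, digits, dot,
# underscore, hyphen and space, 1..64 characters long.
app_name_ok() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case $name in
        *[!A-Za-z0-9._' '-]*) return 1 ;;   # any other byte => reject
    esac
    return 0
}

# app_check NAME: NAME is the label already extracted from strings.xml
# (extraction method assumed). Validate it, then use it only as an argument,
# so ";", "$(...)", backticks and similar are never parsed by a shell.
app_check() {
    app_name=$1
    if ! app_name_ok "$app_name"; then
        printf 'app_check: rejected application name\n' >&2
        return 1
    fi
    # printf stands in for the privileged follow-up command.
    printf 'Checking application: %s\n' "$app_name"
}
```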