Read my writeup of the Catch machine on:

TL;DR

User: Found `status.catch.htb`, `gitea_token` and `lets_chat_token` in `catchv1.0.apk`. Using the `lets_chat_token` token we can use the `lets-chat` API on port `5000`. Through the `lets-chat` API we get the credentials of the `john` user. Using `john`'s credentials we connect to Cachet on port `8000`. Using CVE-2021-39165 we get SQLi and fetch the `api_key` of the `john` user on Cachet. Using the `api_key` we create an incident template, get RCE, and find the password of the `will` user in `/var/www/html/Cachet/bootstrap/cache/config.php`.

Root: By running `pspy` we found the script `/opt/mdm/verify.sh`, which runs as root. The script contains an `app_check` function that checks the application name and then runs another command that contains the application name. Based on that, we decompiled `catchv1.0.apk` and injected a reverse shell command into the application name (in `strings.xml`).
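The root step above works because a root-run script builds a command from an application name taken out of an untrusted APK. As an added example (not the machine's `verify.sh`), here is a hypothetical `app_check` that extracts the name from a constructed `strings.xml`, rejects anything outside a strict character set, and passes the value as a single argument rather than interpolating it into a command string:

```shell
# Added example, not the verify.sh from the machine. The strings.xml below is
# constructed for the demo; extract_app_name/validate_app_name/app_check are
# hypothetical helper names.
STRINGS_XML="$(mktemp)"
cat > "$STRINGS_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch</string>
</resources>
EOF

# Pull the app_name value out of strings.xml.
extract_app_name() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<\/string>.*/\1/p' "$1"
}

# Accept only a conservative allow-list of characters; an empty name or any
# shell metacharacter, quote or whitespace is rejected before it can reach a
# command line that runs as root.
validate_app_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Hardened app_check: validate first, then hand the name to the next command
# as one quoted argument instead of building a command string from it.
app_check() {
    name="$(extract_app_name "$1")"
    validate_app_name "$name" || return 1
    printf 'application name ok: %s\n' "$name"
}
```

Running `app_check "$STRINGS_XML"` on the constructed file succeeds, while a name containing spaces, quotes or `$(...)` is refused before any command is built from it.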