Official Catch Discussion

Great machine! Took me 6 days to root xD. Getting the foothold was hard for me. Root is easy but it's tedious.
PM me if anyone needs help, and let me know what all you have tried.

Hi, I found a token: gitea_token. Is this correct?

Could you give me a hint of the next step after finding the token?

I rooted the machine. I think it was built logically.

User: Frustrating when something doesn't work. You have to try the solutions one by one and sooner or later one will be good. (One solution was so elegant that I thought it would be the solution. It didn't work at all. I ended up putting up the right service locally and trying it out there.)

So I've managed to get the foothold, and I've found the blog people are hinting at. I can do the last one ok (but I have the same issue as what follows). The main one I can't seem to get working though; watched the brief video in the blog, not sure I understand how the payload is pulled from the cache store though…

Rooted! User is a bit frustrating because of the rabbit holes.

Finally managed to get RCE as www-data, struggling with an appropriate payload though. Any hints?

Same here… I tried a lot of times adding a new payload to the POST request but no luck… any hint?

Yes got the user flag :smiley:

Please tell me I don't have to run another ■■■■■■■ APK file…

1 Like

Got stuck looking for a foothold. I pulled the relevant tokens from the APK but I can't get a working login yet.

You don't :grinning:

Use them on the right service :slight_smile:

I believe I'm targeting the right service but I keep getting “token is required” when I try and interact with it. I've been reading the documentation of said service and I'm really not sure why it won't accept the token / I am receiving a token not found message to my requests.

2 Likes

I found 3 different ways. 2 don't work and 1 seems to go absolutely nowhere.
If anyone has a hint for me, because if I read that blog again and watch that video one more time it'll drive me nuts ><
How in ■■■■ can you do that in less than 45 minutes? …

Edit : Seriously, you censor h e l l ?

1 Like

So I've managed to grab creds from one of the services but I'm stuck as to where to use them.

Are the creds for jn used to access s***.catch.htb from the apk?

Any nudge is welcomed

Anyone have any clues for the root priv esc? I believe it's to do with automated copying of a familiar file type from an accessible directory for the user. But my experiment failed.

Try reverting the box. When I first tried it, that exploit seemed to be tampered with by someone else and slowed me down. Go back and try again with some common words that you could pull from there.

Read it carefully. Pull out the relevant things and work backwards.

I'm struggling with the initial foothold / user. After abusing the 3rd CVE, my attempts at exploiting the 1st CVE get rejected due to an invalid value (@ s…3 to change the C…D…R, as indicated in the blogpost). I've reset the box and still no luck.