Official Catch Discussion

dragonista · March 24, 2022, 8:30pm

Thanks for answering, I have since found my way in, I wasn’t looking in the right place !

PaulStat · March 24, 2022, 11:56pm

Boom, rooted soooooo pleased

dronf · March 25, 2022, 1:25am

Really nice box, thank you for this!
This was fun - took me two whole nights but it was only my third one on here.

dronf · March 25, 2022, 2:15am

I think I saw you on there, PaulStat.
Got it too, in the end!

cptphil · March 25, 2022, 8:40pm

gitea_token is the right way?

M00nz · March 27, 2022, 3:12pm

Rooted finally! Great machine!
It was hard a bit but I’ve obtained a hint and all were enlighted!

TonyParadise · March 27, 2022, 3:31pm

Edit: Yeah… wasted 3 days due to company’s VPN.

JO7 · March 27, 2022, 7:10pm

I am new to this field. I got the tokens cant find away around would appreciate some hints)

dragonista · March 27, 2022, 7:24pm

Edit : Oopsie.

dylvie · March 28, 2022, 11:23pm

For foothold, a token can be used as is. Just read docs for service authentication.

There’s a script to get bcrypt hashes. Is it useful to crack admin password?

Snappie · March 29, 2022, 10:07am

I found the creds for a certain status page

I’ve been at it for two days now, but I cannot get the new line injection to work to inject redis server configuration, am I digging at a rabbit hole?

tinv33043 · March 29, 2022, 10:30am

I read the blog, but I got stuck there.
Is it correct to use the leaked information?

nullbyte900 · March 29, 2022, 4:42pm

Hey i m trying to get an initial foothold for the Catch machine.
The only think i found is tree tokens … i tried to insert that tokens for authentication but nothing
Is the right way or there’s a particular cve ?

NullByteZero · March 30, 2022, 12:47pm

Make sure you enumerate all of the services running on machines IP address

sudogetgud · March 30, 2022, 5:20pm

I’m stuck attempting to get a foothold on this machine. I’ve found the creds I need to log in to the vulnerable service/exploit it but I know that the R*** is not the way to go. I can’t seem to wrap my head around how I go about leaking the desired data I need.

windsurfer · April 1, 2022, 3:29pm

Hello everybody,
I have login access to the vulnerable service, and 3 CVEs for the version. However i can’t find any poc or exploits to move on and i searched everywhere for like hours… If anyone care to hint me on the poc i would be grateful.

V01D · April 2, 2022, 6:19am

I have all the necessary tokens to read API endpoints, tried all authentication headers but still doesn’t work. Reverted the box just in case someone tampered with the box but leads nowhere. Any nudge if someone still active on this box?

dylvie · April 3, 2022, 3:55pm

Thank you @MrR3boot ! It was an interesting machine.

FOOTHOLD : don’t be a fool like me. You have all what you need in your first immediate Recon. No calculations or cracking needed. There are many rabbit holes and unuseful services.

USER : Grab the flag.

ROOT : Look at obvious directories and check content. One variable can be manipulated. All tools needed are in the box.

sudogetgud · April 3, 2022, 7:37pm

Can someone point me in the right direction for leaking the desired information from the vulnerable service? I have the required access into the settings, but I seem to be really bad at understanding how I move on from here.

notKakarotButVegeta · April 5, 2022, 3:39am

If you are viewing the blog which covers the three vulnerabilities, use the one which is about nested variables and to be more specific try the ones, it suggests would have impact.
And then use that for a password reuse attack.