$ nmap -p- --min-rate 5000 10.129.84.253
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 03:36 EDT
Nmap scan report for 10.129.84.253
Host is up (0.0098s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
5000/tcp open upnp
8000/tcp open http-alt
Lots of HTTP ports it seems.
Catch Global Systems
Typical corporate page:
I tried enumerating, but I could not find much here. The only thing was the Download Now button, which downloaded an APK file to my machine. Interesting, but we can move on.
Gitea
Port 3000 was a Gitea instance:
No repositories present, but tehre was one user:
Nothing much there. However, Gitea does have an API present at the bottom, and clicking it loads an empty page:
Check the page source, it seems that there's a subdomain that needs to be added:
Once added to the /etc/hosts file, we can see that the page loads some documentation:
Still, nothing much.
Let's Chat
On port 5000, there was another application, and this time with a login page:
Default credentials don't work...so there's again nothing here.
Incident Reporter
On port 8000, there was an incident reporter, kind of like a SIEM or something:
Attempting to visit the dashboard revealed that this is running Cachet:
Cachet DID have some vulnerabilities present (finally!). Most notably, there is an information leak and a RCE exploit possible:
We can upload the APK file we downloaded and let it analyse it for us. What's great about this is that it also checks for secrets and passwords alike. At the bottom of the page, we would see these tokens:
I didn't really know what to do even if I had Gitea access, so let's exploit the Let's Chat Token
Let's Chat Token
This was a Base64 token, so let's try to use an Authorization HTTP header as the token. Also, at the very bottom of the page, there was a Github Repository present (which I missed the first time).
Each entity here is a 'room'. So we can enumerate the messages sent in each room at /room/<ID>/messages. When viewing the messages in the Cachet room, we would find a password:
In the SonarLink blog, it is stated that we could potentially leak the configuration of the dotenv file, which is the basis of the RCE. In this case, it supports nested variable assignment. This would mean that ${NAME} is accepted and will run.
Following the PoC, we can use ${DB_USERNAME} and ${DB_PASSWORD} within Settings > Mail in the Mail Host and Mail From Address fields.
When we reload the page, this would appear:
Great! Testing this with ssh reveals that this is indeed the password of the user will. Skipped the RCE!
Privilege Escalation
There are 2 users within the machine:
will@catch:/home/git$ ls -la
total 16
drwxr-xr-x 3 git git 4096 Dec 14 2021 .
drwxr-xr-x 4 root root 4096 Dec 14 2021 ..
-rw-r--r-- 1 git git 162 Dec 14 2021 .gitconfig
drwx------ 2 git git 4096 Dec 14 2021 .ssh
No sudo privileges or others to exploit. So, I ran a pspy64 to enumerate what was going on within the machine.
The script seems to do some checking on whether the file is legit or not. However, within the app_check() function, there's an Command Injection Vulnerability.
The APP_NAME variable has to have the word 'Catch' within it, and then this parameter is passed directly to a command without sanitisation. We can use a $() expression to inject here since subshells would be processed before the rest of it.
Now, we need to create a valid file to be used. Using the APK we had earlier, we can decompile is using apktool:
$ java -jar apktool_2.6.1.jar d catchv1.0.apk -o decompiled
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.6.1 on catchv1.0.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/kali/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
Then, we edit the app_name variable located within res/values/strings.xml: