Machine Synopsis

Catch is a medium difficulty Linux machine that features several web applications listening on different ports. Port `80` provides a potential attacker with an `APK` file. Inside the `APK` file are leftover tokens for various other services/applications. On port `3000` there is an instance of `Gitea` running. Unfortunately, the token for `Gitea` that was found inside the `APK` is no longer valid and there is no way to progress further on this port. Next, on port `5000` there is a `Let's chat` application present. The token that was inside the `APK` for this application works and an attacker is able to dump clear text credentials for the user `john`. Finally, on port `8000` there is an instance of the `Cachet` application. It is found that the credentials for the user `john` are valid for this application and that the version present on the system suffers from a remote command execution vulnerability. Leveraging this vulnerability, an attacker is able to get a reverse shell inside a Docker container on the remote machine. Enumerating the container an attacker will find clear text credentials for the user `will`. Trying to SSH to the host machine using the credentials for the user `will` is a success. Enumerating the remote machine an attacker is able to find that a script that validates `APK` files is executed every minute by the user `root`. Analyzing the script it is found that it's vulnerable to command injection. Thus, an attacker is able to craft a malicious `APK` file, wait for `root` to execute the script and ultimately get a shell as the user `root`.