HackTheBox - Catch

00:00 - Intro
01:00 - Start of nmap, going over some standard cookies and identifying the web technology behind them
06:15 - Checking what the main webpage is, discovering an APK File
07:00 - Analysing the APK file with JADX-GUI
09:00 - Searching for strings, finding some tokens
10:15 - Looking at the Gitea API to discover how to use our token
14:15 - Looking at the Let's Chat API to discover how to use our token and dumping a list of rooms
16:30 - Using the Let's Chat API to dump messages from a room and discovering credentials
17:40 - Logging into the Cachet web server, finding the version and discovering known vulnerabilities
19:20 - Using a CVE-2021-39174 PoC (SSTI) to dump the Cachet configuration and get a password
23:50 - Logging into the box as will
25:40 - Discovering a verify.sh script that has a command injection when verifying APK files
29:00 - Using apktool to decompile the APK so we can change the name and repackage it
33:15 - Having trouble repacking our APK file and needing to update apktool, then getting root
38:00 - Showing another way to pop the Cachet server: pointing the cache configuration at our own Redis instance and using phpggc to create a deserialization gadget chain