Catch

So over the last few weeks I've been working on Catch. With work and the festive period I haven't had a lot of time; I finally got the opportunity to finish it last night. :)

It has a medium rating but I wouldn't say it's due to the initial foothold and privilege escalation being difficult- it's more due to there being a couple of rabbit holes (all of which I fell into for a period!)

Enumeration

As always, a port scan kicks off the process. Unfortunately I can't show the output of the port scan as during the time I switched laptops and I'm too lazy to power my old one on. xD However, the results were roughly as follows:

Port 80: HTTP (Catch Global Systems main page)

Port 3000: Gitea(?)

Port 5000: Lets Chat(?)

Port 8000: Cachet status page system

Port 80 was the first location I checked. You're greeted with what appears to be Catch's main application:

The signup/login functionality isn't present; I did notice the ability to download a file. The file that downloads is an apk.

For those that are unfamiliar with mobile applications, apk is one of the file formats for an Android mobile application which uses XML and Java. Having a little experience with mobile applications, my first thought was to decompile the apk and check for any hidden hardcoded secrets, usually stored in strings.xml.

To decompile the apk, I used apktool.

$ apktool d catchv1.0.apk

This decompiles the apk to near it's original form and places the resulting files in ./catchv1.0/. From here, I viewed ./res/values/strings.xml and found 3 potentially usable tokens for other applications:

$ grep token catchv1.0/res/values/strings.xml <string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string> <string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string> <string name="slack_token">xoxp-23984754863-2348975623103</string>

Foothold

With these in hand, I started with Lets Chat at random. Lets Chat is an open-source chat application utilizing a REST api. With it being open-source, it didn't take long at all to find how to use the discovered token:

As you can see, a password for John is viewable in one of the chat rooms. This grants you access to another one of their applications called Cachet- open-source yet again.

Cachet is the last stop before system access; admittedly this is where I fell rabbit hole 1 as I did spend some time trying to use the gitea_token, more out of curiosity than anything. After spending some time on this, however, I gave up and focused on Cachet.

As it turns out, the version of Cachet in use had two pubicly known vulnerabilities related to interaction with the application's dotenv file. One allowed you to leak values set in dotenv while the other allowed you to add new values to dotenv which could be used to achieve remote command execution. This is done by hosting a redis server, altering the dotenv file to make the application use your hosted redis server as a session driver and finally changing the value of the session key after the initial connection to a payload generated by phpggc. Better detail off this is given here.

I did spend some time playing around with the RCE vulnerability here, more out of interest as I haven't had any experience with Redis prior to this and it took me a while to get RCE working as the video doesn't explicitly show the process step-by-step.

Originally, I was getting the token from the source code in the application, adding this as a key with the phpggc payload as the value and then altering the dotenv file to connect to my Redis Server. As the RCE occurs when the client connects the second time and reads the value from the original session token, this didn't work.

I did eventually get this working, uploaded a PHP web shell and upgraded this to a reverse shell; this ultimately proved to be a waste of time as you end up in a Docker instance with no ability to break out of it!

With a heavy heart, I turned to the second vulnerability and leaked the database password from the dotenv file. This grants us access to the server through SSH as WIll.

Privilege Escalation

Privilege escalation was actually quite easy! Some simple enumeration reveals the presence of world-writeable directory /opt/mdm/apk_bin. In /opt/mdm, there is a Bash file verify.sh.

verify.sh is used to verify the legitimacy of apks uploaded to apk_bin and is executed as part of a cronjob which is executed as root. While references to verify.sh cannot be directly found, there is reference to 'check.sh' in the root directory in running processes (netstat -ano.)

The interesting lines of the script are here:

app_check() { APP_NAME=$(grep -oPm1 "(?<=string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml") echo $APP_NAME ...

The function app_check is taking the app_name from strings.xml and echoing it back with no form of mitigation against command injection. For example, wrapping the variable name with ${} would have prevented this vulnerability being exploitable as this would have specified that only variable expansion was expected- the app name would have been echoed back as a string and not interpreted as a literal Bash command.

I tested this first by simply making the app name 'Catch; touch /opt/mdm/heuheu' and uploading it using python -m SimpleHTTPServer on my end and curl on Catch's end which achieved the expected outcome.

I did this with APK Editor Studio after encountering some errors trying do manually decompile and then recompile with apktool. Note that you also need to create a key for signing the APK as verify.sh uses jarsigner to verify this.

will@catch:/opt/mdm/apk_bin$ ls -al .. total 16 drwxr-x--x+ 3 root root 4096 Jan 6 21:55 . drwxr-xr-x 4 root root 4096 Dec 16 2021 .. drwxrwx--x+ 2 root root 4096 Jan 6 22:03 apk_bin -rw-r--r-- 1 root root 0 Jan 6 21:55 heuheu -rwxr-x--x+ 1 root root 1894 Mar 3 2022 verify.sh

From here, I went old school and just made /etc/passwd fully accessible by everyone before changing root's password to 'mwaha'

Generating the password:

$ openssl passwd mwaha KW56XEY7wxZuU

Where the password is added in /etc/passwd:

root:KW56XEY7wxZuU:...

There you go. ^-^

Not gonna lie, they did a good job with this ad

(via Nodejs Cron Job Scheduler & Cron Expression Tutorial in JavaScript with Examples for Developers) Full Video Link       https://youtu.be/yI_xAky_-3c        Hello friends, new #video on #cronjob #jobscheduler #scheduler #cronexpression in #nodejs #javascript #projeect #application #tutorial #examples is published on #codeonedigest #youtube channel.  @java #java #aws #awscloud @awscloud @AWSCloudIndia #salesforce #Cloud #CloudComputing @YouTube #youtube #azure #msazure  #codeonedigest @codeonedigest  #nodejs #cronjob #javascript #nodejstutorial #learnnodejs #node.js #nodejsandexpressjstutorial #cronjobexample #jobscheduling #jobscheduler #cronjobscheduler #javascriptcronjob #javascriptjobscheduler #javascripttutorialforbeginners #javascripttutorial #javascriptfullcourse #cronscheduler #cronjobschedulerexpression #cronexpression #cronexpressioninjavascript #nodejscronexpression #nodejsjobscheduler #nodejscronjob #nodejstutorial #job

How MoizWordpress Automated a Gaming Console Inventory with WooCommerce and Google Sheets

A few months ago, we took on a project that would challenge our creativity and technical expertise in ways we hadn't anticipated. Our client, an ambitious retailer of gaming consoles, approached us with a unique problem: they needed to streamline their inventory management, which was becoming increasingly cumbersome. The solution? A seamless integration between Google Sheets and WooCommerce that would automatically update their online store with the latest products, taxonomies, and tags. And to make it even more exciting, the entire process had to be automated through a cron job that would run at a specific time every month.

The Challenge

From the outset, we knew this project was going to be interesting. The client was managing their gaming console inventory in a Google Sheet. Every time they wanted to update their online store, they had to manually input the data into WooCommerce—a tedious process that was eating up valuable time and resources.

The goal was clear: we needed to create a system where all product data, including details like console types, storage capacities, and even color options, would be automatically imported from Google Sheets into WooCommerce. But it didn’t stop there. We also had to generate the correct taxonomies and product tags, ensuring everything was organized and searchable. And the best part? This all needed to happen on autopilot, triggered by a monthly cron job.

Crafting the Solution

We began by diving deep into the Google Sheet where the client kept all their data. Each row represented a gaming console, with columns for various attributes like brand, model, operating system, RAM, and more. We knew that every piece of information in this sheet had to find a home in WooCommerce, so we mapped out how each column would correspond to a product property, taxonomy, or tag in the store.

The first step was to create a custom WooCommerce integration that could read the Google Sheet data. We developed a script that would pull the information directly from the sheet, process it, and then push it into WooCommerce. This wasn’t just about creating products; we needed to ensure that each product was categorized correctly, with all relevant taxonomies and tags.

To make the shopping experience even better, we added a feature that allowed users to compare prices and features across different gaming consoles. This comparison tool would enable customers to make well-informed decisions, comparing specs like storage capacity, operating system, and price points—all at a glance.

We then turned our attention to the cron job. The client wanted the store to be updated automatically at a specific time each month, reflecting any changes made to the Google Sheet. To achieve this, we set up a cron job on their server that would trigger our script at the designated time. This cron job would fetch the latest data, compare it with what was already in WooCommerce, and make any necessary updates—whether it was adding new products, modifying existing ones, or deleting items no longer available.

Overcoming the Hurdles

Like any project, we encountered our share of challenges. One of the biggest was ensuring that the data transfer was both accurate and efficient. Google Sheets is a fantastic tool, but when you're dealing with large amounts of data, things can get a little tricky. We had to carefully manage how the data was read and processed to avoid any potential issues like timeouts or incomplete transfers.

Another challenge was making sure that the cron job ran smoothly without interrupting the client's site. We tested the process extensively, running it at different times and with varying amounts of data to ensure that everything would work as intended when it went live.

The Outcome

When we finally deployed the solution, the results were exactly what the client had hoped for. Their WooCommerce store was now fully integrated with Google Sheets, and the monthly cron job was keeping everything up to date without any manual intervention. The client could focus on growing their business, confident that their online store was always accurate and up-to-date.

The addition of the price and features comparison tool was a game-changer. Customers could now easily weigh their options, helping them choose the console that best suited their needs and budget. This not only enhanced the shopping experience but also built trust and transparency with their audience.

Final Thoughts

This project was a testament to what the MoizWordPress team can achieve with the right mix of creativity and technical know-how. By thoroughly understanding our client’s needs and leveraging the power of automation, we delivered a solution that not only met but exceeded their expectations. The seamless integration of Google Sheets with WooCommerce, coupled with the addition of a price and features comparison tool, truly transformed their online store.

If you’re looking to streamline your own processes, enhance your e-commerce platform, or simply want to learn more about how we can help bring your ideas to life, we’d love to hear from you. Get in touch with us today to explore how MoizWordPress can elevate your business to the next level.

sometimes i love my hyperfixation because it allows me to solely focus on stuff and ignore any distractions, but other times it's just plainly disruptive ;;;; can't even sit down for one day to properly finish setting up a server & deploy a project, but managed to enhance my tumblr reblogger script to auto-queue my latest writing post for a defined number of times & bump a certain amount on the top of the queue (╥_╥)

copying this one run is fucking killing me. what do you mean its not even half done. 5000 files more to go??? i literally logged on over the weekend to let the copy process run for a few hours at a time. how much longer do i have to wait???

How to run automatic nightly backups of your computer:

Linux: Set up a cronjob to run rsync or borgbackup or install a Flatpak to do it. All of this is gratis and libre, of course.

Macintosh: Use Time Machine which is included with the operating system.

Windows: "Well, Microsoft removed the backup feature from Windows 10 to sell more OneDrive plans so your best option is to use either MeeVee Reflect (doesn't do what you asked for), SoftSponge™ DataSquirt™ (proprietary and $175), or RecRxWxBackCopy (last updated in 2007)."

Valentine's Guide for Care and Feeding of Annoying Shitbird Rockerboys

Should you find yourself unhappily occupying the same brainpan as a man who blew up a few blocks of your city half a century ago, consider applying the following two-pronged approach to curb your rockerboy's urge to go on long angry rants and ruin everyone's day and give you the worst tension headache anyone has ever had in their life:

Do Not Engage

The first and most important technique is also the hardest. Take care not to react strongly to anything the rockerboy may say, especially if he says it in a mocking tone. While it's true that he expresses this behavior as a function of his feelings of inadequacy and general frustration at the direction his life and the world has taken, it's no excuse for bad behavior, and it must not be rewarded.

Take for instance: "Fucking corps never can be satisfied until they've got everyone crushed under their heel."

Acceptable general responses:

"Uhuh."

"I've never heard that before."

"Yes, you're right, that's very interesting."

These may generate a variety of unpleasant replies, but remember: Do Not Engage. You may be unable to stop yourself from reacting emotionally, but also remember that these emotions may not be your own. Simply remain quiet and keep working, until your rockerboy tires himself out. It's important to stay consistent when confronting this behavior, until he learns that it is unproductive as well as unsatisfying.

2. Reward Good Etiquette

It's not enough to simply ignore bad behavior. Good behavior must be encouraged if you wish to properly socialize your grubby egomaniacal brain parasite. Even if you are tired, in pain, and almost certainly going to die in a few weeks, that's no excuse not to keep up your work.

Take for instance the neutral statement: "Huh. Haven't heard that song playing in a while."

While this may seem like the bare minimum of polite conversation, it is a crucial first step in creating a bearable level of social interaction with the thing that is slowly overwriting your sense of self. Never let it be said that you are a poor manager of your resources, whether they be useful cronjob scripts or the person who is involuntarily killing you, minute by minute and neuron by neuron.

Suggested Responses:

"I've never heard it before. Is it a favorite of yours?"

"It's not bad. Got a catchy bass line."

(Stop and listen to the song.)

Remember: only you can save you. And you can't be saved. Might as well try to make the best of it!

i recharge mana faster at 3am from the ambient cronjobs being triggered

It looks like some of the cronjobs that would normally maintain NextCloud Memories are not set up by the kube pod that they use for apps so I am learning things about Kubernetes against my will. Committing crimes by running shells inside pods.

When I learned about Docker against my will I also turned out to think that was pretty neat so, you know. Kubernetes can use Docker but this one doesn't.

tbh as much as I miss my ex-girlfriend's company we just weren't working out as a girlfriend-girlfriend couple. but I do appreciate her taking the time out of her day to talk to me about my new job and help me out with cronjob/MySQL stuff.

here's the extremely cursed way i'm automating my art sideblog:

use tumblr's built-in discord webhook setting to post all of my tumblr posts to discord.

a discord bot sends the post id to a cloudflare worker.

the cloudflare worker checks if it's tagged "my art", then does the job of authenticating with a tumblr application & reblogging the post.

you may be wondering: why the fuck am i doing it this way?

i didn't want to run a cronjob or run something 24/7 waiting for posts, and it just so happens that tumblr has a discord webhook setting. i have a lot of experience with discord bots, so uh. oops

and i didn't want to host a discord bot myself, so i'm using pylon. storing tumblr credentials in a random bot is bad, so cloudflare worker it is. pylon can't sign requests as easily anyways.

don't worry, i'm going to do this properly later, this is just a temporary hack lmfao

Tempo hari, diminta kampus untuk mindah salah satu server yang dari workstation biasa ke server kampus. Karena pakai infrastruktur nya virtual-machine, walhasil tinggal pindah virtual-harddisk (VHD) settingan ikut, tinggal disesuaikan dikit.

Hari pertama setelah selesai pindah, masih ada kendala bahwa server tidak dapat diakses di jaringan lokal. Walaupun dari hoating sudah diarahkan ke alamat IP public terkait dan di reverse proxy ke alamat IP sesungguhnya. Masalah teratasi keesokan harinya setelah network engineer saya minta untuk tambahkan IP static atau ganti IP DNS (DHCP) dengan public DNS.

Namun sangat disayangkan, catu daya mati di siang hari sesaat saya konfirmasi bahwa jaringan lokal sudah dapat mengakses server dengan domain terkait. Masalah selanjutnya datang, yakni setelah dinyalakan server tidak otomatis mem-booting VM. Namun hal tersebut dapat teratasi karena sudah diantisipasi dengan melakukan setting pada BIOS supaya mainboard dapat menyala sesaat setelah mendapat catu daya.

Tinggal masalah terakhir bahwa dari VM sendiri tidak dapat menjalankan cronjob maupun booting otomatis melalui VBoxManage. Hingga akhirnya jalan terakhir adalah menjadikan action tersebut sebuat service yang berjalan sesaat setelah booting hypervisor selesai.

Dan benar, Hari ini terjadi pemadaman listrik. Setelah pemadaman, hypervisor dan VM booting kembali secara normal.

Baru saja, saya menambahkan auto-mount ke harddisk bawaan servernya. Mungkin besok saat restart server akan dicoba dan dilihat hasilnya.

Fin.

Surakarta, Jumat, 31 Maret 2023

Rhesa

Referensi :

[1] https://kifarunix.com/autostart-virtualbox-vms-on-system-boot-on-linux/

[2] https://www.linuxbabe.com/desktop-linux/how-to-automount-file-systems-on-linux

MariaDB - Creating an Event and Procedure

Taking some time today to share a simple example of how to create an Event and a Stored Procedure in MariaDB. Use Case / Benefits: Executes an Stored Procedure on a set schedule (like a cronjob) Using a Stored Procedure in conjunction with an event allows you to change the code associated with the procedure without having to recreate the Event if something needs to be added Example – Stored…

View On WordPress