Commemorative envelope cover. The Atomic Bomb - 1951.
Aston Martin DB4
Doing a little art dump again.
I want to sketch out what Sannet looks like to me. And then I did the scene where Szeras shows up at solomnec in the silence and the storm.
The second image is just me goofing off, trying to find the way I like to draw Thaszar. My desire for putting necrons in pretty little dresses can never be quenched.
I had a hard time visualizing the clothes in Ghosts, other fanfic. So I just decided to illustrate them myself.
Below that one is a sketch of Obyron taking a nap on Nep’s chest as the others are goofing around.
These two are very old and as you can clearly see unfinished. The first one is supposed to be the scene in severed where obyron and Zahndrekh are trying to figure out the riddle puzzle to get in to the core.
And the other one I made when the silence and the storm had a particular chapter released that made me emotional to the point of tears for the first time. Thanks Ghost 🫠👍
First one is just a reference I did for Imothk and the other one is my OC Cachet, they are a bit of a fashion geek. Don’t worry about the other fella up in the corner, they are now long gone, hopefully.
And down here below we have our favorite battle fleet armada necrons. I never got to see their full bodies in the playthrough of the game I saw, so I made the executive decision to try and imagine what their whole bodies look like on my own. I imagine Amarakun being pretty normal and uninteresting down there. And I decided that Zaa secretly has a little tail under a big skirt. Because as everyone knows, all astromancers are cats to some degree.
I love your OC 'Hellcat' btw, are you willing to chat about your other OCS?
here you go anon *throws a bunch of new yorkers at you*
All of these gals are a part of the 20th Century Limited, a New York to Chicago passenger service that ran in the first half of the 1900s. They're in a love triangle and everyone else on the NYC is living for the drama. Main bulk of their story takes place in the late 40s.
Cachet
dignified, responsible, strait-laced
she'll make sure the mail gets where it needs to go no matter the cost - kind of an ends justify the means person
tends to be kind of stoic but has this vulnerable, softer side that emerges occasionally
has rizzed possibly the entire railroad, entirely by accident - she just has that much unintentional game
is forreal in love with Century Club, but doesn't know how to actually pursue a real relationship
the structure on her right arm is a mail hook, used for bringing mail onto the train while in motion. In train form, it swings out, but here, it extends telescopically!
Century Club
sensual, big-hearted, bold
CeCe for short
possibly the loveliest person you've ever met - just really kind and open with people - always knows just what to say
has a trio of sisters that always have her back and will kill anyone that hurts her - CeCe is definitely the baby of the bunch - her sisters are Century Inn, Century Lounge, and Century Tavern
is technically a combination car but lounge car sounds better and that's what she tells people
big reader and writes poetry
started the year off in love with Carnegie, but is slowly shifting her affections towards Cachet
Carnegie
elegant, powerful, prideful
cold and beautiful like the lunar surface
Cachet's ex, currently trying to keep her and CeCe apart because she still has feelings
her and Cachet had an intense fling, Carnegie was more in love than Cachet was
is not in love with CeCe
not a bad person, just very very jealous
her and the other super hudsons all named themselves after prominent new york families after commodore vanderbilt (their older cousin and fellow hudson) was christened similarly - the others are Astor, Whitney, Roosevelt, Rockefeller, De Lancey, Morgan, Winthrop, Olyphant, and Goodyear
loves the theremin - listens to music out of the moon (album by les baxter, harry revel, and dr samuel hoffman) maybe every day
oh yeah and there's also a plotline where Cachet is carrying important documents and then gets robbed and goes on a noir detective style adventure to get them back all while confronting her own emotions but whatevs
238 YEARS AGO | Ruling of the Parlement of Paris against lettres de cachet ➽ http://bit.ly/Parlement-Lettres-Cachet On 4 January 1788, the magistrates thereby laid claim to a limited monarchy. In the winter of 1787, the parlements, emboldened by hostility to the royal use of lettres de cachet, sounded the tocsin against authority everywhere. Lit de justice, forced loan, princes sent into exile, remonstrance after remonstrance: a veritable league of the sovereign courts defies Louis XVI
Capitalism is a genius invention—if your goal is to reward sociopathy.
Here’s how it works: pile up stuff, call it “success,” and then spend your life convincing people to admire you for it. A yacht? Wow, you must be brilliant. A private jet? Incredible! Never mind the crushed souls in your wake—you're a visionary.
But hey, maybe you don’t feel like playing Monopoly with human lives. Maybe you'd rather not worship at the altar of stock options and CEO tear-downs. Lucky for you, there’s an alternative: stop treating "more" as a personality.
Here’s the trick: redefine cachet. Make it about how you treat people, not how many zeros are in your bank account. Build communities that thrive without squeezing the life out of others. Grow food, share skills, create things that last. Laughably radical, right? Almost like… humanity isn’t a product.
Escaping capitalism’s clutches isn’t about living off-grid or inventing new currencies. It’s about stepping back and saying, “Hey, maybe my self-worth isn’t tied to buying things I don’t need.” Wild concept, I know. But, who knows? It might just save your soul.
Catch
So over the last few weeks I've been working on Catch. With work and the festive period I haven't had a lot of time; I finally got the opportunity to finish it last night. :)
It has a medium rating but I wouldn't say it's due to the initial foothold and privilege escalation being difficult- it's more due to there being a couple of rabbit holes (all of which I fell into for a period!)
Enumeration
As always, a port scan kicks off the process. Unfortunately I can't show the output of the port scan as during the time I switched laptops and I'm too lazy to power my old one on. xD However, the results were roughly as follows:
Port 80: HTTP (Catch Global Systems main page)
Port 3000: Gitea(?)
Port 5000: Lets Chat(?)
Port 8000: Cachet status page system
Port 80 was the first location I checked. You're greeted with what appears to be Catch's main application:
The signup/login functionality isn't present; I did notice the ability to download a file. The file that downloads is an apk.
For those that are unfamiliar with mobile applications, apk is one of the file formats for an Android mobile application which uses XML and Java. Having a little experience with mobile applications, my first thought was to decompile the apk and check for any hidden hardcoded secrets, usually stored in strings.xml.
To decompile the apk, I used apktool.
$ apktool d catchv1.0.apk
This decompiles the apk to near its original form and places the resulting files in ./catchv1.0/. From here, I viewed ./res/values/strings.xml and found 3 potentially usable tokens for other applications:
$ grep token catchv1.0/res/values/strings.xml
<string name="gitea_token">b87bfb6345ae72ed5ecdcee05bcb34c83806fbd0</string>
<string name="lets_chat_token">NjFiODZhZWFkOTg0ZTI0NTEwMzZlYjE2OmQ1ODg0NjhmZjhiYWU0NDYzNzlhNTdmYTJiNGU2M2EyMzY4MjI0MzM2YjU5NDljNQ==</string>
<string name="slack_token">xoxp-23984754863-2348975623103</string>
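The hardcoded-token finding above, turned into a pre-release check that a build pipeline could run on a decompiled APK. This is an added example, not part of the original write-up; the function names, the heuristics and the sample file are constructed for illustration, and matched values are deliberately never printed.

```shell
#!/bin/sh
# Added example: flag credential-like <string> entries in res/values/strings.xml.

# scan_strings_xml FILE -> prints "name<TAB>reason" per suspicious entry.
scan_strings_xml() {
    awk '
    {
        line = $0
        # Loop so several entries on one physical line are all inspected.
        while (match(line, /<string name="[^"]+">[^<]*<\/string>/)) {
            entry = substr(line, RSTART, RLENGTH)
            line  = substr(line, RSTART + RLENGTH)
            name  = entry; sub(/^<string name="/, "", name); sub(/".*$/, "", name)
            value = entry; sub(/^[^>]*>/, "", value); sub(/<\/string>$/, "", value)
            reason = ""
            if (tolower(name) ~ /(token|secret|passw|api_?key|credential)/)
                reason = "credential-like name"
            else if (value ~ /^xox[a-z]-/)
                reason = "Slack-style token prefix"
            else if (length(value) >= 32 && value ~ /^[A-Za-z0-9+\/=_-]+$/)
                reason = "long opaque value"
            if (reason != "") printf "%s\t%s\n", name, reason
        }
    }' "$1"
}

# write_sample FILE -> constructed strings.xml (all values are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Catch</string>
    <string name="gitea_token">CONSTRUCTED0000000000000000000000000000</string>
    <string name="chat_backend">Q09OU1RSVUNURUQtU0FNUExFLVZBTFVFLU5PVC1SRUFM</string>
    <string name="legacy">xoxp-000000-CONSTRUCTED</string>
    <string name="welcome">Welcome to Catch</string>
</resources>
EOF
}

# Demo on the constructed file; a CI job would fail the build on any output.
demo=$(mktemp)
write_sample "$demo"
scan_strings_xml "$demo"
rm -f "$demo"
```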
Foothold
With these in hand, I started with Lets Chat at random. Lets Chat is an open-source chat application utilizing a REST API. With it being open-source, it didn't take long at all to find how to use the discovered token:
As you can see, a password for John is viewable in one of the chat rooms. This grants you access to another one of their applications called Cachet- open-source yet again.
Cachet is the last stop before system access; admittedly this is where I fell into rabbit hole 1 as I did spend some time trying to use the gitea_token, more out of curiosity than anything. After spending some time on this, however, I gave up and focused on Cachet.
As it turns out, the version of Cachet in use had two publicly known vulnerabilities related to interaction with the application's dotenv file. One allowed you to leak values set in dotenv while the other allowed you to add new values to dotenv which could be used to achieve remote command execution. This is done by hosting a redis server, altering the dotenv file to make the application use your hosted redis server as a session driver and finally changing the value of the session key after the initial connection to a payload generated by phpggc. Better detail of this is given here.
I did spend some time playing around with the RCE vulnerability here, more out of interest as I haven't had any experience with Redis prior to this and it took me a while to get RCE working as the video doesn't explicitly show the process step-by-step.
Originally, I was getting the token from the source code in the application, adding this as a key with the phpggc payload as the value and then altering the dotenv file to connect to my Redis Server. As the RCE occurs when the client connects the second time and reads the value from the original session token, this didn't work.
I did eventually get this working, uploaded a PHP web shell and upgraded this to a reverse shell; this ultimately proved to be a waste of time as you end up in a Docker instance with no ability to break out of it!
With a heavy heart, I turned to the second vulnerability and leaked the database password from the dotenv file. This grants us access to the server through SSH as Will.
Privilege Escalation
Privilege escalation was actually quite easy! Some simple enumeration reveals the presence of a world-writeable directory /opt/mdm/apk_bin. In /opt/mdm, there is a Bash file verify.sh.
verify.sh is used to verify the legitimacy of apks uploaded to apk_bin and is executed as part of a cronjob which is executed as root. While references to verify.sh cannot be directly found, there is reference to 'check.sh' in the root directory in running processes (netstat -ano.)
The interesting lines of the script are here:
app_check() {
    APP_NAME=$(grep -oPm1 "(?<=string name=\"app_name\">)[^<]+" "$1/res/values/strings.xml")
    echo $APP_NAME
    ...
The function app_check is taking the app_name from strings.xml and echoing it back with no form of mitigation against command injection. For example, wrapping the variable name with ${} would have prevented this vulnerability being exploitable as this would have specified that only variable expansion was expected- the app name would have been echoed back as a string and not interpreted as a literal Bash command.
I tested this first by simply making the app name 'Catch; touch /opt/mdm/heuheu' and uploading it using python -m SimpleHTTPServer on my end and curl on Catch's end which achieved the expected outcome.
I did this with APK Editor Studio after encountering some errors trying to manually decompile and then recompile with apktool. Note that you also need to create a key for signing the APK as verify.sh uses jarsigner to verify this.
will@catch:/opt/mdm/apk_bin$ ls -al ..
total 16
drwxr-x--x+ 3 root root 4096 Jan 6 21:55 .
drwxr-xr-x 4 root root 4096 Dec 16 2021 ..
drwxrwx--x+ 2 root root 4096 Jan 6 22:03 apk_bin
-rw-r--r-- 1 root root 0 Jan 6 21:55 heuheu
-rwxr-x--x+ 1 root root 1894 Mar 3 2022 verify.sh
From here, I went old school and just made /etc/passwd fully accessible by everyone before changing root's password to 'mwaha'
Generating the password:
$ openssl passwd mwaha
KW56XEY7wxZuU
Where the password is added in /etc/passwd:
root:KW56XEY7wxZuU:...
There you go. ^-^
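For the app_check step described above, a hardened variant that validates the extracted app name against an allowlist before a root-run job uses it anywhere. This is an added example, not the box's verify.sh; the function names and the allowlist (1 to 64 characters of letters, digits, dot, underscore and hyphen) are assumptions. Quoting an expansion keeps the value a single word, but a name taken from an uploaded file still needs validating before any later command consumes it.

```shell
#!/bin/sh
# Added example: allowlist validation of app_name before privileged use.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges byte-exact

# extract_app_name DIR -> first app_name value in DIR/res/values/strings.xml
extract_app_name() {
    sed -n 's/.*<string name="app_name">\([^<]*\)<.*/\1/p' \
        "$1/res/values/strings.xml" 2>/dev/null | head -n 1
}

# is_safe_app_name NAME -> 0 only if NAME matches the assumed allowlist.
is_safe_app_name() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 64 ] || return 1
    case $1 in
        [-.]*|*[!A-Za-z0-9._-]*) return 1 ;;   # leading - or ., or any other byte
    esac
    return 0
}

# app_check_hardened DIR -> prints the validated name, or returns 1.
app_check_hardened() {
    name=$(extract_app_name "$1")
    if ! is_safe_app_name "$name"; then
        echo "rejected: app_name fails allowlist" >&2
        return 1
    fi
    # printf with a fixed format and a quoted argument: the value is data only.
    printf '%s\n' "$name"
}

# make_sample DIR NAME -> constructed decompiled-APK tree for the demo.
make_sample() {
    mkdir -p "$1/res/values"
    printf '<resources>\n    <string name="app_name">%s</string>\n</resources>\n' \
        "$2" > "$1/res/values/strings.xml"
}

# Demo: the benign name passes, the name used in the write-up is rejected.
d=$(mktemp -d)
make_sample "$d/good" "Catch"
make_sample "$d/bad" "Catch; touch /opt/mdm/heuheu"
app_check_hardened "$d/good"
app_check_hardened "$d/bad" || echo "second sample rejected"
rm -rf "$d"
```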
Pronunciation: [ ka-shey, kash-ey ]