HackTheBox - Catch

00:00 - Intro
01:00 - Start of nmap, going over some standard cookies and knowing the web technology behind it
06:15 - Checking what the main webpage is, discovering an APK file
07:00 - Analysing the APK file with JADX-GUI
09:00 - Searching for strings, finding some tokens
10:15 - Looking at the Gitea API to discover how to use our token
14:15 - Looking at the Let's Chat API to discover how to use our token and dumping a list of rooms
16:30 - Using the Let's Chat API to dump messages from a room and discovering credentials
17:40 - Logging into the Cachet webserver, finding the version and discovering known vulnerabilities
19:20 - Using a CVE-2021-39174 POC to dump the Cachet configuration and get a password (SSTI)
23:50 - Logging into the box as will
25:40 - Discovering a script that has a command injection when verifying APK files
29:00 - Using apktool to decompile the APK so we can change the name and repackage it
33:15 - Having trouble repacking our APK file,