Return to forum

percyjacking · March 26, 2022 at 7:23 AM

access let'chat api with credentials at /res/values/strings.xml after that you can see john's password in the room and then use this credential access to cachet system

___user___ · March 27, 2022 at 4:14 AM

(March 26, 2022, 07:23 AM)percyjacking Wrote: access let'chat api with credentials at /res/values/strings.xml after that you can see john's password in the room and then use this credential access to cachet system

got that. after that i need help. working with the exploit.

skyweasel · March 27, 2022 at 7:44 AM

(March 25, 2022, 09:56 AM)percyjacking Wrote: https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection

Got User:John's Password and test change env config file according to this website it doesn't work, can you recommend anything?

Version: 2.4.0.-dev
yea, drop the ${} querires in the Mail from address.. e.g. ${DB_Username}

refresh, and it populates the field.

else you can intercept the mail set request and change the mail_driver to the value you want ${DB_USERNAME}, run a test on the page and then check the logs - you'll see the value in there too.

## Cachet ENV Variables
https://docs.cachethq.io/docs/installing-cachet

Then SSH as will

percyjacking · March 27, 2022 at 9:48 AM

(March 27, 2022, 07:44 AM)skyweasel Wrote:
(March 25, 2022, 09:56 AM)percyjacking Wrote: https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection

Got User:John's Password and test change env config file according to this website it doesn't work, can you recommend anything?

Version: 2.4.0.-dev
yea, drop the ${} querires in the Mail from address.. e.g. ${DB_Username}

refresh, and it populates the field.

else you can intercept the mail set request and change the mail_driver to the value you want ${DB_USERNAME}, run a test on the page and then check the logs - you'll see the value in there too.

## Cachet ENV Variables
https://docs.cachethq.io/docs/installing-cachet

Then SSH as will

Thanks bro.

___user___ · March 30, 2022 at 4:59 AM

anyone please share the root part.

___user___ · April 1, 2022 at 10:48 AM

Any one having the root hash?

https://fdlucifer.github.io/2022/03/23/catch/

oxninja · April 1, 2022 at 2:39 PM

well done. Thanks for your efforts.

inferno7us · April 2, 2022 at 1:46 PM

how to get root on the machine?

koil · April 8, 2022 at 10:18 AM

can someone help me run the exploit on catchet?
the instructions not working properly

john2 · April 8, 2022 at 12:19 PM

(April 8, 2022, 10:18 AM)koil Wrote: can someone help me run the exploit on catchet?
the instructions not working properly

which instruction , explain further