Posts: 65 Threads: 0 Joined: N/A March 18, 2022 at 11:33 AM

Hi,
let's open discussion about new machine catch 10.10.11.150

Posts: 71 Threads: 0 Joined: N/A March 19, 2022 at 6:20 AM

Focus on the APK for a good starting point. Static analysis is fine, no need to run the app. Hunt for strings in the standard places bad coders might leave shit. Once done, u'll have some API keys - go find where only one of them works and be sure to check in all the "places" inside that system - u'll find some more creds. Now find a place that takes those creds. Once logged in, hunt for an exploit based on that web app's version. There's a good writeup out there that talks about how to reference other variables in this framework. And no, it's not SQLi. Once you're successful there u'll find user creds for ssh and the user flag. Lastly, hunt for scripts and read them carefully, you can exploit a part of with when you play around with the APK and the file with the creds you found earlier.
Rep me if this was helpful

Posts: 65 Threads: 0 Joined: N/A March 19, 2022 at 9:14 AM

(March 19, 2022, 06:20 AM) skyweasel Wrote: Focus on the APK for a good starting point. Static analysis is fine, no need to run the app. Hunt for strings in the standard places bad coders might leave shit. Once done, u'll have some API keys - go find where only one of them works and be sure to check in all the "places" inside that system - u'll find some more creds. Now find a place that takes those creds. Once logged in, hunt for an exploit based on that web app's version. There's a good writeup out there that talks about how to reference other variables in this framework. And no, it's not SQLi. Once you're successful there u'll find user creds for ssh and the user flag. Lastly, hunt for scripts and read them carefully, you can exploit a part of with when you play around with the APK and the file with the creds you found earlier.
Rep me if this was helpful

Rep ++

Posts: 65 Threads: 0 Joined: N/A March 20, 2022 at 4:18 AM

(March 19, 2022, 06:20 AM) skyweasel Wrote: Focus on the APK for a good starting point. Static analysis is fine, no need to run the app. Hunt for strings in the standard places bad coders might leave shit. Once done, u'll have some API keys - go find where only one of them works and be sure to check in all the "places" inside that system - u'll find some more creds. Now find a place that takes those creds. Once logged in, hunt for an exploit based on that web app's version. There's a good writeup out there that talks about how to reference other variables in this framework. And no, it's not SQLi. Once you're successful there u'll find user creds for ssh and the user flag. Lastly, hunt for scripts and read them carefully, you can exploit a part of with when you play around with the APK and the file with the creds you found earlier.
Rep me if this was helpful

Can you please send me your Discord or Telegram account in PM?

Posts: 65 Threads: 0 Joined: N/A March 24, 2022 at 3:12 AM

Guys, did anyone get anything related to this machine? I can't find the hard-coded info.

Posts: 65 Threads: 0 Joined: N/A March 24, 2022 at 2:49 PM

Guys, can anyone share the root hash if he solved the machine, to get the writeup?

Posts: 71 Threads: 0 Joined: N/A March 24, 2022 at 10:44 PM

(March 24, 2022, 03:12 AM) john2 Wrote: Guys, did anyone get anything related to this machine? I can't find the hard-coded info.

Decompile/dump the APK with apktool, locate and look in /res/values/strings.xml. There's API keys there, find which one works and where.

Posts: 65 Threads: 0 Joined: N/A March 25, 2022 at 9:15 AM

(March 24, 2022, 10:44 PM) skyweasel Wrote: (March 24, 2022, 03:12 AM) john2 Wrote: Guys, did anyone get anything related to this machine? I can't find the hard-coded info.
Decompile/dump the APK with apktool, locate and look in /res/values/strings.xml. There's API keys there, find which one works and where.

Thank you, I will try again.

Posts: 10 Threads: 0 Joined: N/A March 25, 2022 at 9:56 AM

https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection
Got User:John's password and tested changing the env config file according to this website, but it doesn't work. Can you recommend anything?

Posts: 30 Threads: 0 Joined: N/A March 26, 2022 at 4:59 AM

How to exploit CVE-2021-39173? Any idea to get user?
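
The reply earlier in the thread about /res/values/strings.xml describes a common failure: credentials shipped inside an APK's string resources. As an added example (not from any poster in this thread), here is a pre-release check that parses a decoded strings.xml and flags entries that look like secrets by resource name or by value shape. The sample names and values are constructed, and the name patterns and entropy threshold are assumptions to tune per project.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an apktool-decoded res/values/strings.xml.
# Every name and value is made up for this example.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo</string>
    <string name="welcome_message">Welcome back to the demo application</string>
    <string name="status_api_token">EXAMPLEa1B2c3D4e5F6g7H8i9J0kLmN</string>
    <string name="lb_sync_id">EXAMPLE-0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c</string>
    <string name="db_password">Example2022!</string>
    <string name="build_id">20220318</string>
</resources>
"""

# Assumed heuristics: resource names that suggest a credential, and values
# shaped like an opaque token (long, no spaces, token alphabet).
SUSPICIOUS_NAME = re.compile(r"token|secret|passw|api_?key|_key$|auth|credential", re.I)
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-+/=.]{20,}$")


def shannon_entropy(value):
    """Bits per character; random tokens score higher than words or dates."""
    total = len(value)
    return -sum((value.count(c) / total) * math.log2(value.count(c) / total)
                for c in set(value))


def find_hardcoded_secrets(xml_text, min_entropy=3.5):
    """Return (resource name, reason) for every <string> that looks like a secret."""
    findings = []
    for node in ET.fromstring(xml_text.encode("utf-8")).iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        by_name = bool(SUSPICIOUS_NAME.search(name)) and len(value) >= 8
        by_shape = bool(TOKEN_SHAPE.match(value)) and shannon_entropy(value) >= min_entropy
        reasons = [label for label, hit in (("name", by_name), ("shape", by_shape)) if hit]
        if reasons:
            findings.append((name, "+".join(reasons)))
    return findings


if __name__ == "__main__":
    # Values are never printed, so the report itself does not leak them.
    for name, reason in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"strings.xml: {name} flagged ({reason})")
```

Anything this flags belongs on a server the app authenticates to, not in the package, and a key that has already shipped in a released APK should be rotated.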