Instant

Port scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Instant Wallet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Apk

The webpage offers an option to download the APK.

Static analysis

For static analysis, we can decompile the APK. I used the following website:

There's an interesting API call under sources/com/instantlabs/instant/AdminActivities.java

Feeding the JWT to jwt.io, we get the values:

We can try sending a request to see what data we can get through this API:

Hmm, nothing much interesting.

With this we can find another subdomain (vhost):

Upon visiting it, we can see it provides API docs for the app.

LFI (web)

The Logs section is interesting:

There are two API calls:

1. /api/v1/admin/view/logs
2. /api/v1/admin/read/log

After looking at both, we can see it's a classic LFI. The read/log API doc revealed the username:

Let's grab the SSH key:

VS Code was really helpful to clean/correct the id_rsa key.
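The containment check that keeps a log-reading endpoint like read/log from returning files outside its log directory, as an added example that is not code from the box or from this write-up. The function names, directory layout and file contents are constructed for illustration, and the check also covers absolute paths and symlinks, which goes beyond the single case in the text.

```python
import os
import tempfile
from pathlib import Path


def read_log_vulnerable(log_dir: str, name: str) -> str:
    """'Before': the caller-supplied name is joined to the log directory unchecked."""
    with open(os.path.join(log_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_log_safe(log_dir: str, name: str) -> str:
    """'After': canonicalize first, then require the result to stay inside log_dir."""
    base = Path(log_dir).resolve()
    target = (base / name).resolve()  # collapses ".." and follows symlinks
    if base not in target.parents or not target.is_file():
        raise PermissionError(f"rejected log name: {name!r}")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Run both handlers over a constructed directory tree and report the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        logs = Path(root, "logs")
        logs.mkdir()
        (logs / "1.log").write_text("This is a sample log\n")
        secret = Path(root, "secret.key")  # constructed stand-in for a private file
        secret.write_text("CONSTRUCTED-SECRET\n")
        os.symlink(secret, logs / "link.log")  # a link inside logs/ pointing outside it
        for name in ("1.log", "../secret.key", str(secret), "link.log"):
            row = {}
            for label, fn in (("vulnerable", read_log_vulnerable), ("safe", read_log_safe)):
                try:
                    row[label] = fn(str(logs), name).strip()
                except OSError as exc:  # PermissionError is an OSError subclass
                    row[label] = type(exc).__name__
            results["<absolute path>" if name == str(secret) else name] = row
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16} vulnerable={row['vulnerable']!r:24} safe={row['safe']!r}")
```

Resolving the path before comparing it is the important step: a string prefix test on the raw input would miss the symlink and absolute-path cases.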

User shell

Root shell

There's a strange file in /opt/backups/Solar-puTTY

Upon googling what the session file is for, and its vulnerabilities, I found this blog (and he's the author of this box)

Converting the script from C# to Python with GPT was easy; with that we can have the root data.

Root password

______________________heapbytes' still pwning.
