search

Instant

hashtag
Port scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Instant Wallet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

hashtag
Apk

We do have a option to download apk on the webpage

http://instant.htb/downloads/instant.apkinstant.htbchevron-right

hashtag
Static analysis

For static analysis, we can decompile our code. I used following website:

LogoAPK decompiler - decompile Android .apk βœ“ ONLINE βœ“www.javadecompilers.comchevron-right

There's intresting API call under sources/com/instantlabs/instant/AdminActivities.java

Feeding the jwt token to jwt.io, we get values

We can try sending req to see what data we can get through this API,

Hmm, not much intresting.

With this we can find another sub-domain, (VHOST)

Upon visit we can see it provides API docs for the app

hashtag
LFI (web)

Logs section is intresting,

There are API calls, 1. /api/v1/admin/view/logs 2. /api/v1/admin/read/log After looking at both, we can SEE it's a classic LFI. The read/log api doc revealed the username,

Let's grab ssh key,

VsCode was really helpful to clean/correct the id_rsa key

hashtag
User shell

hashtag
Root shell

There's a strange file in /opt/backups/Solar-puTTY

Upon googling what's the session file for, and it's vulnerabilites, I found this blog (and he's the author of this box)

LogoReverse Engineering Solar-PuTTY 4.0.0.47 - HackMDHackMDchevron-right

Converting the script for C# to python from GPT was easy, with that we can have root data

hashtag
Root password

______________________heapbytes' still pwning.

PreviousTricksterNextIClean

Last updated