Instant
Nmap recon

A bit of fuzzing as always

Have a look at the webpage

Nice, it lets us download an apk called instant.apk
unpack it with apktool

let's look around for something interesting

inside the second file there's a hard-coded URL and a JWT token

well, let's use those...

Let's try with burp

I wonder if this api endpoint is documented on swagger...


Now we kinda have a full view of the API calls, so let's try to enumerate users

The only useful one seems to be shirohige; let's look a bit more...

It seems that the log files are referenced directly by path, so let's check some more API calls to see if we can exploit this


nice.
It's time to directory traverse to the flag!

Easy enough.
Let's try some more...

But why not exfiltrate the id_rsa key directly, so we can log in straight away!
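The traversal works because the log endpoint joins the requested file name onto the log directory without checking where the result ends up. As an added example (my own code, not the box's service or anything from this writeup; a hypothetical Python handler with a constructed sample tree), here is that unchecked join beside a containment check that rejects `../` segments, absolute paths and same-prefix directories:

```python
import os
import tempfile
from pathlib import Path


def vulnerable_log_path(log_root: str, requested: str) -> str:
    """The pattern behind the bug: the requested name is joined onto the log
    directory with no containment check, so '../' segments walk out of it."""
    return os.path.join(log_root, requested)


def is_within_log_root(log_root: str, requested: str) -> bool:
    """True only if the real path of the request (symlinks resolved) stays
    under the real path of the log directory."""
    root = os.path.realpath(log_root)
    # os.path.join discards root when 'requested' is absolute, so absolute
    # paths are caught by the same containment test below.
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath, not startswith: '/var/logs2' must not pass for '/var/logs'.
    return os.path.commonpath([root, candidate]) == root


def read_log(log_root: str, requested: str) -> str:
    """Hardened read: refuses anything outside the log directory."""
    if not is_within_log_root(log_root, requested):
        raise PermissionError(f"refusing path outside log directory: {requested}")
    with open(os.path.join(log_root, requested), encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Constructed sample tree: <tmp>/logs/app.log plus a fake <tmp>/.ssh/id_rsa
    outside the log directory, standing in for the sensitive file."""
    base = tempfile.mkdtemp(prefix="instant_demo_")
    Path(base, "logs").mkdir()
    Path(base, "logs", "app.log").write_text("INFO login ok\n")
    Path(base, ".ssh").mkdir()
    Path(base, ".ssh", "id_rsa").write_text("NOT A REAL KEY (constructed)\n")
    return base


if __name__ == "__main__":
    logs = os.path.join(build_demo_tree(), "logs")
    print(read_log(logs, "app.log").strip())
    for bad in ("../.ssh/id_rsa", "/etc/passwd", "../logs2/app.log"):
        try:
            read_log(logs, bad)
        except PermissionError as exc:
            print("blocked:", exc)
```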

let's save this and ssh into the machine

let's go
Time to find something to privesc with.
No SUID files, no crontab, no capabilities, but there are some python processes and two open ports, 8888 and 8808, used by swagger; nothing more.

Looking around a bit more, there's a PuTTY session backup

let's download that file and decrypt it so we can use it
scp -i insta_id_rsa shirohige@instant.htb:/opt/backups/Solar-PuTTY/session-backup.dat ./
I've found this really good script to decrypt the file:
Using the rockyou wordlist it's easy to recover the encryption password and decrypt the file.
python3 SolarPuttyDecryptor.py ../sessions-backup.dat -wl /usr/share/wordlists/rockyou.txt

Log in again as shirohige and su to gain root

And we're done.