Author: e-ukiyo
HackTheBox: Instant Write-Up
- T1046: Network Service Scanning
- T1070: Indicator Removal on Host
- T1071: Application Layer Protocol
- T1003: Credential Dumping
- T1552: Unsecured Credentials
From the nmap scan we can see that only ports 22 and 80 are open.
I found a download link for a mobile app. I used apktool to decompile this file, which revealed the application code and assets, including the smali files that contain the app's logic.
I focused on the AdminActivities.smali file, which is likely related to admin activities, and found a hardcoded JWT token for the admin user embedded in it. This token could potentially grant unauthorized users access to sensitive administrative functions.
To successfully set up the environment for testing the APIs, you should add the subdomain swagger-ui.instant.htb to the /etc/hosts file.
curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=..%2F.ssh%2Fid_rsa" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
Using this command we can successfully extract the private SSH key.
Set the correct permissions on the key file and connect over SSH with it.
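Two findings in this chain are worth looking at from the defender's side: what the hardcoded token actually grants, and why the log endpoint hands out files it should not. The following is an added example, not code from the write-up or from the box; it decodes the payload of the JWT quoted above (no signature check), reports how far away its expiry lies, and shows a containment check for the log_file_name parameter that rejects the traversal value from the curl command. The log directory /var/log/instant is an assumption, not a path from the page.

```python
import base64
import json
import time
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# The admin JWT from the write-up. Only the payload is decoded here; nothing is verified.
ADMIN_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
    "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
)


def decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the middle segment of a JWT (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding that JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def years_until_expiry(token: str) -> float:
    """How far in the future the 'exp' claim lies, in years."""
    exp = decode_jwt_payload(token)["exp"]
    return (exp - time.time()) / (365.25 * 86400)


# Assumed log directory for the hardened check; the real path is not on the page.
LOG_DIR = Path("/var/log/instant")


def resolve_log_path(log_file_name: str, base: Path = LOG_DIR) -> Optional[Path]:
    """Return the resolved path only if it stays inside base, else None.

    Joining then resolving collapses '..' segments, so '../.ssh/id_rsa'
    escapes base and is rejected; absolute names are rejected too because
    Path('/var/log/instant') / '/etc/passwd' yields '/etc/passwd'.
    """
    base = base.resolve()
    candidate = (base / log_file_name).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    claims = decode_jwt_payload(ADMIN_JWT)
    print(claims["role"], f"expires in ~{years_until_expiry(ADMIN_JWT):.0f} years")
    # The exact query value from the curl command above, URL-decoded as the server would.
    print(resolve_log_path(unquote("..%2F.ssh%2Fid_rsa")))  # None
    print(resolve_log_path("app.log"))  # /var/log/instant/app.log
```

The exp claim lies roughly a thousand years out, so the embedded token never expires on its own; rotating the signing secret is the only way to revoke it.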
Here I found a SQL database containing usernames and hashed passwords.
Then I found a .dat file.
We can decrypt this with the SolarPuttyDecrypt tool: https://github.com/VoidSec/SolarPuttyDecrypt
Finally, switch user with the su root command and cat the flag.