search
GitHub
Page cover

linuxWeek 11. Instant

hashtag
TL;DR

This is an Ubuntu 24.04 machine hosting a web site dedicated to a wallet application which is available for Android devices. After decompiling the APK package we obtain a JWT token that can be used to log in the API. This turns out to be vulnerable to path traversal, which allows us to dump a private key that provides an initial shell in the host. Regarding escalation, first we need to crack a Werkzeug hash contained in a SQLite database, then use this password to decrypt a Solar-PuTTy data file and get the root password.

hashtag
KEYWORDS

Android, APK, Apktool, path traversal, SQLite, Werkzeug, Solar-PuTTy.

hashtag
REFERENCES

https://stackoverflow.com/questions/76935900/werkzeug-password-encryptionarrow-up-right

https://github.com/AnataarXVI/Werkzeug-Crackerarrow-up-right

https://voidsec.com/solarputtydecryptarrow-up-right

https://github.com/VoidSec/SolarPuttyDecryptarrow-up-right

hashtag
ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-21 12:44 EST
Nmap scan report for instant.htb (10.10.11.37)
Host is up, received user-set (0.038s latency).
Not shown: 57929 closed tcp ports (conn-refused), 7604 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 14.75 seconds

Enumerate the open ports.

Add to hosts file and enumerate the site with Firefox. It looks like a site for making online money transactions. A mobile app called "Instant" is available, download the APK file.

hashtag
USER

Decompile the Android APK package with apktool

Look for sensitive content in the resulting directories.

There is a JWT token in the file smali/com/instantlabs/instant/AdminActivities.smali

Furthermore, in the res/xml/network_security_config.xml file we find two API endpoint URLs.

Update hosts file with these URLs and enumerate with Firefox. The API documentation comes into view.

Use the JWT token to log in. To do this click on "Authorize 🔓", then enter the token.

Now try any of the endpoints, for example /api/v1/view/transactions. Capture the request, pay attention to how authorization is managed, take note of the header used for this purpose.

With this information we are in a position to query all the endpoints crafting our own requests with curl. For example, let's get a list of users.

In the documentation we see we can query log files, and choose the file path with the log_file_name parameter.

This is potentially vulnerable to path traversal. Let's try it.

The path traversal vulnerability is confirmed, and we see a potential username shirohige

Dump his private key.

And use it to open a shell and collect the user flag.

hashtag
ROOT

Start from the low-priv shell and take the opportunity to enumerate the user and the system.

Use linpeas.sh to find useful info. An SQLite database appears in /home/shirohige/projects/mywallet/Instant-Api/mywallet/instance/instant.db

Further enumerate the database, there are two hashes in the wallet_users table.

I couldn't find hash type pbkdf2:sha256:600000 in the Hashcat examples database, so I made a further search for this type of hashes. It seems these are Werkzeug hashes (https://stackoverflow.com/questions/76935900/werkzeug-password-encryptionarrow-up-right). And a password cracker is available here: https://github.com/AnataarXVI/Werkzeug-Crackerarrow-up-right

It is capable of cracking one of the hashes.

This password will be useful soon, take note of it and continue enumerating the host.

There is a Solar-PuTTy backup file here /opt/backups/Solar-PuTTY/sessions-backup.dat

The application source code has been reversed and is explained here: https://voidsec.com/solarputtydecrypt/arrow-up-right. Also, a decrypter for the DAT files is available here: https://github.com/VoidSec/SolarPuttyDecryptarrow-up-right

Let's run it run it (needs Windows) with the password we have just disclosed. The decryption is successful and the root password appears.

The only thing that's left is to su to root account.

You are root.

PreviousWeek 9. CicadaNextWeek 12. Chemistry

Last updated