This is an Ubuntu 24.04 machine hosting a web site dedicated to a wallet application that is available for Android devices. After decompiling the APK package we obtain a JWT token that can be used to log in to the API. The API turns out to be vulnerable to path traversal, which allows us to dump a private key that provides an initial shell on the host. For privilege escalation, we first need to crack a Werkzeug hash contained in a SQLite database, then use this password to decrypt a Solar-PuTTY data file and get the root password.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-21 12:44 EST
Nmap scan report for instant.htb (10.10.11.37)
Host is up, received user-set (0.038s latency).
Not shown: 57929 closed tcp ports (conn-refused), 7604 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 14.75 seconds
Enumerate the open ports.
> nmap $target -p22,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-21 12:46 EST
Nmap scan report for 10.10.11.37
Host is up, received user-set (0.037s latency).
Scanned at 2024-11-21 12:46:44 EST for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3183eb9f15f840a5049ccb3ff6ec4976 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMM6fK04LJ4jNNL950Ft7YHPO9NKONYVCbau/+tQKoy3u7J9d8xw2sJaajQGLqTvyWMolbN3fKzp7t/s/ZMiZNo=
| 256 6f6603470e8ae00397675b41cfe2c7c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+zjgyGvnf4lMAlvdgVHlwHd+/U4NcThn1bx5/4DZYY
80/tcp open http syn-ack Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://instant.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 8.28 seconds
Add the host to the hosts file and browse the site with Firefox. It looks like a site for making online money transactions. A mobile app called "Instant" is available; download the APK file.
USER
Decompile the Android APK package with apktool.
> apktool d instant.apk
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
I: Using Apktool 2.10.0 on instant.apk with 8 thread(s).
I: Baksmaling classes.dex...
I: Loading resource table...
I: Decoding file-resources...
I: Loading resource table from file: /home/kali/.local/share/apktool/framework/1.apk
I: Decoding values */* XMLs...
I: Decoding AndroidManifest.xml with resources...
I: Regular manifest package...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory
Look for sensitive content in the resulting directories.
There is a JWT token in the file smali/com/instantlabs/instant/AdminActivities.smali
Furthermore, in the res/xml/network_security_config.xml file we find two API endpoint URLs.
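A token hardcoded in a client build, like the one found above in the smali code, is the kind of leak a release pipeline should catch before the APK ships. The following is an added example (not from the original writeup or the Instant app) that walks an apktool output directory, finds JWT-shaped literals, decodes their header and claims without verifying the signature, and flags the properties that make such a leak dangerous; the smali snippet and token it scans are constructed here.

```python
import base64, json, os, re
from dataclasses import dataclass, field

def _b64url(obj: dict) -> str:
    """Encode a dict as one unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample resembling a const-string in a decompiled smali file.
# The claims and signature are made up for this example, not the real token.
_SAMPLE_JWT = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"id": 1, "role": "Admin"}),   # deliberately no "exp" claim
    "signature-placeholder",
])
SAMPLE_SMALI = (
    ".class public Lcom/example/AdminActivities;\n"
    '    const-string v1, "Authorization"\n'
    f'    const-string v2, "{_SAMPLE_JWT}"\n'
)

# base64url('{"') always starts with "eyJ"; three dot-separated segments
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _decode_segment(seg: str) -> dict:
    """base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

@dataclass
class Finding:
    source: str
    alg: str
    claims: dict
    issues: list = field(default_factory=list)

def scan_text(text: str, source: str) -> list:
    """Return one Finding per JWT-shaped literal in text (signature not checked)."""
    findings = []
    for m in JWT_RE.finditer(text):
        head, body = m.group().split(".")[:2]
        try:
            header, claims = _decode_segment(head), _decode_segment(body)
        except ValueError:          # base64url that is not a JSON JWT
            continue
        f = Finding(source, header.get("alg", "?"), claims)
        if "exp" not in claims:
            f.issues.append("no expiry: a leaked token stays valid indefinitely")
        if "admin" in json.dumps(claims).lower():
            f.issues.append("privileged claims shipped inside a client build")
        findings.append(f)
    return findings

def scan_dir(root: str) -> list:
    """Walk apktool output and scan the text files where literals usually live."""
    out = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith((".smali", ".xml", ".json", ".properties")):
                path = os.path.join(dirpath, n)
                with open(path, errors="ignore") as fh:
                    out.extend(scan_text(fh.read(), path))
    return out
```

Run `scan_dir("instant")` against the directory apktool produced to list every embedded token with its algorithm, claims and the issues the scan raises.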
Add these hostnames to the hosts file and browse them with Firefox. The API documentation comes into view.
Now try any of the endpoints, for example /api/v1/view/transactions. Capture the request, pay attention to how authorization is managed, and take note of the header used for this purpose.
With this information we are in a position to query all the endpoints by crafting our own requests with curl. For example, let's get a list of users.