
Week 11. Instant
TL;DR
This is an Ubuntu 24.04 machine hosting a web site for a wallet application that is available for Android devices. After decompiling the APK package we obtain a JWT token that can be used to log in to the API. The API turns out to be vulnerable to path traversal, which allows us to dump a private key that provides an initial shell on the host. For escalation, we first need to crack a Werkzeug hash stored in a SQLite database, then use that password to decrypt a Solar-PuTTy data file and recover the root password.
KEYWORDS
Android, APK, Apktool, path traversal, SQLite, Werkzeug, Solar-PuTTy.
REFERENCES
https://stackoverflow.com/questions/76935900/werkzeug-password-encryption
https://github.com/AnataarXVI/Werkzeug-Cracker
https://voidsec.com/solarputtydecrypt
https://github.com/VoidSec/SolarPuttyDecrypt
ENUMERATION
Port scan.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-21 12:44 EST
Nmap scan report for instant.htb (10.10.11.37)
Host is up, received user-set (0.038s latency).
Not shown: 57929 closed tcp ports (conn-refused), 7604 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 14.75 seconds
Enumerate the open ports.
Add the host to the hosts file and enumerate the site with Firefox. It looks like a site for making online money transactions. A mobile app called "Instant" is available; download the APK file.

USER
Decompile the Android APK package with apktool.
Look for sensitive content in the resulting directories.
There is a JWT token in the file smali/com/instantlabs/instant/AdminActivities.smali.

Furthermore, in the res/xml/network_security_config.xml file we find two API endpoint URLs.

Add these hostnames to the hosts file and enumerate them with Firefox. The API documentation comes into view.

Use the JWT token to log in. To do this click on "Authorize 🔓", then enter the token.

Now try any of the endpoints, for example /api/v1/view/transactions. Capture the request and pay attention to how authorization is managed; take note of the header used to carry the token.

With this information we are in a position to query all the endpoints by crafting our own requests with curl. For example, let's get a list of users.

In the documentation we see that we can read log files and choose the file path with the log_file_name parameter.

This is potentially vulnerable to path traversal. Let's try it.

The path traversal vulnerability is confirmed, and we see a potential username, shirohige.
Dump his private key.
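For the defender's side of this finding, here is an added example (not code from the box or from the Instant-Api project) showing the unchecked join that produces a traversal bug in a log-reading endpoint next to a hardened resolver that canonicalises the path and verifies it stays inside the log directory. The base directory, the .log allow-list and the function names are assumptions for illustration.

```python
import os

# Assumed base directory for the API's log files (placeholder, not from the box).
LOG_DIR = "/srv/mywallet/logs"


class UnsafePathError(ValueError):
    """Raised when log_file_name would resolve outside LOG_DIR."""


def resolve_log_path_unsafe(log_file_name: str, base_dir: str = LOG_DIR) -> str:
    # Vulnerable pattern: the parameter is joined to the base directory with
    # no validation, so any "../" sequence walks out of base_dir.
    return os.path.join(base_dir, log_file_name)


def resolve_log_path(log_file_name: str, base_dir: str = LOG_DIR) -> str:
    # Hardened pattern: reject obviously bad input, then canonicalise both
    # sides and check containment, so "..", absolute paths and symlinks
    # that point outside the directory are all refused.
    if not log_file_name or "\x00" in log_file_name:
        raise UnsafePathError("empty or NUL-containing file name")
    if os.path.isabs(log_file_name):
        raise UnsafePathError("absolute paths are not allowed")
    if not log_file_name.endswith(".log"):
        raise UnsafePathError("only .log files may be read")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, log_file_name))
    # commonpath on the canonical forms is the real containment check;
    # a plain string prefix test would accept "/srv/mywallet/logs-old/x.log".
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("path escapes the log directory")
    return candidate


def is_safe_log_name(log_file_name: str, base_dir: str = LOG_DIR) -> bool:
    """Convenience wrapper: True when the hardened resolver accepts the name."""
    try:
        resolve_log_path(log_file_name, base_dir)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one harmless "..", two escapes.
    for name in ("app.log", "sub/../app.log", "../../etc/app.log", "/etc/hostname"):
        print(f"{name!r}: {'allowed' if is_safe_log_name(name) else 'rejected'}")
```

Logging each UnsafePathError with the offending parameter value gives the blue team a simple detection signal for traversal attempts against this endpoint.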

And use it to open a shell and collect the user flag.

ROOT
Start from the low-priv shell and take the opportunity to enumerate the user and the system.
Use linpeas.sh to find useful info. A SQLite database appears at /home/shirohige/projects/mywallet/Instant-Api/mywallet/instance/instant.db.
Enumerate the database further; there are two hashes in the wallet_users table.
I couldn't find the hash type pbkdf2:sha256:600000 in the Hashcat example hashes, so I searched further for this format. It turns out these are Werkzeug hashes (https://stackoverflow.com/questions/76935900/werkzeug-password-encryption), and a password cracker is available here: https://github.com/AnataarXVI/Werkzeug-Cracker
It is capable of cracking one of the hashes.

This password will be useful soon; take note of it and continue enumerating the host.
There is a Solar-PuTTy backup file at /opt/backups/Solar-PuTTY/sessions-backup.dat.
The application's source code has been reversed and is explained here: https://voidsec.com/solarputtydecrypt/. A decrypter for the DAT files is also available here: https://github.com/VoidSec/SolarPuttyDecrypt
Let's run it (it needs Windows) with the password we have just recovered. The decryption is successful and the root password appears.

The only thing that's left is to su to the root account.

You are root.