Tuesday, 22 October 2024

Hack The Box - Instant

A few days ago I had the pleasure of checking out one of the Hack The Box 'Season 6' machines, called Instant. You will find a few details about it below. Here we go...

Today we'll start here:


After connecting to the VPN I started with the 'usual' nmap scan to find out which ports (if any) are open on the remote host (10.10.11.37 in the case of this machine):


In the meantime - when I saw port 80 open - I decided to check the web page. As you can see, this webpage is not very big, but it contains an APK app to download:

I decided to grab it and decompile it on my Kali to check what's in the source. First I used 7z to extract the APK file:

Next I also used apktool to extract some DEX files:

...to run them through dex2jar. Unfortunately I was unable to do that. After an error message and a Google search I found a tool called dex-tools:

Now that my new file instant-dex2jar.jar was created, I was able to open it using JD-GUI and read more:

After a while I found a few new hostnames (which I added to /etc/hosts) as well as an auth header for admin :)

Next I tried to understand what else is hidden in the app and how we could use it later for our purposes:


As you can see on the screen below, I started to play with the app's functions that I had found, using Burp with my new auth header:

Few errors later...

I was able to make a proper request:


Watching the links/requests from the app, I was able to grab a list of users:

While I was wondering about the next step I found a link to Instant-Swagger, where I found a few more hints about 'what can be done here'. For example:

Preparing and checking the request:

Next step:
Checking if 'read' is true:

Back to Swagger - I was wondering 'maybe I need to add a new admin too?', so I landed here for a moment:

And that moment was 'is this an LFI bug or not?' ;) Like this:

Now we should be somewhere here:

Indeed, we can read more files on this server:
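As an added example (not code from the post or from the machine), here is the defender's side of that LFI: a Python path-resolution check in its vulnerable and hardened forms, plus the same check run over constructed access-log lines to flag traversal attempts. The served directory, the query parameter name and the endpoint path are assumptions, not values from the machine.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

BASE_DIR = "/srv/app/logs"   # assumed directory the endpoint serves (placeholder)
PARAM = "name"               # assumed query parameter carrying the file name (placeholder)

def resolve_vulnerable(base_dir, requested):
    """'Before' pattern: the user value is joined as-is, so '../' climbs out."""
    return posixpath.normpath(posixpath.join(base_dir, requested))

def resolve_hardened(base_dir, requested):
    """'After': reject NUL bytes and absolute paths, normalise, then insist the
    result stays strictly inside base_dir. Returns the path or None.
    This is a string-level check; on a real filesystem also run
    os.path.realpath so a symlink inside base_dir cannot point outside it."""
    if not requested or "\x00" in requested or posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

def traversal_hits(access_log_lines):
    """Detection side: pull the parameter out of each request line (parse_qs
    percent-decodes it once, as the web stack would) and return the values
    the hardened resolver rejects."""
    hits = []
    for line in access_log_lines:
        try:
            target = line.split('"')[1].split(" ")[1]   # "GET /path?x=y HTTP/1.1"
        except IndexError:
            continue
        for value in parse_qs(urlsplit(target).query).get(PARAM, []):
            if resolve_hardened(BASE_DIR, value) is None:
                hits.append(value)
    return hits

# Constructed sample access-log lines, not taken from the machine.
SAMPLE_LOG = [
    '10.10.14.5 - - [22/Oct/2024:10:00:01 +0000] "GET /api/readfile?name=app.log HTTP/1.1" 200 512',
    '10.10.14.5 - - [22/Oct/2024:10:00:07 +0000] "GET /api/readfile?name=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.10.14.5 - - [22/Oct/2024:10:00:09 +0000] "GET /api/readfile?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(traversal_hits(SAMPLE_LOG))
```

Note that the web framework must decode the parameter exactly once before this check runs; decoding it again afterwards reintroduces double-encoding bypasses.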


If (during the initial port scan) we found the SSH port open - maybe we can do something with that information?
Checking:
...and...

Great :) The next step was to use the linpeas.sh script. Reading the output we can find that we're able to write to some interesting files. One of them is presented on the screen below:

Reading the HTB Forum for some hints about this machine, I found a post from one of the users with a hint about the cracking process ;)

I decided to try it:

When the password was ready to use I tried su, and that's how I found the root.txt flag:

Looks like it's done.

See you next time! ;)


Cheers