Introduction to Instant:

In this writeup, we will explore the “Instant” machine from Hack The Box, which is categorized as a medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Instant” machine from Hack The Box by achieving the following objectives:

User Flag:

User Flag Captured: API Abuse to SSH Access

At first glance, the website looked normal, but a “Download Now” button led to an APK file. Decompiling it with apktool uncovered network_security_config.xml, revealing two subdomains: mywalletv1.instant.htb and swagger-ui.instant.htb. The Swagger UI exposed API documentation, leaking several endpoints, though most required authentication.

Digging deeper, we found a test admin section containing a valid authorization token. Using cURL, we queried the view/profile and admin/view/logs endpoints, confirming access to sensitive data. While direct access to mywalletv1 returned a 404 error, further enumeration paid off—we managed to retrieve an SSH private key, even without knowing the user’s directory. With SSH access secured, we explored the system and successfully captured the user flag.

Root Flag:

Access, Exploration, and Privilege Escalation

Authorized access was gained, leading to a thorough examination of directories and processes. A .dat file was discovered in the /opt/backup directory, appearing to be encoded. It was transferred to a local machine for further analysis.

Attempts to decrypt the file using a Python script were unsuccessful. Given that passwords are typically not displayed for security reasons, two methods were considered: using an SSH honeypot to intercept credentials or reverse engineering the software. A decryption script was downloaded from SolarPuttyDecrypterPy, but while the outdated SolarPuttyCracker tool worked, the newer SolarPuttyDecrypt script failed.

Privilege escalation was achieved using the password “1224nzC!r0c%q12“, granting root access and enabling retrieval of the root.txt file.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oN nmap_initial.txt 10.10.11.37

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/instant]
└──╼ $nmap -sC -sV -oA initial 10.10.11.37 
# Nmap 7.94SVN scan initiated Tue Feb 25 08:27:54 2025 as: nmap -sC -sV -oA initial 10.10.11.37
Nmap scan report for 10.10.11.37
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://instant.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 25 08:28:38 2025 -- 1 IP address (1 host up) scanned in 44.39 seconds

Analysis:

  • Port 22 (SSH): Running OpenSSH 9.6p1 on Ubuntu, allowing secure remote access. The server supports ECDSA and ED25519 host keys.
  • Port 80 (HTTP): Apache HTTP server (version 2.4.58) is running, with a redirect pointing to http://instant.htb/. The server header confirms it is hosted on Ubuntu Linux.

Web Enumeration:

Exploitation

Perform web enumeration to discover potentially exploitable directories and files.

It appears to be a standard website interface but includes a “Download Now” feature.

The page contains little useful data except for a download link to an APK file. Grab the APK, then use apktool to decode and inspect its contents.

I’ve written several walkthroughs covering Android application and API exploitation, including HTB Pikatwoo (Insane Difficulty), HTB Catch (Medium Difficulty), and HTB RouterSpace (Easy Difficulty). Each challenge involved analyzing APK files, decompiling them for vulnerabilities, and leveraging exposed credentials or misconfigurations to escalate access. You can check them out here:

What is APK and APKTOOL?

An APK (Android Package Kit) is the file format for Android apps. It contains all necessary components for installation and execution.

APKTool is a reverse engineering tool that decompiles, modifies, and rebuilds APKs, making it useful for security analysis and app modifications.

Install APKTool on Any Linux Operating System

wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool
wget https://github.com/iBotPeaches/Apktool/releases/latest/download/apktool.jar
sudo mv apktool apktool.jar /usr/local/bin/
sudo chmod +x /usr/local/bin/apktool
apktool --version  # Verify installation

Now, you can use APKTool to analyze APK files.

We’ll decompile the APK using apktool d <filename> to extract its contents. Then, we’ll analyze the files for sensitive data, such as hardcoded credentials, API keys, or configuration details.

It looks like the network_security_config.xml file references two subdomains:

  1. mywalletv1.instant.htb – Direct access to the mywalletv1 subdomain results in a 404 error, suggesting that the resource is unavailable or restricted.
  3. swagger-ui.instant.htb – This indicates a Swagger UI, a web interface for API documentation and testing. If exposed, it might reveal API endpoints, authentication methods, and request formats, which could be useful for further analysis.

These subdomains could provide attack surfaces for enumeration or security testing.

There is nothing noteworthy to investigate.

Exploitation

Web Application Exploration:

Authorization is required to make modifications.

A test admin section of the code contains an authorization token. Using this token, we send a CURL request to the view/profile endpoint and successfully retrieve some information.

We have successfully obtained authorized access.

Let’s modify the value by replacing it with our data to reflect the necessary changes.

Finally, we successfully registered a user.

We successfully logged in with the newly registered user. Unfortunately, this token cannot be leveraged for further access.

Read the file on the log on the Instant Machine

Let’s attempt to read the /etc/passwd file.

Unfortunately, we are unauthorized to read the file.

Using the previously discovered token, we successfully accessed and read the /etc/passwd file.

One user just caught my attention—this could be interesting!

We successfully retrieved the SSH private key.

Despite not knowing the user’s directory, we were still able to retrieve the SSH key successfully. This highlights a potential security flaw, as accessing such credentials should typically require more specific knowledge or permissions.

Wow! We can fetch and read the user flag this way!

Fetching the output using the CURL command

These cURL commands interact with two API endpoints, using an authorization token to gain access.

  1. Fetching Profile Information 
curl -X GET "http://mywalletv1.instant.htb/api/v1/view/profile" \ -H "Authorization: <token>"

This sends a GET request to the mywalletv1 API to retrieve profile details. The Authorization header includes a JWT token, which acts as a key to authenticate the request.

  1. Retrieving Admin Logs 
curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/view/logs" \ -H "accept: application/json" \ -H "Authorization: <token>"

This command queries the swagger-ui API for admin logs. The request specifies accept: application/json to format the response as JSON. The

Authorization token provides access, potentially exposing system activity logs.

Both requests demonstrate how APIs authenticate users while also restricting access based on token privileges. This process ensures that only authorized users can perform specific actions, enhancing overall security.

We can achieve the same output using the cURL command.

This method also enabled the retrieval of the SSH key.

We can retrieve and read the user flag using this method.

Escalate to Root Privileges Access

Privilege Escalation:

We attempted to retrieve the malicious binary using sudo -l, but found nothing.

There is no information on the process itself.

There are no noteworthy findings in the /var/www/ directory.

A .dat file is present in the /opt/backup directory, which we can investigate further.

The contents of the Solar-PuTTY sessions-backup.dat file seem to be encoded.

Analysis on .dat for Instant Machine

We need to transfer the .dat file to our local machine for further analysis.

In standard software design, passwords are typically not displayed within applications due to security concerns.

For instance, when storing an SSH password in certain software, the application allows users to connect to SSH but does not reveal the originally entered password.

To address this, two approaches were proposed in the initial article:

  1. SSH Honeypot Method – This technique involves using an SSH honeypot to capture credentials. When a device connects to the honeypot, it bypasses the original server’s signature verification, allowing the interception of SSH usernames and passwords by redirecting the destination IP address.
  2. Reverse Engineering Method – This approach entails directly analyzing the software through reverse engineering and developing a decryption tool to retrieve stored credentials.

The script can be downloaded from the following link: SolarPuttyDecrypterPy

Although the outdated SolarPuttyCracker tool still functions, switching to the more recent SolarPuttyDecrypt was necessary. However, the newer script failed to work as expected.

It works with the older Python script but not with the modern one.

Attempting to switch to the root user using the password 1224nzC!r0c%q12” successfully granted access.

From there, I was able to retrieve the root.txt file.

Tags: , , , , , , , , , , ,
Categories: