Instant HackTheBox Walkthrough

Instant HackTheBox Walkthrough

Step 1: Initial Reconnaissance

Begin by analyzing the webpage structure and inspecting the elements’ properties. Use tools like wfuzz to discover hidden directories and files, including docs. Leverage the main page URL for clues; it may reveal important data. Probe for vulnerabilities in the XSL files or sensitive information leakage. Identify any exposed APIs or endpoints through which you can gather more intelligence. Check for any publicly available repositories on GitHub for potential weaknesses. Remember, thorough reconnaissance sets the foundation for a successful HackTheBox endeavor.

NMAP

Let’s perform an NMap Scan on the machine for open ports and services

Step 2: Identifying the Target

Identifying the target involves delving deeper into the system to pinpoint the specific vulnerabilities that can be exploited, including valid username issues. Understanding the operating systems and applications running on the target is crucial. Analyzing network traffic using tools like Wireshark can reveal valuable insights. Leveraging Nmap scans can identify open ports and services running on the target. Furthermore, conducting thorough reconnaissance by exploring the target’s main page, subdomains, and connected systems can provide valuable clues for successful exploitation.

Instant.htb Homepage

To get started, first, you need to add instant.htb to your /etc/hosts file; this step is crucial as it allows your system to recognize the domain and route it correctly. Once you’ve made this addition, proceed to visit the website by entering the URL in your browser. From there, locate the download section and download the .apk file, which is the Android application package you will be working with. After the download is complete, it’s time to utilize JADX, a popular decompiler, to convert the .apk file into readable Java code. This process will enable you to analyze, modify, and understand the underlying code structure of the application in a more manageable format. With these steps completed, you’re now ready to dive deeper into the application’s functionality and design.

JADX

A lot of recursive grep later, we get two important findings that greatly impact our understanding of the system’s security:
First, we discovered two distinct subdomains that appear to be linked to the operation of the application, making it critical to analyze their configurations and security settings thoroughly.
Second, we identified an admin JWT token hardcoded into the APK, which poses a significant risk, as this token could potentially grant unauthorized users access to sensitive administrative functionalities, making it crucial to eliminate any hardcoded secrets in the codebase to enhance security protocols.

Instant.htb APK Contents

Step 3: Exploiting Vulnerabilities

Leverage your NLP skills to exploit vulnerabilities effectively. Once reconnaissance is complete, dive deeper into the system. Exploit weaknesses, such as misconfigured services or unpatched software. Utilize tools like wfuzz to identify hidden directories and files. Look for common vulnerabilities like SQL injection or Cross-Site Scripting (XSS) in web applications. Remember, privilege escalation is crucial here. Gain access to critical files like the xsl file or users table. Tailor your approach based on the target’s technology stack and known vulnerabilities. Stay stealthy and cover your tracks to maintain access.

To successfully set up your environment for testing the APIs, you need to first configure your local machine’s /etc/hosts file to recognize the subdomains you’re working with. This can be achieved by adding the appropriate entries that point to the server’s IP address. In this specific case, you would add the subdomain swagger-ui.instant.htb to the /etc/hosts file.

To do this, you can use the following command in your terminal. Make sure to replace 10.10.11.10 with the actual IP address of your server if it differs:

sudo echo "10.10.11.10 swagger-ui.instant.htb" | sudo tee -a /etc/hosts

This command appends the necessary entry to your /etc/hosts file. With this configuration complete, you should be able to visit swagger-ui.instant.htb in your web browser.

Once you access the Swagger UI, you’ll be prompted to authorize your session using a JWT (JSON Web Token). It’s crucial to have a valid JWT token for authorization purposes to interact with the APIs effectively. After successfully logging in, you can begin exploring the various APIs available.

While testing these APIs, pay particular attention to the functionality that allows for file input. One of the endpoints stands out due to a potential Local File Inclusion (LFI) vulnerability. LFI can pose significant security risks by allowing malicious users to read sensitive files from the server. Thus, as you proceed with testing, ensure to look for any clues or indications that may suggest this vulnerability.

Step 4: Gaining Access

To gain access to the target system, employ various methods like using the acquired credentials or exploiting vulnerabilities. Understanding the system’s architecture and permissions is crucial. Consider leveraging NLP techniques or reverse engineering to uncover potential weak points. Utilize tools such as wfuzz to test for common vulnerabilities or misconfigurations. Exploring the user’s table or directory structure can provide valuable insights for successful access. Remember, persistence and creativity are key in navigating through security layers. Embrace the challenge and approach it with a strategic mindset.

Instant.htb User Flag

We can access the /etc/passwd file, which contains a list of all user accounts, navigate to the user shirohige, and examine the id_rsa file located in the .ssh directory.

Step 5: Escalating Privileges

Escalating privileges is a critical phase in Instant challenges on HackTheBox. After gaining access, you must elevate your permissions to reach the highest level of control within the target system. This often involves exploiting vulnerabilities in different operating systems to access sensitive information or functions. Common techniques include exploiting misconfigurations, privilege escalation exploits, or manipulating user privileges to gain elevated access. Understanding the nuances of privilege escalation is essential for mastering Instant challenges and advancing your skills in the realm of cybersecurity. Remember, thorough reconnaissance and precise execution are key to success.

To effectively retrieve the RSA Private key, first ensure that you have the necessary permissions and access to the secure storage location where it is kept. Once you have located the key, proceed by carefully copying the RSA Private key to your designated file, typically named id_rsa, ensuring that you maintain the key’s integrity throughout the process. It’s crucial to handle this key with care, as it is essential for authenticating secure communications and should be protected from unauthorized access to prevent any potential security breaches. After copying, verify that the private key has been successfully saved in the correct format, ready for use in your applications.

SSH Key of the user shirohige

Logged in as shirohige

Switching over to root will give you root flag.

Instant.htb Root Flag

Congrats!!!

Leave a comment

Please note, comments must be approved before they are published

This site is protected by hCaptcha and the hCaptcha Privacy Policy and Terms of Service apply.

Back to HackTheBox and TryHackMe Walkthroughs

You may also like View all

Exploring Ethical Hacking: The Journey of Daniel Svoboda aka BY7E.NET
Exploring Ethical Hacking: The Journey of Daniel Svoboda aka BY7E.NET
From 100 Days of Code to Full Stack Engineer: Embersunn’s Journey in Tech and Healthcare
From 100 Days of Code to Full Stack Engineer: Embersunn’s Journey in Tech and Healthcare
Interview with Ryan, aka Totally_Not_A_Haxxer: The 17-Year-Old Cybersecurity Whiz
Interview with Ryan, aka Totally_Not_A_Haxxer: The 17-Year-Old Cybersecurity Whiz