[HTB] Instant S6 User + Root Flag [You can Flex ]
by androidhacker1337 - Monday October 14, 2024 at 03:01 PM
Elite User

Posts: 147
Threads: 21
Joined: Apr 2024
Reputation: 1

#1
10-14-2024, 03:01 PM
Initial Foothold:
Decompile the .apk file and look through its files, you will find an admin JWT token and 1 subdomain in /res/xml/network_security_config.xml. Go to that subdomain and enter the JWT you just found there and utilize the read logs api to read shirohige id_rsa and get on the box!
Root Priv Esc:
For root priv esc, you'll find hashes in ~/projects/mywallet/Instant-Api/mywallet/instance/instant.db, crack them and you'll get a hit on shirohige password (shirohige:estrella) then looking at /opt you'll find /opt/backups/Solar-PuTTY/sessions-backup.dat you need to decrypt it and retrieve passwords from it using https://github.com/VoidSec/SolarPuttyDecrypt (You'll need a windows machine). Run this command and you'll find root password .\SolarPuttyDecrypt.exe .\sessions-backup.dat estrella
Root password: 12**24nzC!r0c%q12

Hidden Content
You must register or login to view this content.
Reply
Elite User

Posts: 147
Threads: 21
Joined: Apr 2024
Reputation: 1

#2
10-16-2024, 09:44 AM
This is the best solution Big Grin try it BUMP
Reply
Breached
Member
Posts: 45
Threads: 4
Joined: Oct 2024
Reputation: 30

#3
10-20-2024, 08:10 PM
i can't find the xml folder
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 91 7,541 1 hour ago
Last Post: ukaugse
  [Season10] ROOT Pterodactyl pulsebreaker 57 1,088 9 hours ago
Last Post: newcrucial
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 364 88,792 Yesterday, 07:41 PM
Last Post: napo22
  [Free] CDSA Path Flag -All RoanokeYehia 36 3,580 Yesterday, 04:58 AM
Last Post: lmg2334
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 2,354 03-28-2026, 03:30 AM
Last Post: lulaladrow



 Users browsing this thread: 1 Guest(s)