JOIN BREACHFORUMS NEW TELEGRAM
[HTB] Instant S6 User + Root Flag [You can Flex ]
by androidhacker1337 - Monday October 14, 2024 at 03:01 PM
Elite User

Posts: 168
Threads: 21
Joined: Apr 2024
Reputation: 1
#1
Oct 14, 2024, 03:01 PM
Initial Foothold:
Decompile the .apk file and look through its files, you will find an admin JWT token and 1 subdomain in /res/xml/network_security_config.xml. Go to that subdomain and enter the JWT you just found there and utilize the read logs api to read shirohige id_rsa and get on the box!
Root Priv Esc:
For root priv esc, you'll find hashes in ~/projects/mywallet/Instant-Api/mywallet/instance/instant.db, crack them and you'll get a hit on shirohige password (shirohige:estrella) then looking at /opt you'll find /opt/backups/Solar-PuTTY/sessions-backup.dat you need to decrypt it and retrieve passwords from it using https://github.com/VoidSec/SolarPuttyDecrypt (You'll need a windows machine). Run this command and you'll find root password .\SolarPuttyDecrypt.exe .\sessions-backup.dat estrella
Root password: 12**24nzC!r0c%q12

Hidden Content
You must register or login to view this content.
Reply
Elite User

Posts: 168
Threads: 21
Joined: Apr 2024
Reputation: 1
#2
Oct 16, 2024, 09:44 AM
This is the best solution Big Grin try it BUMP
Reply
Breached
Member
Posts: 53
Threads: 4
Joined: Oct 2024
Reputation: 30
#3
Oct 20, 2024, 08:10 PM
i can't find the xml folder
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Season10] ROOT Pterodactyl pulsebreaker 58 2,086 1 hour ago
Last Post: Evocator
  Powerful-Android-RAT-2026 opsecmaster67 0 50 2 hours ago
Last Post: opsecmaster67
  Hackers Cave 4 Static Android Blogs opsecmaster67 0 46 2 hours ago
Last Post: opsecmaster67
  Android-Hacker-DEV Mtigating Security In Android opsecmaster67 0 44 2 hours ago
Last Post: opsecmaster67
  [FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags Techtom 53 4,595 5 hours ago
Last Post: 0xlc13n

Forum Jump:


 Users browsing this forum: 1 Guest(s)