Instant HTB - Writeup
all in all this was a very fun box that taught me lots of things!
during initial enumeration you'll find an apk (i found it through dirbusting, but it turns out it's right there on the site anyway)

if you've made an android app before, there are a few interesting places to look: the xml files and the java files
after decompiling the apk with jadx, you'll find an interesting string in the AdminActivities file

from the addHeader call you can assume it's meant to be sent as a request header. inside one of the xmls you'll find a file that lists 2 more subdomains to look at
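a hardcoded header value in decompiled source is exactly the kind of thing a pre-release check should catch. the following is an added example (not code from the box or the writeup): a small scanner over jadx-style java output that flags header-setting calls where a sensitive header gets a string literal instead of a variable, and additionally notes when the literal has the three-segment shape of a compact jwt. the java sample, the hostname and the token value are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for decompiled Java output (not the real AdminActivities).
# The hostname and both credential-looking values are placeholders.
SAMPLE_JAVA = '''
public class AdminActivities {
    private static final String BASE = "http://mywalletv1.example/";
    void listUsers(String token) {
        Request req = new Request.Builder()
            .url(BASE + "api/v1/admin/list/users")
            .addHeader("Authorization", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwbGFjZWhvbGRlciJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy")
            .addHeader("Content-Type", "application/json")
            .addHeader("X-Api-Key", "not-a-real-key-placeholder")
            .build();
        Request ok = new Request.Builder()
            .addHeader("Authorization", token)   // value comes from a variable: fine
            .build();
    }
}
'''

# Header names whose value should never be a compile-time literal.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie", "proxy-authorization"}

# OkHttp addHeader()/header() and HttpURLConnection setRequestProperty() calls
# whose *second* argument is a quoted string. A variable argument does not match.
HEADER_CALL = re.compile(
    r'\.(?:addHeader|header|setRequestProperty)\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)'
)

# Three base64url segments joined by dots: the shape of a compact JWS/JWT.
JWT_SHAPE = re.compile(r'^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$')


@dataclass
class Finding:
    line: int
    header: str
    kind: str      # "hardcoded-jwt" or "hardcoded-header"
    preview: str   # truncated so the report itself does not leak the secret


def scan_java(source: str) -> list[Finding]:
    """Return one Finding per sensitive header set from a string literal."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, value in HEADER_CALL.findall(text):
            if name.lower() not in SENSITIVE_HEADERS:
                continue
            kind = "hardcoded-jwt" if JWT_SHAPE.match(value) else "hardcoded-header"
            findings.append(Finding(lineno, name, kind, value[:12] + "..."))
    return findings


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: {f.kind} in {f.header} header ({f.preview})")
```

run it over a whole jadx output tree by reading each .java file and passing its text to scan_java; the Content-Type line and the variable-based Authorization line produce no finding, which is the behaviour you want from a check that runs in ci.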

the swagger-ui subdomain documents the interesting api requests you can make, but you should make them against the mywalletv1 one instead
from here we can use burp to generate a cURL command that's easy to use in bash, and append the Authorization header to it along with Content-Type: application/json since the api returns json

here's an example of the users list, but we can't do much with these as they don't come with any passwords
however, you can also read the logs through this api, and from the url you can tell it has something to do with directory traversal

from here, we can grab the id_rsa file
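the log endpoint above is a textbook path traversal: a file name from the request is joined onto the log directory with nothing stopping "../" from walking out of it. as an added example (not the box's code, and the directory layout, file names and file contents are constructed), here is that vulnerable pattern next to a hardened version, with a small demo that builds a temporary tree and shows the unsafe reader leaking a file outside the log directory while the hardened one refuses.

```python
import tempfile
from pathlib import Path


def read_log_unsafe(log_dir: Path, log_name: str) -> str:
    # Vulnerable pattern: user input is joined straight onto the directory,
    # so a name containing "../" resolves to a file outside log_dir.
    return (log_dir / log_name).read_text()


def resolve_log_path(log_dir: Path, log_name: str) -> Path:
    """Map a requested log name to a file that is provably inside log_dir.

    Two layers: reject anything that is not a plain file name, then resolve
    symlinks on both sides and confirm the parent is still log_dir.
    """
    if not log_name or log_name in (".", "..") or "/" in log_name or "\\" in log_name:
        raise ValueError("invalid log name")
    base = log_dir.resolve()
    candidate = (base / log_name).resolve()   # follows symlinks too
    if candidate.parent != base or not candidate.is_file():
        raise ValueError("log not found")
    return candidate


def read_log_safe(log_dir: Path, log_name: str) -> str:
    return resolve_log_path(log_dir, log_name).read_text()


def demo() -> dict:
    """Constructed tree: <tmp>/logs/app.log plus <tmp>/secret.txt outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logs = root / "logs"
        logs.mkdir()
        (logs / "app.log").write_text("2024-01-01 INFO service started\n")
        (root / "secret.txt").write_text("constructed secret, not a real key\n")

        traversal = "../secret.txt"   # constructed traversal input
        results = {
            "unsafe_leaks": read_log_unsafe(logs, traversal).startswith("constructed secret"),
            "safe_ok": read_log_safe(logs, "app.log").startswith("2024-01-01"),
        }
        try:
            read_log_safe(logs, traversal)
            results["safe_blocks"] = False
        except ValueError:
            results["safe_blocks"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

the parent-directory comparison is the part that matters: stripping "../" with a string replace can be bypassed with encodings or nested sequences, whereas resolving the final path and checking where it actually landed holds regardless of how the input was written. the check also catches a symlink inside the log directory that points elsewhere. if an endpoint genuinely needs subdirectories, relax the separator check but keep the resolved-path containment test (candidate relative to base via relative_to).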

it's hard to use as is, so just use cyberchef or vim to find and replace

then, just chmod 700 the id_rsa and ssh in

once you're in, you'll find a sessions-backup.dat in /opt/backups. i think previously the only option was to decrypt this on windows, but there's a very useful tool that lets you do it in python

once you have that, su to root and enter the password (the one at the bottom)
and there you have it!