HackTheBox - Instant Walkthrough
Introduction
Yeah, it's been a while since posting...
Today, I am going to walk through Instant on Hack the Box, which was a medium-rated machine created by tahaafarooq. The machine started off with a pretty basic web page that didn't offer a lot of functionality other than to download an APK. We then had to explore that APK to discover additional information to gain an initial foothold and then vertically escalate to root.
Without further ado, let's do this.
Initial Enumeration
As always, I started off with an initial Nmap scan to identify open ports on the host. After the scan completed, there were only two ports open - 22 and 80.
# Nmap 7.94SVN scan initiated Mon Nov 4 21:46:38 2024 as: /usr/lib/nmap/nmap -T4 -p- -vvv -oN scans/instant-initial 10.10.11.37
Nmap scan report for 10.10.11.37
Host is up, received echo-reply ttl 63 (0.072s latency).
Scanned at 2024-11-04 21:46:38 EST for 16s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
I then ran a second Nmap scan, this time with default scripts and version detection, against only the open ports.
# Nmap 7.94SVN scan initiated Mon Nov 4 21:47:17 2024 as: /usr/lib/nmap/nmap -sC -sV -p22,80 -oN scans/instant-openports 10.10.11.37
Nmap scan report for 10.10.11.37
Host is up (0.053s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_ 256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open http Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://instant.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
22 - SSH
SSH is almost never going to be the initial way into a machine, so I skipped it until I had either credentials or a private key to authenticate with.
80 - HTTP
Port 80 was trying to redirect to http://instant.htb, so I added the domain to my hosts file and then scanned just port 80, but this time with the domain name.
# Nmap 7.94SVN scan initiated Mon Nov 4 21:49:41 2024 as: /usr/lib/nmap/nmap -sC -sV -p80 -oN scans/port80-vhost instant.htb
Nmap scan report for instant.htb (10.10.11.37)
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58
|_http-title: Instant Wallet
|_http-server-header: Apache/2.4.58 (Ubuntu)