Possibly Related Threads…

androidhacker1337 · 10-14-2024, 03:01 PM

Initial Foothold:

Decompile the .apk file and look through its files, you will find an admin JWT token and 1 subdomain in /res/xml/network_security_config.xml. Go to that subdomain and enter the JWT you just found there and utilize the read logs api to read shirohige id_rsa and get on the box!

Root Priv Esc:

For root priv esc, you'll find hashes in ~/projects/mywallet/Instant-Api/mywallet/instance/instant.db, crack them and you'll get a hit on shirohige password (shirohige:estrella) then looking at /opt you'll find /opt/backups/Solar-PuTTY/sessions-backup.dat you need to decrypt it and retrieve passwords from it using https://github.com/VoidSec/SolarPuttyDecrypt (You'll need a windows machine). Run this command and you'll find root password .\SolarPuttyDecrypt.exe .\sessions-backup.dat estrella

Root password: 12**24nzC!r0c%q12

Hidden Content

You must register or login to view this content.

androidhacker1337 · 10-16-2024, 09:44 AM

This is the best solution Big Grin

try it BUMP

mothertaster · 10-20-2024, 08:10 PM

i can't find the xml folder

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	360	88,710	03-28-2026, 09:28 AM Last Post: catsweet
	[FREE] HTB-ProLabs APTLABS Just Flags	kewlsunny	23	2,348	03-28-2026, 03:30 AM Last Post: lulaladrow
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	87	7,490	03-27-2026, 07:22 PM Last Post: stn
	HTB Eloquia User and Root Flags - Insane Box	69646B	13	350	03-27-2026, 06:14 PM Last Post: vlxw
	HTB - ALL Challenges you Stuck in	osamy7593	2	646	03-27-2026, 04:24 PM Last Post: catsweet