(10-13-2024, 01:59 PM)Synntek0xe9 Wrote:(10-13-2024, 10:24 AM)mrdot457 Wrote:(10-13-2024, 07:38 AM)wakandaforeva Wrote: Decompile the .apk file and search its contents.
Look for an admin JWT token and 1 subdomain inside /res/xml/network_security_config.xml.
Visit the subdomain, use the JWT token, and access the read logs API to extract shirohige's id_rsa and gain access to the system.
Navigate to ~/projects/mywallet/Instant-Api/mywallet/instance/instant.db to find hashes.
Crack the hashes to reveal the password shirohige:estrella.
In /opt/backups/Solar-PuTTY/sessions-backup.dat, decrypt the file using SolarPuttyDecrypt (requires a Windows machine).
Run the command:
.\SolarPuttyDecrypt.exe .\sessions-backup.dat estrella
How did you crack the pass?
I tried john and hashcat and still no reasults
I made a script to transform werkzeug pbkdf2 : sha256 hashes. It required a bit of research in documentation of werkzeug and some inspiration from hashcat forums
import base64 fin = open('hash_werkzeug_raw.txt','r') hashes = [ line.strip() for line in fin.readlines() if line != '\n'] reformated = [""] * len(hashes) for i, hash in enumerate(hashes): parts = hash.split('$') if len(parts) != 3: print('unsupported hash') exit() method = parts[0].split(':') salt, hash = parts[1:] if len(method) != 3: print('unsupported hash') exit() if method[0] != 'pbkdf2' or method[1] != 'sha256' or not method[2].isdigit(): print('unsupported hash') exit() base64salt = salt base64salt = base64.b64encode(salt.encode()).decode() base64hash = base64.b64encode(bytes.fromhex(hash)).decode() reformated[i] = 'sha256:'+method[2] +":"+base64salt+":"+base64hash for refel in reformated: print(refel)
Then you can brute it with hashcat 10900
I keep getting 'separator unmatched' errors in hashcat. Initially, I tried to use the hash as is from the .db file (using Sqlite Browser), then I tried formatting the hash (replacing : with $ as suggested by other sources) but that still getting 'separator unmatched' errors. This required transforming a werkzeug hash? Is there something that gives it away in the hash. I want to understand this for when I run into other hashes in the future.
