b3dr0ck
b3dr0ck, THM. Bit contrived I guess but quite fun actually and a little different and therefore worth noting an aspect or two.
┌──(root💀kali)-[/opt/thm/b3dr0ck]
└─# nc 10.10.151.51 9009
You use this service to recover your client certificate and private key
What are you looking for? certificate
Sounds like you forgot your certificate. Lets find it for you...
-----BEGIN CERTIFICATE-----
# Cert here
-----END CERTIFICATE-----
What are you looking for? key
Sounds like you forgot your private key. Lets find it for you...
-----BEGIN RSA PRIVATE KEY-----
# key here
-----END RSA PRIVATE KEY-----┌──(root💀kali)-[/opt/thm/b3dr0ck]
└─# openssl s_client -cert cert.pem -key id_rsa -connect 10.10.151.51:54321
CONNECTED(00000003)
Cant use SSL_get_servername
depth=0 CN = localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:CN = localhost
i:CN = localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 27 03:35:22 2022 GMT; NotAfter: Aug 27 03:35:22 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
# cert removed, for brevity
-----END CERTIFICATE-----
subject=CN = localhost
issuer=CN = localhost
---
Acceptable client certificate CA names
CN = localhost
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1348 bytes and written 1501 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
# ASCII art removed
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A716E8196D35BFD19364D0347B2E9E8A433E6F8A4686C5659A21F56A8D6BE0D4
Session-ID-ctx:
Resumption PSK: 846A3CCD7D398D6B70162679775D0DEC0D8B3552178C974D7E0F63CBD1D6855B092CEC27664F7A0EDDE64C3C1CD1B2F0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 9e 68 4e e0 5d e2 bc 85-e6 dd d7 21 c6 79 1a 37 .hN.]......!.y.7
0010 - 90 4a 57 70 b3 aa d4 a5-73 f4 ff 34 85 fa e2 8c .JWp....s..4....
0020 - d1 3b 3c f3 48 d6 64 99-e0 e8 bf 9c 59 b5 c2 ef .;<.H.d.....Y...
0030 - b4 6d 70 92 e5 17 61 11-99 b3 a4 3c 85 08 c2 bc .mp...a....<....
0040 - 85 3d c5 22 c4 18 12 2d-27 85 17 d4 14 7c 2c 7d .=."...-'....|,}
0050 - 45 98 f0 4a 62 3a 27 94-3a 93 fb 73 9c 38 33 bc E..Jb:'.:..s.83.
0060 - f6 40 57 64 4d f2 8f c7-a4 dd 33 a8 82 91 5e ae .@WdM.....3...^.
0070 - 44 78 25 fa c4 a4 b8 1f-75 8c 82 fa 27 67 78 b0 Dx%.....u...'gx.
0080 - b9 5b d9 03 b0 74 da 96-be f4 2a 08 4c 49 3e 28 .[...t....*.LI>(
0090 - 97 b4 b5 41 1a 96 b6 21-cb fc c0 60 a1 f0 24 e4 ...A...!...`..$.
00a0 - fe 71 62 d5 68 bf 8d a6-59 5b ae c8 de 78 aa 92 .qb.h...Y[...x..
00b0 - 1a f6 55 3a 8e 6d d4 06-d4 6c 9e 41 f6 e4 67 75 ..U:.m...l.A..gu
00c0 - 34 0a 9d e1 06 ec e4 25-d5 22 c2 03 59 42 18 2b 4......%."..YB.+
00d0 - 85 12 d6 19 e6 27 e9 bf-4e 80 db 7d c5 a2 a4 40 .....'..N..}...@
00e0 - 4c 42 82 66 67 29 ec b0-c1 51 f1 bf 3c 55 45 fa LB.fg)...Q..<UE.
00f0 - 64 0a 6f cf 45 69 f0 fb-26 9b c2 a2 0b b7 29 1e d.o.Ei..&.....).
0100 - 4b 76 55 82 68 d8 10 02-65 29 ae 66 58 bb 81 c0 KvU.h...e).fX...
0110 - 77 55 58 b5 89 ea 09 68-98 f0 f1 a7 76 3e 4d d2 wUX....h....v>M.
0120 - 9a d9 f7 73 a7 31 67 d4-00 2d a4 8e c8 bb f4 1e ...s.1g..-......
0130 - 04 ad a3 e9 60 84 15 9c-28 63 3f bc c2 e7 25 e8 ....`...(c?...%.
0140 - c7 06 c1 07 01 05 79 69-9b 59 cc c1 16 20 2f 5d ......yi.Y... /]
0150 - 7d d8 d0 41 cd 8b 5e bf-c8 33 eb 9f a9 6c 2a 24 }..A..^..3...l*$
0160 - 74 1f 37 95 b1 38 49 13-9a bf a7 d4 75 ce 42 63 t.7..8I.....u.Bc
0170 - 6c e5 b4 a2 af 2d 44 fb-b8 e3 e0 67 0e 98 30 e3 l....-D....g..0.
0180 - 2c 0e 7c bd 91 10 04 e7-79 a0 8e 51 31 cc 69 09 ,.|.....y..Q1.i.
0190 - c8 23 13 f1 8b ea 7d fe-e0 1c 71 e5 3f e1 57 f0 .#....}...q.?.W.
01a0 - 4d 36 7a 5f 47 bc c2 6c-fb a3 bc 69 49 ef 80 e8 M6z_G..l...iI...
01b0 - 80 81 a4 7d c1 bf 83 0b-90 bc fb 28 96 10 76 28 ...}.......(..v(
01c0 - 16 5e 64 19 63 62 6a 2f-5e c1 42 69 3c c9 51 4f .^d.cbj/^.Bi<.QO
01d0 - 9d c9 eb 45 e8 ff 6d 60-ce 04 99 77 4f 91 e7 41 ...E..m`...wO..A
01e0 - 85 05 50 61 8c 72 41 0c-f9 6e b1 b2 4a 01 1c 25 ..Pa.rA..n..J..%
01f0 - 2c bd d8 18 c6 a1 1d 55-9c 5f 8e bf cb be 9e 8b ,......U._......
0200 - 70 a3 bf 4c 7a 08 1a 70-d4 b8 ac aa bb c8 e6 f7 p..Lz..p........
0210 - 79 a3 ea a2 0d 6f 0c d8-a6 54 12 05 eb 38 68 a9 y....o...T...8h.
0220 - 38 01 3f 70 8c 30 71 44-3e a3 48 c2 8c 6a aa 64 8.?p.0qD>.H..j.d
0230 - 13 2b 74 17 85 a2 22 ac-6f 30 ce 86 5b 3d 5d 2d .+t...".o0..[=]-
0240 - fd 87 76 c1 0f 84 9a fd-e8 15 b5 63 42 3e e1 a0 ..v........cB>..
0250 - 11 24 4c 52 4b be f7 5b-64 68 ae 00 3f 54 c1 29 .$LRK..[dh..?T.)
0260 - 5d 0d 82 f6 64 db 1a 35-13 11 45 61 8a 87 62 69 ]...d..5..Ea..bi
0270 - e2 06 34 39 cc 8b 3c 1f-40 4e 1c 9f b5 ba fc 31 ..49..<.@N.....1
0280 - c1 af 0c e4 bc e9 24 35-0e 5a 6c 49 45 1d 2f df ......$5.ZlIE./.
0290 - 22 c7 fb ef de ce 0c 97-b2 6d 29 c1 ca 3a 32 c2 "........m)..:2.
02a0 - b5 67 5f d8 e3 e9 b8 0b-4f 18 b4 3b 31 1e d3 c9 .g_.....O..;1...
02b0 - 82 38 8a b5 65 29 85 f5-35 72 94 98 9f 03 e8 13 .8..e)..5r......
02c0 - 49 78 dd ac 01 dd b4 0f-f9 89 09 b6 38 f2 45 54 Ix..........8.ET
02d0 - f5 de a4 62 62 25 f7 8f-42 fb 2d ab ce 98 bd e5 ...bb%..B.-.....
02e0 - 2a 49 22 b9 a7 a3 97 3b-8d 80 81 01 ce 10 72 61 *I"....;......ra
02f0 - 20 86 e4 4d fb 39 57 0f-be 29 2f 6d 42 d1 72 12 ..M.9W..)/mB.r.
0300 - 3b 2a 4c ea e2 0f 35 2b-9e 7c a4 16 0d 0c 39 ef ;*L...5+.|....9.
0310 - 38 35 8c f8 c9 2c 75 6b-3a 6e 21 1e 20 c0 d8 6f 85...,uk:n!. ..o
0320 - eb a3 34 26 a5 d1 fc d0-09 86 14 6c a0 76 24 c3 ..4&.......l.v$.
0330 - bd da ed 08 51 84 18 63-48 05 11 04 12 d2 0b 12 ....Q..cH.......
0340 - fc 2c 7c ee 00 69 4f 37-ed 52 49 62 93 32 93 41 .,|..iO7.RIb.2.A
0350 - 88 c6 bc 9a 49 ca f1 fa-fe e8 3d 5e 5e 23 64 b7 ....I.....=^^#d.
0360 - 79 a8 16 07 b8 3a d0 49-0a fa 29 41 96 22 d8 de y....:.I..)A."..
0370 - f0 9a ff 4e 7b 98 1a f9-d6 76 a5 e0 89 7c 58 32 ...N{....v...|X2
0380 - 0f 4b f5 99 85 b0 7d 71-d5 d9 3c 41 dc 8d 19 c6 .K....}q..<A....
Start Time: 1661572317
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6584B19DBC875F22F987F0DDBF32A8EDC035583093701F974453F4E6F2FEBB12
Session-ID-ctx:
Resumption PSK: 76B3288EC7E30FF90F1F638C822B8D9350C8CEB73E4D63F939B94FA9A58E0168894BD8AE3D2EE16B299E680ACFFF9E67
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 9e 68 4e e0 5d e2 bc 85-e6 dd d7 21 c6 79 1a 37 .hN.]......!.y.7
0010 - 0f 84 3e b9 4f 9b 08 62-e6 d5 27 e7 c6 12 2b 03 ..>.O..b..'...+.
0020 - 5e ad 54 18 e0 f0 18 14-b6 64 93 42 5e cd 42 38 ^.T......d.B^.B8
0030 - b5 a5 5b 23 d6 5d 1a 80-73 b7 d1 f3 94 03 b2 74 ..[#.]..s......t
0040 - a6 b0 a2 40 5e aa 41 b2-f0 7f 46 4a c3 22 31 1c ...@^.A...FJ."1.
0050 - 7c a4 41 82 d9 03 82 20-cc 20 00 36 f3 89 d2 25 |.A.... . .6...%
0060 - 31 32 72 ff ec a3 72 eb-d6 12 a2 e8 73 48 e8 89 12r...r.....sH..
0070 - 08 e4 81 61 72 26 03 c8-fb a8 cf 81 7c 9e 1f c1 ...ar&......|...
0080 - 8c 7b 76 60 55 d9 d8 2d-e4 2b 51 df 1a fc e0 ba .{v`U..-.+Q.....
0090 - e9 ba 6a 80 de 6d 17 c2-33 45 25 6d e4 ba 38 79 ..j..m..3E%m..8y
00a0 - 77 05 9f e2 c3 cf 6e f3-01 6d 63 22 14 67 80 07 w.....n..mc".g..
00b0 - f3 84 8a 01 c2 d4 fe 45-08 4b 09 24 79 47 17 1a .......E.K.$yG..
00c0 - 33 cb 0c 58 76 d7 e7 41-a1 a4 f4 43 46 f7 0a 4b 3..Xv..A...CF..K
00d0 - fb ff df 7e ca a1 00 33-f1 66 ba a1 a9 fa 94 54 ...~...3.f.....T
00e0 - 37 3e 41 2d 47 56 ee 12-3c 03 16 1f 8e 0d 68 51 7>A-GV..<.....hQ
00f0 - dc 6c c7 17 d8 8f 47 e0-5a 9e 65 b7 ee 22 95 8f .l....G.Z.e.."..
0100 - 63 fb 41 4e fc 06 16 05-f3 ae 99 9a 29 02 49 27 c.AN........).I'
0110 - fe e9 a1 d1 33 19 a0 e9-e0 37 13 3e 68 52 73 7f ....3....7.>hRs.
0120 - ec d3 f7 4b ea ab 00 bb-99 e8 bc 17 05 0c ec 5e ...K...........^
0130 - 82 13 39 90 e6 11 b0 83-60 ab 1f 4f b2 cc 75 b0 ..9.....`..O..u.
0140 - ee fb f4 c1 97 8d 09 d5-82 90 39 fe ff 5b 8c 3f ..........9..[.?
0150 - 95 39 ad 23 49 05 a9 4c-00 9c 77 85 3f bf 4c 1a .9.#I..L..w.?.L.
0160 - 93 67 7d bd 0e b5 c2 65-d5 08 6b 7d 4f 98 49 a8 .g}....e..k}O.I.
0170 - d4 26 89 09 cb 56 98 7d-7a 13 f7 ac 18 8a c7 a3 .&...V.}z.......
0180 - a8 1e 09 a1 0d 91 eb 5a-61 7e 66 66 d8 d7 3d b1 .......Za~ff..=.
0190 - 40 50 df 3c 12 51 97 e9-0e f2 2a 3e 01 1d 81 e2 @P.<.Q....*>....
01a0 - c1 b7 db 22 85 4d 4e 96-84 57 b4 e3 d1 53 d8 7a ...".MN..W...S.z
01b0 - 18 2b 55 b7 74 06 1e f6-53 7b ec 27 77 23 ec 21 .+U.t...S{.'w#.!
01c0 - 16 23 31 6e 59 8e c8 aa-46 e7 31 f9 45 22 e8 22 .#1nY...F.1.E"."
01d0 - a9 49 b4 7f ea 95 69 1f-ca e5 b3 8a f4 37 f4 77 .I....i......7.w
01e0 - 71 7b ef b2 bf 5d 5e 7f-36 64 5d c4 b4 30 e6 3b q{...]^.6d]..0.;
01f0 - 08 3b 65 3e f6 2f c7 8e-62 e0 70 15 63 2d 82 ca .;e>./..b.p.c-..
0200 - 17 d8 04 e8 de 41 48 26-57 63 1e e2 a9 ce 25 1f .....AH&Wc....%.
0210 - 70 6c 39 a0 14 b1 f3 d7-bc 77 ee ca 03 e6 05 48 pl9......w.....H
0220 - 67 9e 31 45 2a 76 cc 6c-6c 5d 04 48 a2 a0 2e 6f g.1E*v.ll].H...o
0230 - ed d6 2c 03 ba 4a 79 d2-30 a2 47 f0 6e 97 e3 19 ..,..Jy.0.G.n...
0240 - 14 5d 91 90 a9 5d 7a b3-59 72 0e a6 5c b2 eb 0e .]...]z.Yr..\...
0250 - 2c 8c 64 8d e0 bb f2 dd-77 9e ec a6 42 d7 42 28 ,.d.....w...B.B(
0260 - af 8e ac 7d e4 c4 a6 d4-0b c3 d2 8c a4 5c 42 ee ...}.........\B.
0270 - fb 5c a6 d2 b6 b1 29 ac-43 b8 59 32 1e 4a f6 59 .\....).C.Y2.J.Y
0280 - 5b 6f b4 ad 05 d3 83 b8-ad 36 3b dd 1b 8a 6b 17 [o.......6;...k.
0290 - 39 2c 6b 20 37 f5 d0 99-77 8b 05 88 37 9f d3 10 9,k 7...w...7...
02a0 - 1c bc a0 cb 8b c2 a6 49-c3 96 16 f4 4d ae 9a dd .......I....M...
02b0 - d2 19 fc 96 7c 2e c6 a7-90 45 06 a4 a0 be 5a 0d ....|....E....Z.
02c0 - 88 fd de 0d 29 41 a7 9b-57 2c 0d ac 48 fc 42 e8 ....)A..W,..H.B.
02d0 - 24 a1 b1 cc 38 af cb ca-1c dd b8 47 08 29 7a 9b $...8......G.)z.
02e0 - 96 0d dc 13 1e 99 45 aa-9d c9 c8 f6 25 75 a8 25 ......E.....%u.%
02f0 - b3 34 c7 02 18 ff 4a 04-8a cf 4a c2 38 be 61 7e .4....J...J.8.a~
0300 - 5b 90 fc ee 1f 02 ca a6-88 3e cf ad 5b 6b f8 ac [........>..[k..
0310 - 85 fb e6 23 48 d0 80 6f-6d 29 9b 60 57 71 d0 41 ...#H..om).`Wq.A
0320 - 88 28 77 7e b0 70 25 44-05 28 89 55 7b b7 c8 90 .(w~.p%D.(.U{...
0330 - 18 80 aa a3 2c d4 b1 86-c9 9b 74 dd 56 20 e0 0c ....,.....t.V ..
0340 - 05 df 31 81 36 51 51 15-ff 56 59 c5 1d 6f 56 bf ..1.6QQ..VY..oV.
0350 - 07 ae bf dd 70 62 6c 29-b3 b7 74 ac 35 8a d2 3a ....pbl)..t.5..:
0360 - 2d 27 f2 8f f3 01 a2 59-1f 0d c2 1e 42 27 8b 69 -'.....Y....B'.i
0370 - e5 9e 08 55 11 eb 6e 73-89 e0 4f f7 64 53 2f 93 ...U..ns..O.dS/.
0380 - 3c bc 3a 65 4a e9 92 1b-04 09 b1 d2 e9 7a 66 05 <.:eJ........zf.
Start Time: 1661572317
Timeout : 7200 (sec)
Verify return code: 18 (self-signed certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Welcome: 'Barney Rubble' is authorized.
b3dr0ck> id
Unrecognized command: 'id'
This service is for login and password hints
b3dr0ck> help
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')
b3dr0ck> barney@b3dr0ck:/tmp$ sudo -l
Matching Defaults entries for barney on b3dr0ck:
insults, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User barney may run the following commands on b3dr0ck:
(ALL : ALL) /usr/bin/certutil
barney@b3dr0ck:/tmp$ sudo -u root /usr/bin/certutil ls
Current Cert List: (/usr/share/abc/certs)
------------------
total 56
drwxrwxr-x 2 root root 4096 Apr 30 21:54 .
drwxrwxr-x 8 root root 4096 Apr 29 04:30 ..
-rw-r----- 1 root root 972 Aug 27 03:35 barney.certificate.pem
-rw-r----- 1 root root 1674 Aug 27 03:35 barney.clientKey.pem
-rw-r----- 1 root root 894 Aug 27 03:35 barney.csr.pem
-rw-r----- 1 root root 1678 Aug 27 03:35 barney.serviceKey.pem
-rw-r----- 1 root root 976 Aug 27 03:35 fred.certificate.pem
-rw-r----- 1 root root 1678 Aug 27 03:35 fred.clientKey.pem
-rw-r----- 1 root root 898 Aug 27 03:35 fred.csr.pem
-rw-r----- 1 root root 1678 Aug 27 03:35 fred.serviceKey.pembarney@b3dr0ck:/tmp$ sudo -u root /usr/bin/certutil -O fred
Generating credentials for user: O (fred)
Generated: clientKey for O: /usr/share/abc/certs/O.clientKey.pem
Generated: certificate for O: /usr/share/abc/certs/O.certificate.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAzug7pDJCH/nz/mq2afGi99A9N5GklEeJBY1zN72IaB6JvWJ6
DjbBI+XlLkVYKL1HQS/xHl4EHrEQtboXimkgQb2GqFNjpHIplpHY/WZXY4C468te
0bpf9XZ+b9utp62H/CTW9Md8vfTpAwCie4gHoAvLmTyl04WYpTx1CHpyKttsHIy0
# etcAnd it’s back through the loop above with the new cert/key and then an unrelated privesc with a multiply encoded and hashed password that’s not in rockyou