GnuPG


The presence of GPG (GnuPG) was initially discovered through PEAS, as the current user, wao, has AllAccess to the installation directory: C:\Program Files (x86)\gnupg\bin

*Evil-WinRM* PS C:\Users\WAO\AppData\Roaming> ls
 
    Directory: C:\Users\WAO\AppData\Roaming
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/17/2024   1:55 AM                gnupg
d---s-        2/23/2024  11:04 AM                Microsoft

There is a gnupg directory in AppData\Roaming.

*Evil-WinRM* PS C:\Users\WAO\AppData\Roaming> cd gnupg ; ls
 
 
    Directory: C:\Users\WAO\AppData\Roaming\gnupg
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/17/2024   1:55 AM                private-keys-v1.d
d-----        9/16/2024   6:14 AM                public-keys.d
-a----        2/16/2024  11:42 PM             13 common.conf
-a----        2/17/2024   1:55 AM              0 gnupg_spawn_agent_sentinel.lock
-a----        2/17/2024   1:55 AM              0 gnupg_spawn_keyboxd_sentinel.lock
-a----        2/17/2024   1:55 AM           1200 trustdb.gpg
-a----        2/17/2024   1:55 AM              0 trustdb.gpg.lock

The directory is populated

*Evil-WinRM* PS C:\Users\WAO\AppData\Roaming\gnupg\private-keys-v1.d> ls -Hidden
*Evil-WinRM* PS C:\Users\WAO\AppData\Roaming\gnupg\public-keys.d> ls
 
    Directory: C:\Users\WAO\AppData\Roaming\gnupg\public-keys.d
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/16/2024   6:14 AM          77824 pubring.db
-a----        2/17/2024   1:55 AM              0 pubring.db.lock

There are some public keys available

*Evil-WinRM* PS C:\Users\WAO\AppData\Roaming\gnupg> gpg -k
[keyboxd]
---------
pub   rsa3072 2023-12-19 [SC] [expires: 2025-12-18]
      5017E93C3BDA7742BF5AFCD5EBB04FD7AC888F55
uid           [ unknown] mohammed1997 <aitac2hi.uchiha@gmail.com>
sub   rsa3072 2023-12-19 [E] [expires: 2025-12-18]
 
pub   rsa3072 2024-09-15 [SC] [expires: 2026-09-15]
      77FCCD026B7489A048865DB5AFA92D3CACA6DE47
uid           [ unknown] spectra <spectra@test.htb>
sub   rsa3072 2024-09-15 [E] [expires: 2026-09-15]
 
pub   rsa3072 2024-01-02 [SC] [expires: 2026-01-01]
      81FE9F82EFFFDB31CD117FD17F4594ABE30D2838
uid           [ unknown] mhd1234 <mhd1234@gmail.com>
sub   rsa3072 2024-01-02 [E] [expires: 2026-01-01]
 
pub   rsa3072 2023-12-19 [SC] [expires: 2025-12-18]
      A3CB1D369B9B6B790ED12858B30BCDF16D498449
uid           [ unknown] mohammed1997 <aitac2hi.uchiha@gmail.com>
sub   rsa3072 2023-12-19 [E] [expires: 2025-12-18]
 
pub   rsa3072 2023-12-21 [SC] [expires: 2025-12-20]
      D082233EA23A218B9A24D2FEF8730854E83C8A3D
uid           [ unknown] mohammed1 <Camellia@athento.com>
sub   rsa3072 2023-12-21 [E] [expires: 2025-12-20]

All the listed keys include both primary keys ([SC], for signing and certification) and subkeys ([E], for encryption). This might come in handy, as I would be able to perform forgery or impersonation.
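As an added example (not part of the original notes), the Python below parses the human-readable `gpg -k` listing shown above and reports what a keyring review would look for: user IDs claimed by more than one fingerprint, and keys with no validated user ID. The function names are hypothetical and the default English listing layout is assumed; for scripting, GnuPG's `--with-colons` output is the stable format.

```python
import re

# Excerpt of the `gpg -k` listing shown above (three of the five entries).
LISTING = """\
pub   rsa3072 2023-12-19 [SC] [expires: 2025-12-18]
      5017E93C3BDA7742BF5AFCD5EBB04FD7AC888F55
uid           [ unknown] mohammed1997 <aitac2hi.uchiha@gmail.com>
sub   rsa3072 2023-12-19 [E] [expires: 2025-12-18]
pub   rsa3072 2024-09-15 [SC] [expires: 2026-09-15]
      77FCCD026B7489A048865DB5AFA92D3CACA6DE47
uid           [ unknown] spectra <spectra@test.htb>
sub   rsa3072 2024-09-15 [E] [expires: 2026-09-15]
pub   rsa3072 2023-12-19 [SC] [expires: 2025-12-18]
      A3CB1D369B9B6B790ED12858B30BCDF16D498449
uid           [ unknown] mohammed1997 <aitac2hi.uchiha@gmail.com>
sub   rsa3072 2023-12-19 [E] [expires: 2025-12-18]
"""

KEY_RE = re.compile(r"^(pub|sub)\s+(\S+)\s+(\d{4}-\d\d-\d\d)\s+\[([A-Z]+)\]"
                    r"(?:\s+\[expires: (\d{4}-\d\d-\d\d)\])?")
FPR_RE = re.compile(r"^\s+([0-9A-F]{40})\s*$")
UID_RE = re.compile(r"^uid\s+\[\s*([^\]]+?)\s*\]\s+(.+)$")

def parse_listing(text):
    """Return one dict per primary key: fingerprint, user IDs, and its pub/sub parts."""
    keys, cur = [], None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            kind, algo, _created, usage, expires = m.groups()
            if kind == "pub":  # a pub line starts a new key block
                keys.append(cur := {"fpr": None, "uids": [], "parts": []})
            if cur is not None:
                cur["parts"].append({"kind": kind, "algo": algo, "usage": usage, "expires": expires})
        elif cur is not None and (m := FPR_RE.match(line)):
            cur["fpr"] = m.group(1)
        elif cur is not None and (m := UID_RE.match(line)):
            cur["uids"].append({"validity": m.group(1), "uid": m.group(2).strip()})
    return keys

def audit(keys):
    """Flag user IDs claimed by several fingerprints, and keys with no validated user ID."""
    by_uid = {}
    for key in keys:
        for u in key["uids"]:
            by_uid.setdefault(u["uid"], set()).add(key["fpr"])
    ambiguous = {uid: sorted(fprs) for uid, fprs in by_uid.items() if len(fprs) > 1}
    unvalidated = [k["fpr"] for k in keys
                   if not any(u["validity"] in ("full", "ultimate") for u in k["uids"])]
    return ambiguous, unvalidated
```

On this excerpt, `audit(parse_listing(LISTING))` reports the `mohammed1997` user ID under two different fingerprints and all three keys as unvalidated, which is why a key should be identified by its fingerprint rather than by name or e-mail.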