Pretty Good Privacy (PGP)

Pretty Good Privacy or PGP was a popular program used to encrypt and decrypt email over the internet, as well as authenticate messages with digital signatures and encrypted stored files. PGP now commonly refers to any encryption program or application that implements the OpenPGP public key cryptography standard.

PGP in CTF

The idea is to import the PGP private key key.asc and then decrypt the encrypted PGP message credential.pgp. However, if we try importing the PGP private key, it asks for a password:

Import PGP Key

gpg --import key.asc

In some cases, it may require a passphrase to import the key.

#Please enter the secret key you need the passphrase:

Using John to crack the PGP Key passphrase

You need to convert the key to the john format.

gpg2john key.asc > hash.crack

Once you obtained the hash, use John to crack the hash:

john hash.crack --wordlist=/usr/share/wordlists/rockyou.txt

If it's cracked, it'll end up:

Warning: detected hash type "gpg", but the string is also recognized as "gpg-opencl"
Use the "--format=gpg-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1234             (jimbo)
Session completed

Now you can import your key and decrypt the secret message.

Decrypt File

gpg --import key.asc
#Enter the passphrase
gpg --decrypt credential.pgp