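#!/usr/bin/env python
# Written by Wesley Wineberg - 2017
"""Decrypt a Bamboo ``BAMSCRT@...`` credential from its stored key material.

Arguments (all positional):
    1. path to the ``cipher.key`` file (raw key bytes)
    2. base64 of ``com.atlassian.restricted.instance.cipher.key``
    3. base64 of the IV
    4. the encrypted credential, e.g. ``BAMSCRT@0@0@<base64 ciphertext>``

Security notes for reviewers and operators:
    * The AES key is simply the XOR of the file key and the database key, and
      both parts (plus the IV) are stored by the application itself. The
      stored credentials are therefore only as confidential as the backups
      and database dumps that hold those parts.
    * Key material given on the command line is visible in process listings
      and shell history, and the plaintext goes to stdout. Run this only on a
      host where that exposure is acceptable.
"""
import base64
import binascii
import sys

import Crypto.Cipher.AES as AES
import Crypto.Util.Counter
from Crypto.Util.strxor import strxor

SECRET_PREFIX = "BAMSCRT"
# Length of the "BAMSCRT@0@0@" header shown in the example credential.
# NOTE(review): assumes both '@'-separated fields are single characters; confirm
# against real data before relying on this offset for other credential variants.
PAYLOAD_OFFSET = 12


def usage():
    """Print command-line help and exit with status 0."""
    print("./bamboo-secret-decrypt.py <cipher.key file> <instance cipher key (base64)> <iv (base64)> <encrypted credential>")
    print("cipher.key file is found in backups under /configuration/cipher/cipher.key_0")
    print("com.atlassian.restricted.instance.cipher.key and iv are found in the database under bandanaItems (or in the db backup)")
    print("ex: ./bamboo-secret-decrypt.py cipher.key_0 mQ2LXyFiH8Q6/tcg/s+SixhpWu9U2kL/1nlaRibR0N8= M+23WYC4K2fmGeSy9P9UDA== BAMSCRT@0@0@geWgsh/UrCNJNvL6bSngDA==")
    sys.exit(0)


def _strip_pkcs7(data):
    """Return *data* without its PKCS#5/#7 padding, or None if it is malformed."""
    if not data or len(data) % AES.block_size:
        return None
    # Slice rather than index so this works on Python 2 str and Python 3 bytes.
    pad_len = ord(data[-1:])
    if not 1 <= pad_len <= AES.block_size:
        return None
    if data[-pad_len:] != data[-1:] * pad_len:
        return None
    return data[:-pad_len]


def main():
    """Decrypt the credential given on the command line and write it to stdout."""
    if len(sys.argv) != 5:
        usage()

    # Close the key file promptly instead of leaking the handle.
    with open(sys.argv[1], 'rb') as key_file:
        key = key_file.read()
    # b64decode replaces decodestring, which newer Python 3 releases no longer provide.
    key2 = base64.b64decode(sys.argv[2])
    iv = base64.b64decode(sys.argv[3])

    if len(key) != len(key2):
        sys.stderr.write(
            "Key length mismatch: cipher.key file is %d bytes, decoded instance key is %d bytes\n"
            % (len(key), len(key2)))
        sys.exit(1)

    # Actual key used for decryption is just a combination of the two input keys
    finalkey = strxor(key, key2)
    decryptor = AES.new(finalkey, AES.MODE_CBC, iv)

    # Check input data format
    encdata = sys.argv[4]
    if not encdata.startswith(SECRET_PREFIX):
        print("Invalid encrypted credential format. Example encrypted credential: BAMSCRT@0@0@geWgsh/UrCNJNvL6bSngDA==")
        sys.exit()
    encdata = base64.b64decode(encdata[PAYLOAD_OFFSET:])

    out = decryptor.decrypt(encdata)

    # CBC carries no integrity check, so wrong key material yields garbage
    # rather than an error. Well-formed padding is only a hint that the key
    # was right: it can occur by chance.
    plain = _strip_pkcs7(out)
    if plain is None:
        sys.stderr.write(
            "Warning: output has no valid PKCS#5 padding; key material or IV may be wrong. Printing raw output.\n")
        plain = out

    # Write bytes directly so the output is identical on Python 2 and Python 3.
    stream = getattr(sys.stdout, 'buffer', sys.stdout)
    stream.write(plain + b"\n")


if __name__ == '__main__':
    main()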