Possible to get cleartext password?

Solution 1:

The code provided by Giulio isn't helpful, here's a Python script that actually works. Requires PyCrypto (python-crypto). Assumes that Plesk secret key is stored at /etc/psa/private/secret_key. Just run it and pass in encrypted passwords as arguments:

./deplesk.py '$AES-128-CBC$T82uDt6NSdytfhjQaOIKGg==$CMJ6FIdAD8zJ0PgwQ3DosA=='

Script:

#!/usr/bin/env python
import sys
import base64
from Crypto.Cipher import AES

key = open('/etc/psa/private/secret_key', 'rb').read()

for pw in sys.argv[1:]:
    lead, typ, iv, ct = pw.split('$')
    iv = base64.b64decode(iv)
    ct = base64.b64decode(ct)
    assert typ == 'AES-128-CBC'
    plain = AES.new(key, mode=AES.MODE_CBC, IV=iv).decrypt(ct).rstrip(b'\0')
    print(plain.decode('utf8'))

Solution 2:

Why not just figure out what hashing algorithm Plesk uses, and replicate that functionality in your PHP application? You don't need the un-ecrypted version of a password to authenticated against it, and you never really want to store a password in the clear, or with a reversible encryption.

Solution 3:

Theoretically, if the program can get the encryption password, yes, you can get back the password in plain text.
EDIT: added decryption code.

function decrypt_password($pass,$key)
{

$base64encoded_ciphertext = $pass;

$res_non = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($base64encoded_ciphertext), ‘ecb’);

$decrypted = $res_non;
$dec_s2 = strlen($decrypted);

$padding = ord($decrypted[$dec_s2-1]);
$decrypted = substr($decrypted, 0, -$padding);

return  $decrypted;
}