Anonforce
This room is another simple boot2root challenge. Its main focus is enumeration: anonymous FTP exposes the machine's whole file system, so all we need to do is enumerate carefully in order to gain root access. Along the way we also have to crack a GPG passphrase to get at some encrypted data.
Initial Foothold
The first thing that we need to do after starting the machine is to run an nmap scan against the machine's IP address.
┌─[tester@parrot-virtual]─[~/Downloads/anonforce]
└──╼ $ nmap -A 10.10.94.82
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-20 11:19 IST
Nmap scan report for 10.10.94.82
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot
| drwxr-xr-x 17 0 0 3700 Nov 19 21:38 dev
| drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64
| drwx------ 2 0 0 16384 Aug 11 2019 lost+found
| drwxr-xr-x 4 0 0 4096 Aug 11 2019 media
| drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt
| drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread [NSE: writeable]
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt
| dr-xr-xr-x 93 0 0 0 Nov 19 21:38 proc
| drwx------ 3 0 0 4096 Aug 11 2019 root
| drwxr-xr-x 18 0 0 540 Nov 19 21:38 run
| drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv
| dr-xr-xr-x 13 0 0 0 Nov 19 21:38 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.91.135
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
| 256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
|_ 256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.86 seconds
One thing is clear straight away: anonymous FTP login is allowed, and the directory listing (bin, boot, etc, home, root, ...) shows that the FTP root is the machine's file system root, so we can browse the entire file system. But we must keep in mind that this is only FTP access: we can list and download files, but we cannot run OS commands such as cat or whoami, and anything we want to read has to be pulled to our own machine first.
Moving on, we log in to the FTP server as anonymous and search for interesting files that might turn out to be helpful.
As our immediate target is the user flag, we head over to the /home directory and check the user files.
There is one user, melodias, and the user.txt file is present in his home directory. Since we only have an FTP connection we cannot cat it, so we download the file to our local machine (get for a single file, mget for several) and read it there.
Now, the next task is to escalate our privileges and obtain the root flag.
Privilege Escalation
We can start with the basic checks we usually do for privilege escalation, such as looking for any odd cron job on the machine.
Once the file is downloaded, we can read its content locally.
But we don't find anything odd here. Also, because this is only an FTP connection we cannot run find to look for files by name or permission, which leaves us with no other option but to enumerate the file system manually, directory by directory.
We can start enumerating files from the root (/) and look for any odd file.
Here, we can see that there is one odd directory named notread: in the nmap ftp-anon listing above it is the only world-writable (drwxrwxrwx) entry at the root, and it is owned by UID 1000 rather than by root, while every other top-level entry is root-owned and not writable by others.
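The manual walk through the file system above is a pattern-matching exercise: read each directory listing and stop on anything that looks out of place. The following is an added example (not code from the original write-up) that does that triage mechanically over the ls -l style lines printed by nmap's ftp-anon script, flagging world-writable paths, paths not owned by root, and SUID/SGID files. The listing it runs on is a constructed subset of the nmap output shown earlier; the sbin/mount line is hypothetical and was added only to exercise the SUID check.

```python
"""Triage an FTP directory listing for entries worth a closer look.

Added example, not part of the original write-up. It parses the
ls -l style lines printed by nmap's ftp-anon script (and by the FTP
LIST command) and flags what a manual walk of the file system should
stop on: world-writable paths, paths not owned by root, and files with
the SUID/SGID bit set. SAMPLE_LISTING is a constructed subset of the
ftp-anon output in the write-up; the sbin/mount line is hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LISTING = """\
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| drwx------ 2 0 0 16384 Aug 11 2019 lost+found
| drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread [NSE: writeable]
| drwx------ 3 0 0 4096 Aug 11 2019 root
| -rwsr-xr-x 1 0 0 40432 Aug 11 2019 sbin/mount
"""

# One ls -l line, optionally prefixed with nmap's "| " and suffixed with a
# symlink target and/or an "[NSE: ...]" annotation.
_LINE_RE = re.compile(
    r"^\|?\s*(?P<perms>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]{4,5}\s+(?P<name>.+?)"
    r"(?:\s+->\s+(?P<target>\S+))?(?:\s+\[NSE:\s*(?P<nse>[^\]]+)\])?$"
)


@dataclass
class Entry:
    perms: str
    uid: str
    gid: str
    size: int
    name: str
    target: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def _inspect(entry: Entry) -> None:
    """Attach the reasons an entry deserves attention."""
    p = entry.perms
    if p[0] == "l":
        return  # symlink modes always read 777 and mean nothing; look at the target instead
    kind = {"d": "directory", "-": "file"}.get(p[0], "special")
    if p[8] == "w":
        entry.findings.append(f"world-writable {kind}")
    if entry.uid != "0":
        entry.findings.append(f"owned by uid {entry.uid}, not root")
    if p[3] in "sS":
        entry.findings.append("setuid")
    if p[6] in "sS":
        entry.findings.append("setgid")


def parse_listing(listing: str) -> List[Entry]:
    entries = []
    for raw in listing.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue  # skips nmap header/footer lines such as "|_Only 20 shown."
        e = Entry(m["perms"], m["uid"], m["gid"], int(m["size"]), m["name"], m["target"])
        _inspect(e)
        entries.append(e)
    return entries


def suspicious(listing: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    return {e.name: e.findings for e in parse_listing(listing) if e.findings}


if __name__ == "__main__":
    for name, why in suspicious(SAMPLE_LISTING).items():
        print(f"{name}: {', '.join(why)}")
```

Feeding it the full listing of each directory retrieved over FTP (the output of ls -l in the FTP client has the same shape) turns the "look for any odd file" step into a repeatable check; notread is reported for both the mode and the owner, which is exactly what made it stand out by eye.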
And in that directory we find two files, backup.pgp and private.asc: an ASCII-armoured PGP private key and data encrypted to it. This is a direct hint towards cracking the key's passphrase, and for that we first download both files to our local system.
In order to access the encrypted data we have to work through a fixed sequence of steps: recover the passphrase, import the private key, then decrypt the backup (more details can be found in the "Recover Your GPG Passphrase" link under Links Referred).
We can try to import private.asc straight away, but it won't succeed, as gpg asks for the key's passphrase and we don't have it.
So our first task is to crack the passphrase protecting private.asc. For that we need gpg2john, which is part of the jumbo build of John the Ripper (see the John Tools link under Links Referred); it converts the armoured key into a hash line that john understands.
Now, we can pass the newly created hash to john for cracking.
And here john gives us the passphrase for private.asc. Now we can import the key without trouble.
Once the key is imported, we can move on and decrypt backup.pgp.
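The gpg2john → john → gpg --import → gpg --decrypt sequence above hides what john actually does with each guess. The example below is added here and is not code from john, gpg2john or GnuPG: it implements the iterated and salted string-to-key derivation (RFC 4880, section 3.7.1.3) that a passphrase-protected OpenPGP secret key specifies and that gpg2john copies into its hash line (hash algorithm, 8-octet salt, coded count). The salt and count are constructed values, not the ones from the room's private.asc, and the SHA-1 / AES-128 choice is an assumption standing in for whatever gpg2john reports for a given key.

```python
"""What john does for every GPG passphrase guess: the S2K derivation.

Added example, not part of the original write-up and not code from
john, gpg2john or GnuPG. A passphrase-protected OpenPGP secret key
carries an S2K (string-to-key) specifier: hash algorithm, an 8-octet
salt and a one-octet coded iteration count (RFC 4880, section 3.7.1.3).
gpg2john copies those fields into the hash line it prints, and john
runs this derivation for each candidate before it can even attempt to
decrypt the key material. SALT and CODED_COUNT are constructed values.
"""
import hashlib
from typing import Dict, Iterable


def decode_s2k_count(coded: int) -> int:
    """Expand the coded octet into the number of octets to hash:
    (16 + low nibble) << (high nibble + 6), i.e. 1024 .. 65011712."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K (specifier type 3).

    (salt || passphrase) is fed to the hash repeatedly until `count`
    octets have been hashed; if count is smaller than one copy, one full
    copy is hashed anyway. When the cipher key is longer than one digest,
    extra hash contexts run over the same stream, the i-th pre-loaded with
    i zero octets, and their outputs are concatenated and truncated.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salts are exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    stream = (block * (count // len(block) + 1))[:count]
    digest_len = hashlib.new(hash_name).digest_size
    out = b""
    for i in range((key_len + digest_len - 1) // digest_len):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        h.update(stream)
        out += h.digest()
    return out[:key_len]


def octets_hashed_per_guess(coded_count: int, key_len: int, hash_name: str = "sha1") -> int:
    """Rough cost model: why a high coded count makes john slow on GPG keys."""
    digest_len = hashlib.new(hash_name).digest_size
    contexts = (key_len + digest_len - 1) // digest_len
    return decode_s2k_count(coded_count) * contexts


# Constructed S2K parameters in the shape gpg2john reports them
# (hash 2 = SHA-1, cipher 7 = AES-128 with a 16-octet key, coded count 0x60).
SALT = bytes.fromhex("0123456789abcdef")  # constructed, not the room's salt
CODED_COUNT = 0x60


def derive_candidates(wordlist: Iterable[str], salt: bytes = SALT,
                      coded_count: int = CODED_COUNT, key_len: int = 16) -> Dict[str, bytes]:
    """Derive the cipher key each guess would unlock. A real cracker then
    decrypts the secret MPIs with that key and checks the trailing SHA-1
    checksum; that step needs the encrypted key blob and is left out here."""
    return {w: s2k_iterated_salted(w.encode(), salt, coded_count, key_len) for w in wordlist}


if __name__ == "__main__":
    print("octets hashed per guess:", octets_hashed_per_guess(CODED_COUNT, 16))
    for word, key in derive_candidates(["password", "letmein"]).items():
        print(f"{word!r:12} -> {key.hex()}")
```

The coded count is the knob that sets the cracking cost: 0x60 means 64 KiB of hashing per guess, and the maximum 0xFF means about 62 MiB, so a key generated with a high count (GnuPG calibrates it to the machine's speed) is dramatically slower to brute-force even with the same wordlist.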
From the content of the decrypted file it is clear that it is the system's /etc/shadow, which holds the password hashes for all accounts on the machine, and the hash for the root account is present. The $6$ prefix of that hash identifies it as sha512crypt. We copy the hash into a new file and hand it to john; note that john does not decrypt anything here, it hashes candidate passwords with the same salt and rounds and reports the one that produces an identical hash.
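To make that comparison concrete, here is an added example (not code from the original write-up and not john's code) that implements sha512crypt as specified in Ulrich Drepper's SHA-crypt document using only hashlib, and runs a dictionary attack over a shadow line. The shadow line is constructed from the public test vector in that specification (password "Hello world!"), not from the room's shadow file, and the word list is made up.

```python
"""Crack a sha512crypt ($6$) shadow entry by dictionary attack.

Added example, not part of the original write-up and not john's code.
It implements sha512crypt (Drepper's SHA-crypt specification) with only
hashlib, so the check john performs is visible: nothing is decrypted,
each candidate is hashed with the salt and rounds from the target and
compared. SAMPLE_SHADOW is constructed from the spec's public test
vector; SAMPLE_WORDLIST is made up.
"""
import hashlib
from typing import Iterable, Optional, Tuple

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
_KNOWN_PREFIXES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
                   "$6$": "sha512crypt", "$y$": "yescrypt"}


def hash_type(hashed: str) -> str:
    return next((n for p, n in _KNOWN_PREFIXES.items() if hashed.startswith(p)), "unknown")


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(digest: bytes) -> str:
    # The 64 digest bytes are emitted three at a time in a permuted order.
    parts = []
    for i in range(21):
        a, b, c = i, i + 21, i + 42
        if i % 3 == 1:
            a, b, c = b, c, a
        elif i % 3 == 2:
            a, b, c = c, a, b
        parts.append(_b64_24bit(digest[a], digest[b], digest[c], 4))
    parts.append(_b64_24bit(0, 0, digest[63], 2))
    return "".join(parts)


def parse_salt(setting: str) -> Tuple[int, str, bool]:
    """Split '$6$[rounds=N$]salt[$hash]' into (rounds, salt, rounds_explicit)."""
    if not setting.startswith("$6$"):
        raise ValueError("not a sha512crypt setting")
    rest = setting[3:]
    rounds, explicit = _DEFAULT_ROUNDS, False
    if rest.startswith("rounds="):
        num, _, rest = rest[len("rounds="):].partition("$")
        rounds, explicit = min(max(int(num), 1000), 999_999_999), True
    return rounds, rest.split("$", 1)[0][:16], explicit


def sha512crypt(password: bytes, setting: str) -> str:
    rounds, salt_str, explicit = parse_salt(setting)
    salt, plen = salt_str.encode(), len(password)
    b = hashlib.sha512(password + salt + password).digest()      # digest B
    a = hashlib.sha512(password + salt)                           # digest A
    a.update(b * (plen // 64) + b[:plen % 64])
    i = plen
    while i > 0:                                                  # bits of len(password)
        a.update(b if i & 1 else password)
        i >>= 1
    da = a.digest()
    dp = hashlib.sha512(password * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]                            # byte sequence P
    ds = hashlib.sha512(salt * (16 + da[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]                  # byte sequence S
    c = da
    for r in range(rounds):                                       # the expensive loop
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    prefix = f"$6$rounds={rounds}$" if explicit else "$6$"
    return prefix + salt_str + "$" + _encode(c)


def crack_shadow_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the word whose sha512crypt equals the hash in a shadow line, else None."""
    user, hashed = line.split(":")[:2]
    if hash_type(hashed) != "sha512crypt":
        raise ValueError(f"{user}: {hash_type(hashed)} hash, not sha512crypt")
    setting = hashed.rsplit("$", 1)[0]   # '$6$[rounds=N$]salt' reused for every guess
    for word in wordlist:
        if sha512crypt(word.encode(), setting) == hashed:
            return word
    return None


# Constructed shadow line built on the SHA-crypt spec's test vector (password "Hello world!").
SAMPLE_SHADOW = ("root:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4O"
                 "TLiBFdcbYEdFCoEOfaS35inz1:18121:0:99999:7:::")
SAMPLE_WORDLIST = ["password", "root", "toor", "Hello world!", "letmein"]

if __name__ == "__main__":
    print("root password:", crack_shadow_line(SAMPLE_SHADOW, SAMPLE_WORDLIST))
```

With the default 5000 rounds each guess costs a few thousand SHA-512 calls, which is the whole reason the format exists; john does the same work, just with optimised code and a real wordlist such as rockyou.txt.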
So, here we get the password for the root account. Now, all that we need to do is log on to the machine as root via SSH and read the flag.
And there we go. So, we have got the root flag marking the completion of this challenge.
Links Referred
TryHackMe-Anonforce: https://tryhackme.com/room/bsidesgtanonforce
Recover Your GPG Passphrase: https://www.ubuntuvibes.com/2012/10/recover-your-gpg-passphrase-using-john.html
John Tools: https://github.com/openwall/john