Anonforce
https://tryhackme.com/room/bsidesgtanonforce
Nmap
Looks like we have ports 21 and 22 open on the server. Port 21 looks to be misconfigured, so let's have a closer look.
We can log in to FTP with the username anonymous and any value for the password.
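The anonymous login above is a configuration problem rather than a software bug. As an added example (not from the room or the original writeup), here is a small audit of a vsftpd configuration that flags the anonymous-access directives a defender would want turned off; the two sample configs are constructed, and the "directive absent" case matters because upstream vsftpd defaults anonymous_enable to YES even though most distro packages ship a config that sets it to NO.

```python
"""Audit a vsftpd.conf for anonymous-access directives (added example)."""
from __future__ import annotations

# Directives that open the door the walkthrough walks through (anonymous
# login, browsing and downloading), with upstream vsftpd defaults.
RISKY_WHEN_YES = {
    "anonymous_enable": "anonymous login is allowed",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "anon_other_write_enable": "anonymous users may delete or rename files",
}
UPSTREAM_DEFAULTS = {
    "anonymous_enable": "YES",  # upstream default; distros usually override
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

# Constructed sample configs, not taken from the target machine.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd(text: str) -> dict[str, str]:
    """Return directive -> value. vsftpd uses key=value lines and # comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd(text: str) -> list[str]:
    """List findings for every risky directive that is YES, explicitly or by default."""
    settings = parse_vsftpd(text)
    findings: list[str] = []
    for key, why in RISKY_WHEN_YES.items():
        value = settings.get(key, UPSTREAM_DEFAULTS[key]).upper()
        if value != "YES":
            continue
        shown = "YES" if key in settings else "YES (upstream default, directive absent)"
        findings.append(f"{key}={shown}: {why}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_vsftpd(conf) or ["no findings"])
```

Run it against /etc/vsftpd.conf (or wherever your package puts it) and treat any finding as something to fix before the box is reachable from a network you do not control; the hardened sample also adds chroot_local_user so authenticated users cannot browse outside their home directory.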
Straight away we can cd into home, identify a likely SSH user, and grab the user.txt flag.
Looking through the directories we can see one called "notread", which lists the following contents:
We can download both of these files with the mget * command.
After downloading the files we need to decrypt them, so we start by using the gpg command to import the private key file private.asc. Unfortunately a passphrase is needed to complete this process.
We can extract a hash from the key file and run it through John the Ripper. This needs the gpg2john utility, which usually ships with John the Ripper. As you can see below, we locate gpg2john, run it against the private key file, and write the resulting hash to an output file:
After extracting the hash we can run John. I have removed the password from the following image as per THM guidelines.
We can now try importing the private.asc key again; when prompted for a passphrase I entered the one cracked by John.
We have now imported the key. Next we need to see if this key will decrypt the backup.pgp file we downloaded earlier.
After running the command below and entering the passphrase we retrieved earlier, we can see that backup.pgp appears to be a backup of /etc/shadow.
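Two things make a leaked shadow backup like this one dangerous: the file was readable over anonymous FTP at all, and the hashes inside it may use an algorithm cheap enough to crack offline. As an added example (not part of the room or the writeup), here is an audit that classifies each shadow entry by its crypt(3) prefix and flags weak algorithms, empty password fields, and a root account that still has an interactive password. The shadow lines are constructed with fake hash values; the real file from the box is not reproduced.

```python
"""Classify /etc/shadow entries by hash algorithm and flag risky ones (added example)."""
from __future__ import annotations

# crypt(3) prefixes and a rough rating of their resistance to offline cracking.
HASH_METHODS = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "acceptable"),
    "$6$": ("sha512crypt", "acceptable"),
    "$7$": ("scrypt", "strong"),
    "$2b$": ("bcrypt", "strong"),
    "$y$": ("yescrypt", "strong"),
}

# Constructed sample; the hash values are made up and not valid hashes.
SAMPLE_SHADOW = """\
root:$1$Xs9Lz1aQ$0HdUq2yT7zVw4mC8nB3eR1:19000:0:99999:7:::
ctfuser:$6$Zq1yT7aB$c0nStRuCtEdSaMpLeNoTaReAlHaSh0123456789abcdefghijklmnopqrstuvwxyz:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
oldsvc::19000:0:99999:7:::
"""


def classify_hash(field: str) -> tuple[str, str]:
    """Return (algorithm name, rating) for the second field of a shadow line."""
    if field == "":
        return ("none", "critical")          # empty field: login with no password
    if field.startswith(("*", "!")):
        return ("locked", "ok")              # no usable password hash
    for prefix, (name, rating) in HASH_METHODS.items():
        if field.startswith(prefix):
            return (name, rating)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "weak")          # legacy DES crypt, 8-char limit
    return ("unknown", "review")


def audit_shadow(text: str) -> list[str]:
    """Findings for weak/absent hashes and for a root account with a password set."""
    findings: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        name, rating = classify_hash(field)
        if rating in ("weak", "critical", "review"):
            findings.append(f"{user}: {name} ({rating})")
        if user == "root" and name != "locked":
            findings.append("root: password hash present; lock the root account and use sudo")
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

On a live host this needs root to read /etc/shadow; the point of running it is that whatever John can crack from a stolen copy, you can spot in advance by algorithm and by which accounts have passwords at all. The fix for the md5crypt case is to re-hash on next login (set ENCRYPT_METHOD in /etc/login.defs and expire the password), and the fix for an exposed backup is file permissions, not a better hash.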
We can run this file against John to see if we can crack the account hashes.
In this instance I was only able to crack the hash for the root account. I tried a few more passwords and was unable to hit the user account. Let's see if we can SSH in as root, seeing as port 22 is open.
As you can see above, I was able to log in with the password cracked by John and read the root flag.
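Every step of this chain leaves a line in a log file: the anonymous FTP downloads of private.asc and backup.pgp in vsftpd's log, and the password-based root login in auth.log. As an added example (not part of the room or the writeup), here is detection logic run over constructed log lines in the shape of vsftpd's default log format and an Ubuntu-style auth.log; the hostname, client addresses, pids and byte counts are made up, and the regular expressions are assumptions you should adjust to your own log format.

```python
"""Detect anonymous FTP exfiltration and root SSH logins in logs (added example)."""
from __future__ import annotations

import re

# vsftpd (xferlog_std_format=NO) lines look like:
#   Tue Jan  2 10:00:05 2024 [pid 3] [anonymous] OK DOWNLOAD: Client "::ffff:10.0.0.5", "/notread/backup.pgp", 3254 bytes, 101.51Kbyte/sec
FTP_EVENT = re.compile(
    r'\[(?P<user>[^\]]+)\] OK (?P<op>LOGIN|DOWNLOAD|UPLOAD): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
# sshd success lines for root specifically (password or publickey).
ROOT_SSH = re.compile(
    r'sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+) port (?P<port>\d+)'
)
# Filename fragments that should never leave the box over anonymous FTP.
SENSITIVE = ("shadow", "passwd", ".asc", ".pgp", ".gpg", ".key", "id_rsa")

# Constructed sample logs (addresses, pids and sizes are made up).
VSFTPD_LOG = """\
Tue Jan  2 10:00:00 2024 [pid 2] [anonymous] OK LOGIN: Client "::ffff:10.0.0.5", anon password "x"
Tue Jan  2 10:00:03 2024 [pid 3] [anonymous] OK DOWNLOAD: Client "::ffff:10.0.0.5", "/home/ctfuser/user.txt", 33 bytes, 1.20Kbyte/sec
Tue Jan  2 10:00:05 2024 [pid 3] [anonymous] OK DOWNLOAD: Client "::ffff:10.0.0.5", "/notread/private.asc", 3680 bytes, 120.01Kbyte/sec
Tue Jan  2 10:00:06 2024 [pid 3] [anonymous] OK DOWNLOAD: Client "::ffff:10.0.0.5", "/notread/backup.pgp", 3254 bytes, 101.51Kbyte/sec
Tue Jan  2 10:01:00 2024 [pid 4] [alice] OK DOWNLOAD: Client "::ffff:10.0.0.9", "/home/alice/notes.txt", 120 bytes, 4.00Kbyte/sec
"""

AUTH_LOG = """\
Jan  2 10:04:58 anonforce sshd[1500]: Failed password for root from 10.0.0.5 port 51233 ssh2
Jan  2 10:05:00 anonforce sshd[1500]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Jan  2 10:06:00 anonforce sshd[1600]: Accepted publickey for alice from 10.0.0.9 port 40000 ssh2
"""


def norm_addr(addr: str) -> str:
    """vsftpd logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def ftp_alerts(log: str) -> list[tuple[str, str, str]]:
    """(client, operation, path) for every anonymous transfer of a sensitive-looking file."""
    alerts: list[tuple[str, str, str]] = []
    for line in log.splitlines():
        m = FTP_EVENT.search(line)
        if not m or m["user"] != "anonymous" or m["op"] == "LOGIN":
            continue
        path = m["path"] or ""
        if any(token in path.lower() for token in SENSITIVE):
            alerts.append((norm_addr(m["client"]), m["op"], path))
    return alerts


def ssh_root_logins(log: str) -> list[tuple[str, str]]:
    """(source address, auth method) for every successful root SSH login."""
    hits: list[tuple[str, str]] = []
    for line in log.splitlines():
        m = ROOT_SSH.search(line)
        if m:
            hits.append((m["src"], m["method"]))
    return hits


def correlate(ftp_log: str, auth_log: str) -> list[str]:
    """Sources that pulled sensitive files over anonymous FTP and later logged in as root."""
    ftp_sources = {client for client, _, _ in ftp_alerts(ftp_log)}
    return sorted({src for src, _ in ssh_root_logins(auth_log) if src in ftp_sources})


if __name__ == "__main__":
    print("anonymous transfers of sensitive files:", ftp_alerts(VSFTPD_LOG))
    print("root SSH logins:", ssh_root_logins(AUTH_LOG))
    print("correlated sources:", correlate(VSFTPD_LOG, AUTH_LOG))
```

Either alert on its own is worth a look; the same source address appearing in both within minutes is the whole room in one line of output. The corresponding hardening is the usual pair of sshd_config settings, PermitRootLogin no and PasswordAuthentication no, which would have stopped the final step even with the root hash cracked.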