TryHackMe - Anonforce
Another challenge from the TryHackMe team, this one with only 2 tasks: find the user flag and the root flag. Let's solve it!
Since there was no information apart from an IP address, I started with a scan to find out more. Using nmap, I scanned the server and found 2 open ports, 21 and 22, so FTP and SSH services were running.
Not too much to work with, though. My first move was to test whether the FTP server allowed anonymous login. I tried to connect and it worked.
Now, let's see what we have available. It looked like we were in the root directory. I didn't know what users existed, so I went to the /home directory and listed the existing folders to see which users were there. I got lucky and found only one. I moved inside its home directory and checked whether the flag was there. It was: I downloaded the user.txt file locally, read it and got the user flag.
Well, I found the user flag but, to be honest, I didn't have many hints on how to proceed for the root one. I had access to FTP, but I couldn't run commands as I would have if I were connected via SSH. The first thing I did was a brute-force attempt: I had obtained a username when I found the user flag, so I used hydra to try SSH logins with rockyou.txt as the password list. I didn't have much hope of finding anything, but at least I could look for other things while that was running.
I connected to the FTP server again, in case I had missed something. The default location after connecting was /, so I listed it to see what I could find. Initially I thought there wouldn't be much, but I noticed something: among the standard directories there was one called notread. I also noted that the owner and group id were not 0 but 1000, so it wasn't owned by root but by the user found earlier (the permissions on it were 777 anyway). I checked what was inside and found 2 files: backup.pgp and private.asc. It looked like an encrypted message and a private key.
I read up a bit on these kinds of files and saw that I had to import the private key and then decrypt the message. When I tried to import the private key, it asked for a passphrase, which wasn't great for me since I had nothing related to that. I tried the username I had found, but it didn't work. I googled a bit more and saw that there is a tool named gpg2john that converts the private key file into a format that John The Ripper can crack. I used the classic rockyou.txt wordlist and cracked the passphrase.
After getting the passphrase, I imported the private key again and decrypted the message I had initially downloaded from the FTP server.
Now I checked what the decrypted message contained. It was the content of an /etc/passwd file, with the hashed passwords for root and for the user found in the first part.
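The defensive takeaway from this finding, as an added example that is not part of the original walkthrough: password hashes belong in /etc/shadow, and a world-readable passwd file carrying them is an offline-cracking exposure. The audit below parses passwd content and flags entries whose password field holds a hash (or is empty) instead of the shadowed "x". The usernames and hash strings in the sample are constructed placeholders, not values from the machine.

```python
"""Audit /etc/passwd entries for hashes stored directly in the password field."""
import re

# Standard crypt(3) hash prefixes, mapped to the algorithm they denote.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def classify_password_field(field: str) -> str:
    """Return what a passwd password field indicates about the account."""
    if field == "x":
        return "shadowed"            # hash lives in /etc/shadow (expected)
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith("*") or field.startswith("!"):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return f"HASH:{name}"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "HASH:descrypt (legacy DES)"
    return "HASH:unknown"


def audit_passwd(text: str) -> list:
    """Parse passwd-format text and return findings for risky entries only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append({"line": lineno, "user": None, "issue": "malformed entry"})
            continue
        user, pw, uid = parts[0], parts[1], parts[2]
        kind = classify_password_field(pw)
        if kind.startswith(("HASH", "EMPTY")):
            findings.append({"line": lineno, "user": user, "uid": uid, "issue": kind})
    return findings


# Constructed sample: root and a user with hashes in passwd, one passwordless guest.
SAMPLE_PASSWD = """root:$6$saltsalt$FAKEHASHPLACEHOLDER:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ctfuser:$1$saltsalt$FAKEHASHPLACEHOLDER:1000:1000::/home/ctfuser:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f['line']}: {f['user']} -> {f['issue']}")
```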
With 2 hashed passwords in hand, the next step was to try to crack them with John The Ripper. Even though I already had the user flag, I added that user's hash too, because I didn't know whether I could crack the root password directly. That way, if I had obtained the standard user's password, I could at least have tried to find a method to escalate privileges to root. Fortunately, I was able to get the root password directly!
Since I had the root password, the only thing left to do was connect to the server as that user and read the root flag (ignore the fact that the IP differs from the previous screenshots; I had to restart the machine because at some point it stopped responding, not even to ping).
That’s it, I hope this walkthrough was useful for you!