Anonforce — TryHackMe — WriteUp

TonyRahmos
Nov 17, 2020


Hello. I’m Rahmos. Here is my Anonforce — TryHackMe — WriteUp. Check it out!

First, deploy the machine and scan for open ports with nmap.

nmap -A -T4 -p- -v <ip>

nmap

There are 2 services running: FTP and SSH.

Let’s first log in to FTP as anonymous:

ftp

Move around to find valuable files. After a while I found the first flag: user.txt

Note: specify the “-” symbol at the end, so you can read the file directly without transferring it to your machine.

user.txt

Next, find a way to own root.

There’s a suspicious folder: notread. Let’s see what’s inside:

notread

There’s a .pgp file and a private key. Get both of the files to our machine using mget * and then use john to crack the private key. After that, use the key to decrypt the backup file.

First, use gpg2john to convert the private key to a format john can read.

gpg2john private.asc > privatejohn

Then, use john to crack the password:

john privatejohn

private key

Now I’ve got the password. Let’s import the private key and use the passphrase to decrypt.

Enter the password above

import key

Now the key has been imported. Decrypt the backup file:

decrypt

It’s the shadow file! Let’s crack this shadow file with john to find root’s password.

First, get the /etc/passwd from FTP:

Use unshadow to combine the passwd and shadow files into a format john can crack:

unshadow passwd shadow.txt > unshadowed.txt
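
What the unshadow step produces, and what a defender can read from such a file without cracking anything, as an added example that is not part of the original write-up. It is a simplified re-implementation of the merge; the sample entries are constructed and the function names are this example's own.

```python
# Added example: simplified unshadow-style merge plus a hash-scheme audit.
# Sample passwd/shadow entries below are constructed, not taken from the room.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""
SHADOW = """root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$1$CONSTRUCTED$CONSTRUCTEDHASH:18000:0:99999:7:::
"""
# crypt(3) "$id$" prefixes; md5crypt and legacy DES are flagged as weak.
SCHEMES = {"1": "md5crypt (weak)", "2a": "bcrypt", "2b": "bcrypt",
           "2y": "bcrypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt"}

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' in each passwd line with that user's shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def classify(pw_field):
    """Describe the password field of one merged line."""
    if pw_field == "":
        return "EMPTY PASSWORD"
    if pw_field == "x" or pw_field[0] in "!*":
        return "no usable hash"  # locked account or no shadow entry
    if pw_field.startswith("$"):
        return SCHEMES.get(pw_field.split("$")[1], "unknown scheme")
    return "descrypt (weak)"  # legacy format without a $id$ prefix

def audit(merged):
    """Map each user to the kind of hash an exposed file would reveal."""
    return {l.split(":")[0]: classify(l.split(":")[1]) for l in merged}

if __name__ == "__main__":
    for user, finding in audit(unshadow(PASSWD, SHADOW)).items():
        print(f"{user:8} {finding}")
```

Every account that reports a real hash here is open to offline guessing once a shadow backup leaks, so such backups should never sit where an anonymous FTP user can read them.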

Then use john to crack root hash:

john --wordlist=/path-to-wordlist unshadowed.txt

root’s password

Now I’ve got root’s password. Get the final flag:

root.txt

The end.

HAPPY HACKING
