Anonforce — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Anonforce — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports.

nmap -A -T4 -p- -v <ip>

There are 2 services running: FTP and SSH.

Let’s first login to FTP as anonymous:

Move around to find valuable files. After a while I’ve found the 1st flag: user.txt

**Note: specify the “-” symbol at the end, so you can read the file directly without transfer it to your machine.

Next, find a way to own root.

There’s a suspicious folder: notread. Let’s see what’s inside

There’s a .pgp file and a private key. Get both of the files to our machine using mget * and then use john to crack the private key. After that, use the key to decrypt the backup file.

First, use gpg2john to change the private key to the format john can read.

gpg2john private.asc > privatejohn

Then, use john to crack the password:

john privatejohn

Now I’ve got the password. Let’s import the private key and use the passphrase to decrypt.

Enter the password above

Now the key has been imported. Decrypt the backup file:

It’s the shadow file! Let’s crack this shadow file to find root password using john.

First, get the /etc/passwd from FTP:

Use unshadow to change the passwd and shadow file to the format john can crack

unshadow passwd shadow.txt > unshadowed.txt

Then use john to crack root hash:

john — wordlist=/path-to-wordlist unshadowed.txt

Now I’ve got the root’s password. Get the final flag:

The end.