Hello. I’m Rahmos. Here is my Anonforce — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan for open ports with nmap.
nmap -A -T4 -p- -v <ip>
There are 2 services running: FTP and SSH.
Let’s first log in to FTP as anonymous:
Move around to find valuable files. After a while I found the first flag: user.txt
**Note:** add the “-” symbol at the end so you can read the file directly without transferring it to your machine.
Next, find a way to own root.
There’s a suspicious folder: notread. Let’s see what’s inside.
There’s a .pgp file and a private key. Download both files to our machine using mget *, then use john to crack the private key’s passphrase. After that, use the key to decrypt the backup file.
First, use gpg2john to convert the private key to a format john can read.
gpg2john private.asc > privatejohn
Then, use john to crack the password:
Now I’ve got the password. Let’s import the private key and use the passphrase to decrypt.
Enter the password found above.
Now the key has been imported. Decrypt the backup file:
It’s the shadow file! Let’s crack this shadow file with john to find root’s password.
First, get the /etc/passwd from FTP:
Use unshadow to combine the passwd and shadow files into a format john can crack:
unshadow passwd shadow.txt > unshadowed.txt
Then use john to crack root hash:
john --wordlist=/path-to-wordlist unshadowed.txt
Now I’ve got root’s password. Get the final flag.
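Seen from the server side, this added example (not part of the original write-up) walks a directory served as an anonymous FTP root and flags the file types that made the chain above possible: a PGP private key, ciphertext stored beside it, and account files. The function names, the sample file names and the assumption that the anonymous account only gets the "other" permission bits are assumptions made for the example.

```python
import os
import stat

PRIVATE_KEY_MARKER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
ACCOUNT_FILES = {"passwd", "shadow"}
ENCRYPTED_SUFFIXES = (".pgp", ".gpg")


def audit_ftp_root(root):
    """Return sorted (relative_path, finding) pairs for risky world-readable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        keys, encrypted = [], []
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # Assumption: the anonymous account only gets the "other" permission bits.
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PRIVATE_KEY_MARKER in head:
                keys.append(rel)
                findings.append((rel, "pgp-private-key"))
            elif name.lower().endswith(ENCRYPTED_SUFFIXES):
                encrypted.append(rel)
            elif name in ACCOUNT_FILES:
                findings.append((rel, "account-database"))
        # A key stored beside ciphertext leaves only the passphrase protecting the data.
        if keys:
            findings.extend((rel, "ciphertext-next-to-key") for rel in encrypted)
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout for the demo: etc/passwd, etc/shadow and a notread folder."""
    samples = {
        "etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n", 0o644),
        "etc/shadow": (b"root:!:19000:0:99999:7:::\n", 0o640),
        "notread/private.asc": (PRIVATE_KEY_MARKER + b"\n(constructed)\n", 0o644),
        "notread/backup.pgp": (b"\x85\x01constructed ciphertext", 0o644),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
```

Point audit_ftp_root at the directory the FTP daemon actually exposes to anonymous users; an empty result means none of the three file types are readable there.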