Anonforce

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the scan does not stop if ping probes are blocked:

nmap -Pn 10.10.151.85

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Run the default nmap scripts

  • (-p): Scan only ports 21 and 22

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sV -sC -p 21,22 -oN nmap 10.10.151.85

Enumeration

Let's log in through FTP, as anonymous login is allowed.

Looking through the share, we can transfer the user.txt file to our machine; it is located in the home directory of the user melodias.

Exploitation

Looking through the directories, one directory is interesting, and there are two interesting files.

Now let's transfer these files to our machine.

We need to crack these files using John the Ripper to find a password that we can use to read the backup.pgp file, as we are not allowed to access it without a password. Let's do this.

Now let's crack it.

Now that we have the password, let's first import the private.asc file and then decrypt the backup file.

Let's enter the password we found.

We have the root user's hash; let's save it into a file called shadow.

Now we have to get the /etc/passwd file from the FTP server.

Now let's unshadow the two files and save the result into a file called output.

Now let's crack the password.

Now that we have the password, we can log in through SSH as root.

We can read the root flag.
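Both footholds in this walkthrough (an FTP server that accepts anonymous logins and an SSH daemon that lets root log in with a password) are configuration choices. As an added example that is not part of the original writeup, this Python check parses vsftpd.conf and sshd_config text and flags the settings that open those two paths; the sample configs are constructed, and the fallback defaults it assumes for missing keys are stated in the comments.

```python
import re

# Constructed sample configs (not taken from the room's machine) so the check runs offline.
VSFTPD_CONF = """\
# vsftpd.conf sample
anonymous_enable=YES
local_enable=YES
"""
SSHD_CONFIG = """\
# sshd_config sample
PermitRootLogin yes
PasswordAuthentication yes
"""

def parse_vsftpd(text):
    """vsftpd: one case-sensitive KEY=VALUE per line, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def parse_sshd(text):
    """sshd_config: 'Keyword value' or 'Keyword=value'; keywords are
    case-insensitive and the first occurrence wins (Match blocks not handled)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def audit(vsftpd_text, sshd_text):
    """Return the exposures found (empty list = both paths closed). Assumed defaults for
    absent keys: anonymous_enable=YES (upstream vsftpd), PermitRootLogin prohibit-password
    and PasswordAuthentication yes (OpenSSH)."""
    v, s = parse_vsftpd(vsftpd_text), parse_sshd(sshd_text)
    findings = []
    if v.get("anonymous_enable", "YES").upper() == "YES":
        findings.append("ftp-anonymous")        # anyone can read the exported tree
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("ssh-root-password")    # a cracked root hash gives a root shell
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("ssh-password-auth")    # recovered passwords work over SSH
    return findings
```

Running `audit(VSFTPD_CONF, SSHD_CONFIG)` on the samples returns all three findings; setting anonymous_enable=NO, PermitRootLogin prohibit-password and PasswordAuthentication no clears them.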
