Anonforce
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn), which skips host discovery.
Detailed Nmap scan:
Command breakdown:
(-sV): service version detection
(-sC): default nmap scripts
(-p): scan only ports 21 and 22
(-oN nmap): save the output to a file called nmap
Enumeration
Let's log in through FTP, as anonymous login is allowed.
Looking through the server, we can transfer the user.txt file to our machine; it is located in the home directory of the user melodias.
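The weakness this section leans on is an anonymous FTP account that can read user home directories. As an added example (not part of the original write-up), the following script shows how a defender would spot that from the FTP server's own logs: it parses vsftpd-style log lines, flags anonymous logins, and rates anonymous downloads by how sensitive the retrieved path looks. The log lines, IP addresses and paths are constructed for this example; the vsftpd line format is assumed from its standard log output.

```python
import re

# Constructed vsftpd-style log lines (made up for this example; the IPs,
# paths and users are illustrative, not taken from the original write-up).
SAMPLE_LOG = """\
Tue Mar  5 10:01:02 2024 [pid 1201] CONNECT: Client "10.10.14.7"
Tue Mar  5 10:01:03 2024 [pid 1200] [ftp] OK LOGIN: Client "10.10.14.7", anon password "?"
Tue Mar  5 10:01:10 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/home/melodias/user.txt", 33 bytes, 0.50Kbyte/sec
Tue Mar  5 10:01:15 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/pub/private.asc", 3762 bytes, 12.00Kbyte/sec
Tue Mar  5 10:01:20 2024 [pid 1202] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/etc/passwd", 1644 bytes, 8.00Kbyte/sec
Tue Mar  5 10:02:00 2024 [pid 1310] [alice] OK LOGIN: Client "192.168.1.20"
Tue Mar  5 10:02:05 2024 [pid 1311] [alice] OK DOWNLOAD: Client "192.168.1.20", "/home/alice/notes.txt", 120 bytes, 1.00Kbyte/sec
Tue Mar  5 10:03:00 2024 [pid 1320] [ftp] OK DOWNLOAD: Client "10.10.14.7", "/pub/README", 512 bytes, 4.00Kbyte/sec
"""

# Timestamp as vsftpd writes it, e.g. "Tue Mar  5 10:01:03 2024"
TS = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}"
LOGIN_RE = re.compile(
    rf'^(?P<ts>{TS}) \[pid \d+\] \[(?P<user>[^\]]+)\] OK LOGIN: '
    rf'Client "(?P<ip>[^"]+)"(?P<anon>, anon password)?'
)
DOWNLOAD_RE = re.compile(
    rf'^(?P<ts>{TS}) \[pid \d+\] \[(?P<user>[^\]]+)\] OK DOWNLOAD: '
    rf'Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)", (?P<size>\d+) bytes'
)

# vsftpd logs anonymous sessions under its ftp_username (default "ftp")
ANON_USERS = {"ftp", "anonymous"}
SENSITIVE_NAMES = {"user.txt", "root.txt", "passwd", "shadow", "id_rsa"}
SENSITIVE_EXTS = (".asc", ".pgp", ".gpg", ".key", ".pem")


def is_sensitive(path):
    """Heuristic: key material, credential files, flags, or anything under /home or /etc."""
    name = path.rsplit("/", 1)[-1]
    return (
        name in SENSITIVE_NAMES
        or name.lower().endswith(SENSITIVE_EXTS)
        or path.startswith("/home/")
        or path.startswith("/etc/")
    )


def analyse(log_text):
    """Return (severity, client_ip, detail) findings for anonymous FTP activity."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            if m["user"] in ANON_USERS or m["anon"]:
                findings.append(("medium", m["ip"], f"anonymous FTP login as '{m['user']}'"))
            continue
        m = DOWNLOAD_RE.match(line)
        if m and m["user"] in ANON_USERS:
            # Authenticated users are out of scope here; only anonymous retrievals are rated
            sev = "high" if is_sensitive(m["path"]) else "low"
            findings.append((sev, m["ip"], f"anonymous download of {m['path']} ({m['size']} bytes)"))
    return findings


def by_severity(findings):
    """Count findings per severity level."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, ip, detail in analyse(SAMPLE_LOG):
        print(f"[{sev:6}] {ip:15} {detail}")
    print(by_severity(analyse(SAMPLE_LOG)))
```

On the sample above the script reports one anonymous login, three high-severity anonymous downloads (a home-directory file, a PGP key, and /etc/passwd) and one low-severity download of a public README; the authenticated user's activity is not flagged. The fix on the server side is to disable anonymous access (anonymous_enable=NO in vsftpd.conf) or chroot the anonymous user to a directory that holds nothing but intentionally public files.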
Exploitation
Looking through the directories, one directory stands out, and there are two files of interest.
Now let's transfer these files to our machine.
We need to crack these files using John the Ripper to find a password we can use to read the backup.pgp file, since we cannot access it without one. Let's do this.
Now let's crack it.
Now that we have the password, let's first import the private.asc file and then decrypt the backup file.
Let's enter the password we found.
We have the root user's hash; let's save it into a file called shadow.
Now we have to get the /etc/passwd file from the FTP server.
Now let's unshadow the file and save the result into a file called output.
Now let's crack the password.
Now that we have the password, we can log in through SSH as root.
We can read the root flag.
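The chain above (root hash recovered from a backup, combined with /etc/passwd and cracked offline) only works when the hash itself is cheap to crack and the files that hold it are exposed. As an added example, not part of the original write-up, the following audit script reads passwd- and shadow-formatted data, classifies each password field by its crypt algorithm, and reports hashes that are stored in the world-readable passwd file, empty, or produced by a weak scheme such as md5crypt or DES crypt. The sample entries and hash strings are constructed placeholders; the algorithm prefixes ($1$, $5$, $6$, $y$, bcrypt's $2y$) are the standard crypt identifiers.

```python
import re

# Constructed sample entries (made up for this example; the hash strings are
# placeholders, not real hashes from the machine in the write-up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
melodias:x:1000:1000::/home/melodias:/bin/bash
ftp:x:110:118:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
legacy:$1$abc$hashexposedinpasswd:1001:1001::/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$placeholdermd5crypthash:18000:0:99999:7:::
melodias:$6$saltsalt$placeholdersha512crypthash:18000:0:99999:7:::
ftp:*:18000:0:99999:7:::
legacy:!:18000:0:99999:7:::
"""

# Standard crypt(3) identifiers: md5crypt is fast to brute-force and considered weak
WEAK_PREFIXES = {"1": "md5crypt"}
OK_PREFIXES = {
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
    "y": "yescrypt", "gy": "gost-yescrypt",
}


def classify_hash(field):
    """Return (algorithm, strength) for one password field; strength is ok, weak or critical."""
    if field == "":
        return ("empty", "critical")          # login with no password at all
    if field.startswith(("!", "*")):
        return ("locked", "ok")               # account cannot authenticate by password
    if field.startswith("$"):
        prefix = field.split("$")[1]
        if prefix in WEAK_PREFIXES:
            return (WEAK_PREFIXES[prefix], "weak")
        if prefix in OK_PREFIXES:
            return (OK_PREFIXES[prefix], "ok")
        return ("unknown", "weak")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", "weak")           # traditional 13-character DES crypt
    return ("unknown", "weak")


def parse_db(text):
    """Map user -> password field for passwd- or shadow-formatted text."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        db[fields[0]] = fields[1]
    return db


def audit(passwd_text, shadow_text):
    """Return (severity, user, detail) findings for exposed or weak password hashes."""
    findings = []
    for user, pw in parse_db(passwd_text).items():
        # 'x' means the hash lives in shadow; anything else is a hash in a world-readable file
        if pw not in ("x", "*", "!"):
            findings.append(("high", user, "password hash stored in world-readable passwd file"))
    for user, field in parse_db(shadow_text).items():
        algo, strength = classify_hash(field)
        if strength == "critical":
            findings.append(("critical", user, "empty password field"))
        elif strength == "weak":
            findings.append(("high", user, f"weak password hash ({algo}); rehash with a modern scheme"))
    return findings


if __name__ == "__main__":
    for sev, user, detail in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"[{sev}] {user}: {detail}")
```

On the sample data the audit flags the legacy account for carrying a hash in the passwd file and the root account for an md5crypt hash; melodias (sha512crypt) and the locked ftp account pass. In practice the script would be pointed at the real /etc/passwd and /etc/shadow, and the remediation for a weak root hash is simply to reset the password so the system rehashes it with its current default scheme.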