# Anonforce

![](/files/-McLBVxul_LUX1yyhDFI)

## Reconnaissance

Initial Nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.151.85
```

![](/files/-McLCUND6zLC2jnrjx6f)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default Nmap scripts
* (**-p**): Specifying ports 21,22
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 21,22 -oN nmap 10.10.151.85
```

![](/files/-McLCe5lVnNehRbUXv22)

## Enumeration

Let's log in through FTP, as anonymous login is allowed.

![](/files/-McLCwZB2NZQvHLCOEff)

Looking through, we can transfer the `user.txt` file to our machine; it is located in the home directory of user `melodias`.

![](/files/-McLDTeID3qDSPjZMqyr)

![](/files/-McLD_9wrvGUc2-yGGC_)

## Exploitation

Looking through the directories, one directory is interesting, and there are two files that are interesting.

![](/files/-McLE7Dq_QNctTykmYK7)

Now let's transfer these files to our machine.

![](/files/-McLE_yHd5IoDqycyfZG)

We need to crack these files using John the Ripper to find a password that we can use to read the `backup.pgp` file, as we are not allowed to access it without a password. Let's do this.

![](/files/-McLEwe-YeMQ9w-R_Tvy)

Now let's crack it.

![](/files/-McLF3bjrOjUbJJpZdK_)

Now we have the password. Let's first import the `private.asc` file and then decrypt the backup file.

![](/files/-McLFzaKNigDGD50UbBz)

![](/files/-McLFx8S4x4ME5tT_ioN)

Let's put in the password we found.

![](/files/-McLG5-VlPwWZR6RQ_HN)

We have the root user's hash. Let's save it into a file called `shadow`.

![](/files/-McLGLd97-ejtmFmtc0p)

Now we have to get the `/etc/passwd` file from the FTP server.

![](/files/-McLHJ52AAfqP5rNAwD2)

Now let's `unshadow` the file and save it into a file called `output`.

![](/files/-McLHZBfqtLe91h6hHl-)
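As an added illustration (not part of the original writeup), this is the merge that `unshadow` performs, followed by a report of which accounts end up carrying a real hash and under which crypt scheme. The account lines and hash strings are constructed placeholders, and `exposed_accounts` is a hypothetical helper name.

```python
# Added example: the passwd/shadow merge done by `unshadow`, plus a report of
# which accounts hold a hash. All data below is constructed, not from the room.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
melodias:x:1000:1000:,,,:/home/melodias:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
melodias:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18120:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' characters.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' placeholder in each passwd line with the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed passwd lines
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def exposed_accounts(merged_lines):
    """Return (user, scheme) for every account whose entry holds a real hash."""
    report = []
    for line in merged_lines:
        user, pw = line.split(":")[:2]
        if pw.startswith("$"):  # '*', '!' and 'x' mean no usable hash
            ident = pw.split("$")[1]
            report.append((user, SCHEMES.get(ident, "unknown")))
    return report

if __name__ == "__main__":
    for user, scheme in exposed_accounts(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(f"{user}: {scheme} hash present in merged file")
```

Running the same report against a system's own `/etc/passwd` and `/etc/shadow` shows which accounts would be exposed to offline guessing if a backup of those files leaked.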

Now let's crack the password.

![](/files/-McLHbNDx8BcYCXBtEB6)

Now that we have the password, we can log in through SSH as root.

![](/files/-McLHmrGOXaTCWCIW3bv)

We can read the root flag.

![](/files/-McLHu6GngMDdskvGW4w)


