This room is another simple boot2root-style challenge. The main focus is enumeration: we get direct access to the file system via anonymous FTP, and all we need to do is enumerate it carefully in order to gain root. We also need to crack a GPG private-key passphrase in order to read some encrypted data.

Initial Enumeration

The first thing that we need to do after starting the machine is to run an nmap scan against the machine’s IP address.

One thing is clear from the scan: we have access to the machine's file system via FTP. But we must keep in mind that FTP only lets us list directories and transfer files; it does not give us a shell, so we can't run OS commands like cat, whoami etc. on the target.

Moving on, we can log in to the FTP server as anonymous (no password needed) and search for interesting files that might turn out to be helpful.

As our immediate target is the user flag, we can head over to the /home directory and check the user directories.

We can see that there is a user named melodias on the machine and that a user.txt file is present in his home directory. Since this is an FTP session we can't cat the file in place, so we download it to our local machine with get (or mget, which accepts several files at once) and read it there.

Now, the next task is to escalate our privileges and obtain the root flag.

Privilege Escalation

We can try some of the basic privilege-escalation checks, such as looking for any odd cron job running on the machine. As before, we can't inspect anything on the target directly, so we download the system crontab over FTP.

Once the crontab is downloaded, we can read its content locally.

But we don't find anything odd there. Also, because we only have FTP access, we can't run find to look for files by name or by permission (SUID binaries, world-writable files and so on), which leaves us with no other option but to enumerate the file system manually.

We can start enumerating from the root directory (/) and look for anything that does not belong on a stock install.

Here we can see one odd directory named notread.

In that directory there are two files, backup.pgp and private.asc: an encrypted PGP message and an ASCII-armored private key stored right next to it. This is a direct hint towards cracking the key's passphrase. First, we download both files to our local system.

In order to access the encrypted data we need to proceed in a defined order: recover the passphrase, import the private key, then decrypt the message (reference 2 below walks through the same steps).

We can try to import private.asc straight away, but this won't get us anywhere: the secret key material is protected by a passphrase that we don't have, and gpg prompts for it when the key is imported.

So our first task is to recover the passphrase protecting private.asc. For that we use gpg2john, which ships with the jumbo build of John the Ripper (reference 3). It converts the armored key into a hash format that john understands.

Now we can pass the newly created hash file to john for cracking.

And here we get the passphrase for the key. Now we can import private.asc without trouble, entering the passphrase when prompted.

Once our key is imported, we can move ahead and decrypt the backup.pgp file with gpg; it asks for the same passphrase to unlock the private key.

From the content of the file it is pretty clear that it is the system's shadow file, which contains the password hashes for all the accounts on the machine, and the hash for the root account is present in it. The $6$ at the beginning of the hash indicates sha512crypt (the layout is $6$salt$hash, with an optional rounds=N field before the salt). We can copy the root line to a new file and pass it to john to crack the hash; john recognises the format on its own, but it can be forced with --format=sha512crypt if several formats match. Note that hashes are not "decrypted": john simply tries candidate passwords until one reproduces the stored hash.
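To make that last step concrete, here is an added example (my own code, not from the original write-up or the room) that does by hand what john does for a $6$ hash: it parses a shadow file, skips locked accounts, recognises the sha512crypt format including the optional rounds=N field, recomputes the hash of each candidate password with the stored salt and compares the result. The shadow lines and the wordlist are constructed; the root hash is the published sha512crypt test vector for the password "Hello world!" with salt "saltstring", so the script recovers that password. The pure-Python sha512crypt is included only so the example runs offline; in practice john or hashcat is orders of magnitude faster.

```python
"""sha512crypt ($6$) identification and dictionary check over a shadow file.
Added example, not code from the original write-up; sample data is constructed,
and the root hash is the published test vector for "Hello world!"/"saltstring"."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte-shuffle order sha512crypt uses when encoding the final 64-byte digest.
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]

def _b64(b2, b1, b0, n):
    """crypt(3)-style base64: n chars, 6 bits at a time, low bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(ITOA64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha512crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """Pure-Python sha512crypt (Drepper's algorithm, as in glibc/libxcrypt)."""
    salt, plen = salt[:16], len(password)
    b = hashlib.sha512(password + salt + password).digest()
    ctx = hashlib.sha512(password + salt)
    ctx.update(b * (plen // 64) + b[:plen % 64])
    i = plen
    while i:                      # walk the bits of the password length
        ctx.update(b if i & 1 else password)
        i >>= 1
    a = ctx.digest()
    dp = hashlib.sha512(password * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    c = a
    for r in range(rounds):       # the cost: 5000 chained SHA-512 by default
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64(c[i], c[j], c[k], 4) for i, j, k in _ORDER) + _b64(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return prefix + salt.decode() + "$" + enc

def parse_sha512crypt(stored: str):
    """Split '$6$[rounds=N$]salt$hash' into (rounds, salt, hash); None if not $6$."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[:2] != ["", "6"]:
        return None
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = max(1000, min(int(parts[2][7:]), 999_999_999))   # glibc clamps
        parts = parts[:2] + parts[3:]
    return (rounds, parts[2], parts[3]) if len(parts) == 4 else None

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare only the digest part."""
    parsed = parse_sha512crypt(stored)
    if parsed is None:
        return False
    rounds, salt, digest = parsed
    got = sha512crypt(password.encode(), salt.encode(), rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(got.encode(), digest.encode())

def parse_shadow(text: str) -> dict:
    """user -> hash for attackable entries; '!', '*' and empty fields are locked."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] and fields[1][0] not in "!*":
            users[fields[0]] = fields[1]
    return users

def crack(shadow_text: str, wordlist) -> dict:
    """Dictionary attack over a shadow file; returns {user: password} for hits."""
    found = {}
    for user, h in parse_shadow(shadow_text).items():
        if parse_sha512crypt(h) is None:
            continue              # other crypt formats: leave them to john
        for word in wordlist:
            if verify(word, h):
                found[user] = word
                break
    return found

# Constructed sample shadow file (not the target's); root uses the test vector.
SAMPLE_SHADOW = """\
root:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:18000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:!$6$lockedsalt$notarealhash:18000:0:99999:7:::
"""
SAMPLE_WORDLIST = ["123456", "password", "Hello world!", "letmein"]

if __name__ == "__main__":
    print(crack(SAMPLE_SHADOW, SAMPLE_WORDLIST))   # {'root': 'Hello world!'}
```

Two details worth noticing: the comparison is done on the encoded digest only, because a hash written with an explicit rounds=5000 field is still valid even though a fresh computation would omit the prefix; and the salt is taken from the stored hash, never from the candidate, which is exactly why you cannot "decrypt" a shadow entry but must recompute it per guess.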

So here we get the password for the root account. All that's left is to log on to the machine as root via SSH and read the flag.

And there we go: we have the root flag, which completes this challenge.

Reference Links

  1. TryHackMe-Anonforce: https://tryhackme.com/room/bsidesgtanonforce
  2. Recover Your GPG Passphrase: https://www.ubuntuvibes.com/2012/10/recover-your-gpg-passphrase-using-john.html
  3. John Tools: https://github.com/openwall/john

Do check out my other work and write-ups at https://github.com/0xNirvana
