Anonforce

This engagement involved assessing a Linux-based target exposed on a private network. Initial reconnaissance revealed limited surface area, with FTP and SSH services available. The primary focus of the assessment was to identify misconfigurations and leverage them to gain initial access and escalate privileges.

Reconnaissance

Port scanning revealed only two exposed services, FTP and SSH.

No web server was exposed, reducing the initial attack surface. However, FTP access allowed unauthenticated users to browse and interact with the filesystem.

Initial Access

Anonymous FTP access provided visibility into the underlying filesystem. This misconfiguration exposed sensitive directories, including a user home directory and a world-writable folder. Within the user directory, the user flag was immediately readable, indicating overly permissive file permissions.

Key Finding: Exposed Private Key Material via FTP

A directory containing sensitive files was discovered, including a passphrase-protected private GPG key and an encrypted backup file.

A private key readable over anonymous FTP is a critical misconfiguration: anyone who retrieves it (and recovers its passphrase, if one is set) can decrypt any data protected with the corresponding public key.
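The following audit checks for the two conditions behind this finding: anonymous access (and anonymous write) enabled in a vsftpd-style configuration, and private key material or world-writable directories sitting inside the exported tree. It is an added example written for this page, not code from the original writeup; the vsftpd directive names are real, but the FTP root built in `demo()` is constructed.

```python
"""Audit an anonymous-FTP export for this writeup's misconfigurations.
Constructed example, not from the original writeup; paths are made up."""
import os
import stat
import tempfile

# Headers that mark private key material (PGP block and common PEM forms).
KEY_MARKERS = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
               b"-----BEGIN OPENSSH PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----")
# vsftpd directives that, when YES, let anonymous clients browse or write.
RISKY_FTP_OPTIONS = {"anonymous_enable": "anonymous FTP enabled",
                     "anon_upload_enable": "anonymous upload enabled",
                     "anon_mkdir_write_enable": "anonymous mkdir enabled"}

def audit_ftp_config(text):
    """Return risk strings for a key=value config (comments stripped)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in RISKY_FTP_OPTIONS and value.upper() == "YES":
                findings.append(RISKY_FTP_OPTIONS[key])
    return findings

def audit_ftp_tree(root):
    """Return (kind, path) findings for key files and world-writable dirs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable dir", dirpath))
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # key headers sit at the top of a file
            if any(marker in head for marker in KEY_MARKERS):
                findings.append(("private key material", path))
    return findings

def demo():
    """Build a constructed FTP root resembling the finding and audit it."""
    root = tempfile.mkdtemp()
    user_dir = os.path.join(root, "home", "user")
    os.makedirs(user_dir)
    os.chmod(user_dir, 0o777)  # the writable folder the writeup mentions
    with open(os.path.join(user_dir, "private.asc"), "wb") as fh:
        fh.write(b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed)\n")
    return sorted(kind for kind, _path in audit_ftp_tree(root))
```

Run `audit_ftp_config()` against the live FTP daemon configuration and `audit_ftp_tree()` against the directory the daemon serves; either returning a non-empty list reproduces the exposure described in this section.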

Exploitation

The private key was extracted and imported into a local GPG keyring. Since the key was passphrase-protected, it was converted into a crackable hash format using `gpg2john`. The passphrase was successfully recovered using a wordlist-based attack with John the Ripper. With the decrypted private key available, the encrypted backup file was decrypted using GPG, revealing sensitive system data including credential hashes from `/etc/shadow`. These hashes were subsequently cracked, allowing full system compromise via SSH as the root user.