Sunset: Nightfall Walkthrough – Vulnhub
I thought it was about a time to start a blog after around 3 months as a keen ethical hacker, rooting on vulnhub and htb boxes. So, welcome to my first blog!
Before we get into this box, I wanted to say thank you to whitecr0wz for creating such a fun box. I really did enjoy it and I would highly recommend it for those who are starting to get into ethical hacking.
Without further ado, let’s jump in.
We start with using nmap automator tool
~/Desktop/Resources/nmapAutomator/nmapAutomator.sh 192.168.56.114 All
Initially, there’s 6 open ports:
With an open ftp port, it is common that there’s an anonymous access enabled. Let’s try attempt to login into ftp as anonymous.
Unfortunately, we can see the anonymous access is not allowed. So, let’s come back to the nmap automator to see if it has produced any interesting findings.
Since there are two open smb service ports, the nmap automator has ran an enum4linux scan automatically.
As we wait until the enum4linux scan is completed, let’s check on port 80 web-server to see if we find anything interesting or valuable. We were introduced with Apache2 Debian default page.
Dammit, a dead end. Let’s try and run a gobuster scan to double-check if there’s any hidden directories:
gobuster dir -w /usr/share/wordlists/dirb/common.txt -x html,php -u 192.168.56.114
Since all discovered directories are forbidden, there’s not much we can do about it. Let’s return to enum4linux to see if it has finished the scan.
And it did! It has indicated two users associated with the host machine.
Since, there’s an open FTP and SSH port, I’ve decided to brute force FTP as it’s a lot quicker than SSH. I created a user.txt file which contains two users: Matt and Nighthawk.
Now, let’s brute force on open ftp service port with hydra, using user.txt and darkweb2017-top10000.txt for user and password wordlist, respectively:
hydra -L user.txt -P ~/Desktop/Resources/SecLists/Passwords/darkweb2017-top10000.txt -V -f ftp://192.168.56.114
As we let the hydra scan to run on its own, I had an another read through on results of nmap automator to ensure we have not missed anything. Before I could finish reading it, hydra has found a matched password for user matt!
The password for user matt was “cheese”. I attempted to login on ftp service to see if it works and it did :D
Clearly, we’re in the home directory (assuming it is matt’s). As we know there’s an open ssh port, we can try and create an .ssh/ directory with an authorized_keys file which contains my machine’s public key. In that way, we can login into the host machine as matt without entering any password.
I exited the ftp and generated a new private and public key on my machine with no passphrase:
Then, we cat ~/.ssh/id_rsa.pub > authorized_keys onto the current directory. We checked the id_rsa.pub and authorized keys are identical too.
Brilliant! Looks like everything’s prepared. Let’s login back to ftp service and create a new .ssh/ directory.
ftp> mkdir .ssh
257 “/.ssh” directory created.
ftp> cd .ssh
250 “/.ssh” is the current directory.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
391 bytes sent in 0.00 secs (1.3760 MB/s)
Now, we should have an access to the host machine via ssh as matt. Let’s try this:
Now, let’s check if the host machine has wget installed by entering wget so we could download the linux smart enumeration to automatically check any potential privilege escalation. It did, let’s run python -m SimpleHTTPServer 1234 on my machine, in the same directory as where lse.sh is located. The server is now listening, so let’s run wget on host machine to download lse.sh:
To run the lse.sh:
Chmod +x lse.sh
Linux Smart Enumeration has spotted a script that has suid permission which means matt can run the script as the owner of the file.
It turns out the file is owned by nightfall. Since Linux Smart Enumeration has not spotted anything else, we can try do horizontal privilege escalation instead of vertical and try our luck as nightfall rather than as matt.
As we run the script (find) by:
It turns out it was exactly the same as find command in linux. Find command has a option where we could execute a command line which we can do by:
/scripts/find lse.sh -exec “whoami” \;
Looks like it is working! Let’s try and run a shell as nightfall:
/scripts/find lse.sh -exec sh -p \:
Boom! It’s working :p
Let’s repeat the ssh key steps so we can login into ssh as nightfall. In that way, we’ll get an interactive shell.
Let’s run lse.sh again as nightfall. Looks like nightfall has sudo permissions on cat tool! I tried to cat the /etc/shadow where the root’s hashed password is stored and it works!
Now, let’s copy a line containing root’s information and paste it into a new text file in my machine.
Let’s try and use the John The Ripper machine to crack the hash:
Whooop! The password has been cracked!!
Let’s return to the ssh shell and switch the user to root to see if it works!
And it did!
There’s a flag in root’s home directory:
Completed it! This box has been a good fun, loved the fact that it relies your understanding on linux command lines and understanding how privilege escalation works in different ways.
Once again, thank you so much whitecr0wz for creating a fun box.