Vulnhub - Nightfall writeup

Sunset: Nightfall

Author: whitecr0w1


There are quite a few ports open. Let's start with SMB.


There are no shares to log in to. But I found some users.


At first we were not sure what to do; @theart42 even tried to brute-force the password for the nightfall user on FTP but found nothing.

Then I tried to brute-force the FTP password for matt and found it.


I logged in and found a directory which looked like a home directory.

I started to look around and thought that there was a share for user matt.

But this wasn't an SMB share. Then @theart42 said that he made a .ssh directory, placed my public key in a file called authorized_keys, and then used put to place it in that directory.

Now we can login as matt via SSH.

Horizontal Privilege escalation

I ran my enumeration script and found a SUID file,

but it had the permissions of the nightfall user, meaning that if we use find to escalate our privileges we'll become nightfall and not root.

I used GTFOBins/find to get a shell as the nightfall user.

And then I got the user.txt.

I decided to do the same thing as before: I made a .ssh directory in nightfall's home directory and placed my public key there to log in through SSH.

Vertical Privilege escalation

In the nightfall home directory we can see a file named .mysql_history. In the process list we can see that mysql is running as root.

And then @theart42 said that mysql is running as root, so maybe we can log in to mysql and then be able to escalate our privileges.

Then I found out that nightfall can run cat as root.

@theart42 used this to cat the .mysql_history of the root user,

and in that we found the password for root.


We used this to log in to mysql.

Since the .mysql_history in /home/nightfall was talking about raptor etc., we thought that we had to exploit mysql with MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2).

We tried to use that exploit but it didn't work.

Since we have permission to cat any file as root, I decided to get /etc/shadow and /etc/passwd.

$ sudo -u root cat /etc/shadow

$ sudo -u root cat /etc/passwd

Then I did

$ unshadow passwd shadow > hash.txt

and started john on hash.txt, and within a few minutes I got the password.

I used this password to su root.

and then got the root flag.
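As an added, defender-side example that is not part of the writeup: a small audit over the text of `find / -perm -4000 -type f -printf '%u %p\n'` and `sudo -l` that flags the two weaknesses chained above, the SUID find owned by a non-root user and the sudo rule letting nightfall run cat as root (which is what exposed /etc/shadow and root's .mysql_history). The sample output and the /scripts/find path are constructed.

```python
r"""Added audit example (not from the writeup): flags the misconfigurations this
box chains together, from the text of `find / -perm -4000 -type f -printf '%u %p\n'`
and `sudo -l`. The sample output below and the /scripts/find path are constructed."""
import re

# GTFOBins-style binaries that give a shell (SUID) or read any file (sudo).
SHELL_CAPABLE = {"find", "bash", "sh", "vim", "python", "perl"}
FILE_READ = {"cat", "less", "more", "head", "tail"}

SUID_SAMPLE = """root /usr/bin/passwd
root /usr/bin/sudo
nightfall /scripts/find
root /bin/su
"""

SUDO_L_SAMPLE = """User nightfall may run the following commands on nightfall:
    (root) NOPASSWD: /usr/bin/cat
"""

def audit_suid(find_output):
    """SUID files owned by a non-root user (horizontal move to that user)
    or that are known shell-capable binaries like find."""
    findings = []
    for line in find_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        owner, path = parts
        name = path.rsplit("/", 1)[-1]
        if owner != "root":
            findings.append(f"SUID {path} owned by {owner}: shell as {owner}")
        if name in SHELL_CAPABLE:
            findings.append(f"SUID {path} ({name}) can spawn a shell")
    return findings

def audit_sudo(sudo_l_output):
    """sudo rules that let the user run a file-read binary as root,
    which exposes /etc/shadow and root's .mysql_history."""
    rule = re.compile(r"\((?P<who>[^)]+)\)\s+(?:NOPASSWD:\s+)?(?P<cmds>.+)")
    findings = []
    for line in sudo_l_output.splitlines():
        m = rule.search(line)
        if not m:
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",") if c.strip()):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name in FILE_READ and "root" in m.group("who"):
                findings.append(f"sudo {cmd} as root reads any file")
    return findings
```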

This was a really awesome machine. At the start we had no idea, because for a second we ignored all the usernames. But things went so fast that we rooted it in an hour or so.

Thanks @whitecr0w1 for this awesome machine.

And thanks to @theart42 and @4ndr34z for this awesome machine.

Thanks for reading. Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.