Vulnhub - Nightfall writeup
There are quite a few ports open. Let's start with SMB.
There are no shares to log into, but I did find some usernames.
At first we weren't sure what to do; @theart42 even tried to brute-force the FTP password for the nightfall user but found nothing. Then I tried to brute-force the FTP password for matt and found it.
I logged in and found some directories that looked like a home directory. I started looking around and thought there was a share for the user, but this wasn't an SMB share. Then @theart42 said that he had made a .ssh directory, placed my public key in a file called authorized_keys, and used put to upload it into that directory. Now we could log in over SSH as that user.
Horizontal Privilege escalation
I ran my enumeration script and found a SUID file, but it ran with the permissions of the nightfall user, meaning that if we used find to escalate our privileges we would become nightfall (a horizontal move, not a vertical one). I used the GTFOBins entry for find to get a shell as nightfall, and then I got the flag.
I did the same thing as before: made a .ssh directory in nightfall's home directory and placed my public key there to log in through SSH.
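The horizontal step above worked because a copy of find carried the setuid bit and belonged to an ordinary user. The following audit script is an added example and not part of the writeup: it lists setuid files that are either not owned by root or whose basename is on a small watch list of shell-spawning and file-reading tools (the watch list, the sample directory tree and the function names are my own assumptions, not anything from the machine).

```shell
#!/bin/bash
# Added defender-side audit; not part of the original writeup.
# Reports setuid files that either are not owned by root or are tools that
# should never be setuid (find, shells, editors, interpreters).
set -u

# Setuid files under $1 whose owner is not root.
list_suid_not_root() {
    find "$1" -xdev -type f -perm -4000 ! -user root -print 2>/dev/null
}

# Setuid files under $1 whose basename is a known shell-spawning or
# file-reading tool (assumed watch list; extend it for your environment).
list_suid_watchlist() {
    find "$1" -xdev -type f -perm -4000 \( \
        -name find -o -name bash -o -name sh -o -name cat -o -name less \
        -o -name vim -o -name vi -o -name nano -o -name 'python*' -o -name 'perl*' \
        \) -print 2>/dev/null
}

# Print all findings under $1 (default: /). Returns 0 when nothing was
# found and 1 otherwise, so it can be used from cron or a CI job.
suid_audit() {
    local dir="${1:-/}" findings
    findings=$( { list_suid_not_root "$dir"; list_suid_watchlist "$dir"; } | sort -u )
    if [ -n "$findings" ]; then
        printf 'Unexpected setuid files under %s:\n%s\n' "$dir" "$findings"
        return 1
    fi
    printf 'No unexpected setuid files under %s\n' "$dir"
    return 0
}

# Build a constructed directory tree (not a real system) so the audit can be
# exercised offline: one setuid copy of find next to one ordinary binary.
make_sample_tree() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/scripts"
    : > "$tmp/scripts/find"
    chmod 4755 "$tmp/scripts/find"      # setuid bit set, as on the target
    : > "$tmp/scripts/ls"
    chmod 0755 "$tmp/scripts/ls"        # ordinary file, must not be reported
    printf '%s\n' "$tmp"
}

# Audit a real filesystem when a directory is given, e.g. ./suid_audit.sh /usr
if [ "$#" -gt 0 ]; then
    suid_audit "$1"
fi
```

Running it against / on the box would have listed the setuid find under nightfall's ownership long before anyone reached for GTFOBins; the non-zero exit status is what you alert on.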
Vertical Privilege escalation
In nightfall's home directory we could see a file, and in the process list we could see that mysql was running as root. @theart42 pointed this out, so maybe we could log into mysql and then escalate our privileges that way.
Then I found out that nightfall can run cat as root with sudo. @theart42 used this to cat that file, and in it we found a password, which we used to log in. Since the .mysql_history in /home/nightfall mentioned raptor and the like, we thought we had to exploit mysql with MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2). We tried that exploit, but it didn't work.
Since we could cat any file as root, I decided to grab the following files:
$ sudo -u root cat /etc/shadow
$ sudo -u root cat /etc/passwd
Then I ran
$ unshadow passwd shadow > hash.txt
and cracked hash.txt; within a few minutes I had the password. I used this password to log in and then get the root flag.
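The vertical step above needed nothing more than a sudo rule letting nightfall run cat as root: a file reader run as root is a root rule in disguise, since it hands over /etc/shadow, private keys and anything else. The script below is an added example, not the machine's configuration or the writeup's own code; it scans sudoers-style text for rules that grant a file-reading or file-writing binary (or ALL) with root as the run-as user. The FILE_TOOLS list and the sample sudoers lines are constructed by me for the demonstration, and aliases are assumed not to be used.

```shell
#!/bin/bash
# Added defender-side check; not part of the original writeup.
set -u

# Binaries that read or write arbitrary files (assumed list; extend to taste).
FILE_TOOLS='cat|less|more|head|tail|tee|cp|dd|find|vi|vim|nano'

# Read sudoers lines on stdin and print every rule that grants a FILE_TOOLS
# binary (or ALL) with root as the run-as user. Returns 1 if anything was
# printed, 0 if the input looks clean. Comments, Defaults and alias lines
# are skipped; aliases are not expanded (assumption: plain rules only).
audit_sudoers() {
    local hits
    hits=$(awk -v tools="$FILE_TOOLS" '
        {
            line = $0
            sub(/#.*/, "", line)                       # strip comments
            if (line ~ /^[ \t]*$/) next
            if (line ~ /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/) next
            eq = index(line, "=")
            if (eq == 0) next
            # Run-as spec is "(user[:group])"; when absent sudo defaults to root.
            runas = "root"
            cmds = substr(line, eq + 1)
            if (match(cmds, /\([^)]*\)/)) {
                runas = substr(cmds, RSTART + 1, RLENGTH - 2)
                cmds = substr(cmds, RSTART + RLENGTH)
            }
            if (runas !~ /(^|[ \t,])(root|ALL)([ \t,:]|$)/) next
            gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):/, "", cmds)   # drop tags
            n = split(cmds, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                split(parts[i], words, " ")
                m = split(words[1], segs, "/")         # basename of the command
                base = segs[m]
                if (base == "ALL" || base ~ ("^(" tools ")$")) {
                    print "ROOT-EQUIVALENT: " $0
                    break
                }
            }
        }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample (not the real sudoers from the machine): a rule like the
# nightfall/cat one above, a harmless non-root run-as, and narrow service rules.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
nightfall ALL=(root) NOPASSWD: /usr/bin/cat
matt ALL=(matt) NOPASSWD: /usr/bin/cat
backup ALL=(root) /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

# Usage: ./sudo_audit.sh --sample   (constructed input)
#        ./sudo_audit.sh FILE       (audit a copy of sudoers / sudoers.d)
if [ "${1:-}" = "--sample" ]; then
    sample_sudoers | audit_sudoers
elif [ -n "${1:-}" ]; then
    audit_sudoers < "$1"
fi
```

On the sample the only hits are the root ALL rule and the nightfall cat rule; the matt rule is not flagged because its run-as user is matt, and rsync and systemctl are left alone because they are not on the file-tool list. A rule with no run-as spec at all is treated as root, which is what sudo does.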
This was a really awesome machine. At the start we had no idea, because for a second we ignored all the usernames. But things went so fast that we rooted it in an hour or so.
Thanks @whitecr0w1 for this awesome machine.
Thanks for reading; feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.