We have another CTF challenge for CTF players, named “Sunset: Nightfall”, and it can be downloaded from VulnHub from here. Credit goes to “whitecr0wz” for designing this VM for beginners. This is a Linux-based CTF challenge where you can use your basic pentesting skills to compromise the VM and escalate to a root shell.
Level: Easy
Task: Boot to Root
Penetration Methodology
Network Scanning
· Netdiscover
· Nmap
Enumeration
· Enum4linux
Exploiting
· FTP brute force
· Injecting a blank-passphrase SSH key
· SSH login
Privilege Escalation
· SUID binaries
· Sudo rights
Walkthrough
Network Scanning
Let’s begin with a network scan using netdiscover to identify the host machine’s IP.
netdiscover
This gave 192.168.0.24 as the host IP; now we move on to a port and service scan.
For a deep network scan we always prefer nmap’s aggressive scan, and this time we take the same approach, running the command below to enumerate open ports and running services.
nmap -A 192.168.0.24
The scan result shows multiple open ports for various services, but port 21 looks interesting because the FTP service is running on pyftpdlib.
Enumeration
For more detail we need to enumerate the host machine, so we opened the HTTP service in a web browser, but found nothing there.
While enumerating the SMB service with enum4linux we found two usernames, “nightfall” and “matt”.
enum4linux 192.168.0.24
Exploiting
Since we have enumerated two usernames, let’s run a brute-force attack with hydra to find a password for logging in to FTP.
hydra -l matt -P /usr/share/wordlists/rockyou.txt 192.168.0.24 ftp -e nsr
Great! “Cheese” 😊 is the password of user “matt”; let’s use this credential for the FTP login.
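From the defender’s side, a password-guessing run like the one above is loud in the FTP server’s log. The following Python script is an added example (not part of the original walkthrough or of pyftpdlib) that flags source IPs producing a burst of failed logins in a pyftpdlib-style log. The log line format is an assumption modelled on pyftpdlib’s default logger, and the sample lines are constructed, not captured from the VM:

```python
"""Detect FTP password-guessing bursts in pyftpdlib-style logs.

Added example, not part of the original walkthrough or of pyftpdlib. The
line format is an assumption modelled on pyftpdlib's default logger; the
sample lines in SAMPLE_LOG are constructed, not captured from the VM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "[I 2019-08-20 10:22:13] 192.168.0.10:40000-[] USER 'matt' failed login."
LINE_RE = re.compile(
    r"^\[(?P<level>[IWE]) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+-\[[^\]]*\] "
    r"USER '(?P<user>[^']*)' (?P<result>failed login|logged in)\.$"
)

def parse_line(line):
    """Return (timestamp, source_ip, user, success) for a login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("user"), m.group("result") == "logged in"

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failed logins inside any `window`.

    Returns {ip: {"failures": total, "users": set, "success_after": bool}};
    success_after is True when the same IP later logged in (a guess succeeded).
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    failures = defaultdict(list)       # ip -> [(ts, user), ...] in time order
    success_after = defaultdict(bool)  # ip -> logged in after failing
    for ts, ip, user, ok in events:
        if ok:
            success_after[ip] = success_after[ip] or bool(failures[ip])
        else:
            failures[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0                      # sliding window over the sorted failure times
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {"failures": len(fails),
                              "users": {u for _, u in fails},
                              "success_after": success_after[ip]}
                break
    return alerts

# Constructed sample: 12 guesses in 12 seconds from one host, then a success;
# two isolated failures from another host that should not be flagged.
SAMPLE_LOG = [
    f"[I 2019-08-20 10:22:{10 + i:02d}] 192.168.0.10:{40000 + i}-[] USER 'matt' failed login."
    for i in range(12)
] + [
    "[I 2019-08-20 10:22:25] 192.168.0.10:40012-[matt] USER 'matt' logged in.",
    "[I 2019-08-20 09:00:00] 192.168.0.77:51000-[] USER 'nightfall' failed login.",
    "[I 2019-08-20 09:30:00] 192.168.0.77:51001-[] USER 'nightfall' failed login.",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, users={sorted(info['users'])}, "
              f"login succeeded afterwards={info['success_after']}")
```

A "success_after" hit is the interesting case: a burst of failures followed by a successful login from the same address is the signature of a guessed password, and it is exactly what happened to the account “matt” here.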
We logged in to FTP successfully. Although we now had a foothold on the host machine, to get a proper shell we need a TTY, so we decided to upload a malicious file into /var/www/html; unfortunately we were unable to access that directory.
This is because the FTP service runs on pyftpdlib, a Python FTP library, and file sharing is probably restricted to one particular directory, which is why /var/www/html is out of reach.
But we still have another approach: SSH key placement. We will try to inject an SSH key we created into the host machine and access a PTY shell via SSH; this can be achieved by creating a folder named .ssh and uploading our SSH public key into it.
So, on our local machine we created an SSH key with a blank passphrase using ssh-keygen, which produces two files. We then copied the id_rsa.pub file into another file named “authorized_keys”, which we need to transfer to the host machine.
As we already have FTP access to the host machine, it is easy for us to upload authorized_keys into the .ssh directory we created earlier.
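A dropped authorized_keys file is also what a defender should watch for: a key appearing in a user’s .ssh directory that nobody approved. The Python below is an added example, not from the walkthrough, that parses authorized_keys files in the standard OpenSSH format and reports keys absent from an approved baseline. The sample file contents and key blobs are constructed placeholders, and the identifier is a SHA-256 over the key type and blob rather than OpenSSH’s own fingerprint format:

```python
"""Report authorized_keys entries that are not on an approved baseline.

Added example, not part of the original walkthrough. Parses the standard
OpenSSH authorized_keys format ([options] type base64-blob [comment]).
Sample file contents and key blobs below are constructed placeholders.
"""
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

def parse_authorized_keys(text):
    """Yield (key_type, key_blob, comment) per key line; blank and # lines are skipped.

    A leading options field (e.g. from="10.0.0.1",command="...") is tolerated
    by locating the first token that is a known key type.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                yield tok, fields[i + 1], " ".join(fields[i + 2:])
                break

def key_id(key_type, key_blob):
    """Short stable identifier: SHA-256 of 'type blob' (not OpenSSH's fingerprint format)."""
    return hashlib.sha256(f"{key_type} {key_blob}".encode()).hexdigest()[:16]

def unexpected_keys(current_text, baseline_text):
    """Return [(key_id, key_type, comment)] for keys present now but absent from the baseline."""
    approved = {key_id(t, b) for t, b, _ in parse_authorized_keys(baseline_text)}
    return [(key_id(t, b), t, c)
            for t, b, c in parse_authorized_keys(current_text)
            if key_id(t, b) not in approved]

# Constructed sample: the approved baseline for user matt ...
BASELINE = """\
# approved keys for matt (constructed placeholder blobs)
ssh-ed25519 AAAAC3PLACEHOLDERBASELINEKEY admin@workstation
"""
# ... and the file found in /home/matt/.ssh after the FTP upload (constructed)
CURRENT = """\
ssh-ed25519 AAAAC3PLACEHOLDERBASELINEKEY admin@workstation
ssh-rsa AAAAB3PLACEHOLDERUPLOADEDKEY root@kali
"""

if __name__ == "__main__":
    for kid, ktype, comment in unexpected_keys(CURRENT, BASELINE):
        print(f"unexpected key {kid} ({ktype}) comment={comment!r}")
```

Run against the real files (for example by reading /home/<user>/.ssh/authorized_keys and a baseline kept outside the user’s control), this turns the key-placement trick into an alert; the underlying fix on a host like this one is to keep home directories out of the FTP share or to point sshd’s AuthorizedKeysFile at a root-owned location.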
So, when we connected with SSH as user matt, we logged in successfully, as shown in the image below. At this point we have compromised the host machine; to get a root shell we need to bypass the user’s privileges, so without wasting time we tried to identify SUID-enabled binaries with the help of the find command.
find / -perm -u=s -type f 2>/dev/null
We found that /script/find has the SUID bit set and works like the Linux find utility, so we used it to execute /bin/sh and obtain shell access as nightfall.
./find . -exec /bin/sh -p \; -quit
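The same search can be turned into an audit that an administrator runs before an attacker does. This Python script is an added example, not tooling from the walkthrough: it collects SUID regular files (the same set the find command above returns) and classifies each one by location and name. The expected directories, the allow-list of standard SUID helpers and the list of names that hand out file access or a shell are assumptions for a typical Debian host, and the sample entries are constructed:

```python
"""Audit SUID binaries and flag ones outside the usual package-managed paths.

Added example, not tooling from the original walkthrough. EXPECTED_DIRS,
KNOWN_SUID and DANGEROUS_NAMES are assumptions for a typical Debian host;
SAMPLE_ENTRIES are constructed, not taken from the VM.
"""
import os
import stat

# Directories where package-managed SUID binaries normally live (assumption)
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# SUID helpers that legitimately need the bit on a typical Debian system (assumed allow-list)
KNOWN_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
              "gpasswd", "newgrp", "ping", "fusermount"}
# Programs that, when SUID root, give the caller arbitrary file access or a shell
DANGEROUS_NAMES = {"find", "bash", "sh", "dash", "python", "python3", "perl",
                   "vim", "vi", "nano", "cp", "mv"}

def is_suid(mode):
    """True for a regular file with the set-user-ID bit, mirroring find -perm -u=s -type f."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def classify(path, mode):
    """Return 'danger', 'review' or 'ok' for a SUID file, or 'not-suid'."""
    if not is_suid(mode):
        return "not-suid"
    name = os.path.basename(path)
    if name in DANGEROUS_NAMES:
        return "danger"          # e.g. /script/find on this VM
    if path.startswith(EXPECTED_DIRS) and name in KNOWN_SUID:
        return "ok"
    return "review"              # unexpected location or unfamiliar helper

def audit(entries):
    """entries: iterable of (path, st_mode). Returns {path: classification} for SUID files only."""
    return {p: classify(p, m) for p, m in entries if is_suid(m)}

def scan_filesystem(root="/"):
    """Collect (path, st_mode) for every SUID regular file under root (symlinks not followed)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue         # permission denied, file vanished, etc.
            if is_suid(st.st_mode):
                found.append((p, st.st_mode))
    return found

# Constructed sample: st_mode values in octal (file-type bits | permission bits)
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),        # SUID, expected
    ("/usr/bin/sudo", 0o104755),          # SUID, expected
    ("/script/find", 0o104755),           # SUID find outside package paths
    ("/usr/local/bin/backup", 0o104755),  # SUID, unknown helper
    ("/usr/bin/ls", 0o100755),            # not SUID, ignored
]

if __name__ == "__main__":
    for path, verdict in sorted(audit(SAMPLE_ENTRIES).items()):
        print(f"{verdict:7} {path}")
    # On a live host: audit(scan_filesystem())
```

On this VM the script would report /script/find as "danger" and anything SUID under /usr/local or a home directory as "review"; the remediation is simply `chmod u-s` on binaries that do not need the bit.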
So, we got access to a nightfall shell, where we found our first flag inside the user.txt file.
But this was a limited shell, so to get a proper shell as nightfall we applied the previous approach of placing the blank-passphrase SSH key: inside /home/nightfall we created a folder named .ssh and uploaded the authorized_keys file we had created previously.
Privilege Escalation
Now repeat the same steps and connect with SSH as nightfall, and you will get an SSH shell like ours, as shown in the image below. Next, we checked the sudo rights for nightfall and observed that he has the sudo right for the cat program, which means we can read higher-privilege files such as shadow.
sudo -l
We executed the following command to read the shadow file and obtained the password hashes.
sudo cat /etc/shadow
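An administrator reviewing sudoers for exactly this weakness can check it mechanically. The Python below is an added example, not from the walkthrough; it parses a subset of the sudoers user-specification grammar (aliases, Defaults and @include lines are skipped) and flags rules that let a user run a file-reading utility, or ALL, as root. The sample sudoers content is constructed, modelled on the sudo -l result above:

```python
"""Flag sudoers rules that let a user run file-reading utilities as root.

Added example, not part of the original walkthrough. Handles the common
user-specification form 'user host=(runas[:group]) [TAG:] cmd, cmd';
Defaults, alias definitions and @include lines are skipped. SAMPLE_SUDOERS
is constructed, modelled on the sudo -l output in the walkthrough.
"""
import re

# Utilities that read arbitrary files; as root, any of them exposes /etc/shadow
FILE_READERS = {"cat", "less", "more", "head", "tail", "tac", "nl",
                "grep", "diff", "strings", "view"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")
TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "NOEXEC:", "EXEC:")
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield (user, runas_user, nopasswd, [commands]) for each user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> run-as user ALL; no parenthesised field means root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd, cmds = False, []
        for part in m.group("cmds").split(","):
            part = part.strip()
            while part.startswith(TAGS):
                tag = next(t for t in TAGS if part.startswith(t))
                nopasswd = nopasswd or tag == "NOPASSWD:"
                part = part[len(tag):].strip()
            cmds.append(part)
        yield m.group("user"), runas, nopasswd, cmds

def risky_rules(text, ignore_users=("root",)):
    """Return [(user, command)] where a file reader or ALL may run as root."""
    findings = []
    for user, runas, _nopasswd, cmds in parse_sudoers(text):
        if user in ignore_users or runas not in ("root", "ALL"):
            continue
        for cmd in cmds:
            prog = cmd.split()[0] if cmd else ""
            if cmd == "ALL" or prog.rsplit("/", 1)[-1] in FILE_READERS:
                findings.append((user, cmd))
    return findings

# Constructed sample sudoers; the nightfall line mirrors the right seen via sudo -l
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
nightfall ALL=(ALL) NOPASSWD: /usr/bin/cat
matt    ALL=(ALL) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for user, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"{user}: may run {cmd!r} as root")
```

The point the output makes is that a sudo rule for a "harmless" read-only tool is equivalent to handing over /etc/shadow; if a user genuinely needs to read one privileged file, a wrapper script that reads only that file (or a group with read access to it) is the safer grant.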
So, we saved the hash of user root in a text file and then used John the Ripper to crack it.
Booomm!! We got user: root password: miguel2
Using the above credential, i.e. root:miguel2, we got root shell access, and inside the /root directory we found our final flag.