sunset: nightfall

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/sunset-nightfall,355/

Walkthrough

nmap
alt text

default 80…nothing with dirb either so moved on to smb
alt text

enum4linux gives us usernames and nothing else
alt text
alt text
alt text

ran hydra against ftp with more common user…creds
alt text

ftp as user and we write files and create directories in the user’s home folder…ssh
alt text

create a pub/priv key and copy pub to authorized_keys file
alt text

upload new file to .ssh folder using ftp
alt text

ssh as matt works
alt text

found suid find file under top level scripts folder
alt text

able to reach user.txt file in other users home directory
alt text

we create .ssh file and cp authorized_keys file over to other users home directory using this method
alt text

ssh as other user
alt text

grab root shadow hash
alt text

run hash against hashcat
alt text

we have root
alt text

and flag
alt text
alt text

Written on September 6, 2019
Share on: