FTP Brute Force
We have another CTF challenges for CTF players that named as “Sunset: nightfall” and it can be download from vulnhub from here. The credit goes to “whitecr0wz” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill for Compromising this VM to escalate the root privilege shell.
Task: Boot to Root
- FTP Brute force
- Injecting blank SSH key
- SSH login
- SUID Binaries
- Sudo Rights
Let’s begin with the network scan using netdiscover to identify the host machine IP.
And this gave 192.168.0.24 as Host IP, now we will move toward ports and service scan further.
For deep network scan we always prefer to use nmap aggressive scan and this time also we will go with the same approach, thus will run the below command to enumerate running services and open port.
nmap -A 192.168.0.24
From its scan result, we found that it has multiple open ports for various services but here port 21 i.e. look interesting as it is using pyftplib for ftp.
For more detail we need to start enumeration against the host machine, therefore, we navigate to a web browser for exploring HTTP service but we found nothing at this place.
While enumerating SMB service we found two use name “nightfall” & “matt” with the help of Enum4linux.
Since we have enumerated two usernames let’s go for brute force attack with the help of hydra and try to find its password for login into FTP
hydra -l matt -P /usr/share/wordlists/rockyou.txt 192.168.0.24 ftp -e nsr
Great! “Cheese” 😊is the password of user “matt” let’s use this credential for ftp login.
We logged into FTP successfully, therefore we decide to upload a malicious file inside /var/www/html but unfortunately, we were unable to access that directory.
This is due to pyftplib which is using python library for FTP and might be File sharing is allowed on any particular directory hence we are unable to access /var/www/html directory.
But still we have another approach i.e. uploading SSH key which means we will try to inject our created SSH key inside the host machine and access the tty shell of the host machine via ssh and this can be achieved when we will create an .ssh named folder and upload our ssh key inside it.
Thus, in our local machine, we created a ssh key with a blank passphrase using ssh-keygen and it will create two files. Then we copied id_rsa.pub file into another file and named “authorized_keys” and now we need to transfer this file inside the host machine.
As we already have FTP access of the host machine, therefore, it becomes easy to for us to upload authorized_keys inside the .ssh directory which we have created earlier.
So, when we try to connect with ssh as matt user, we got login successfully as shown in the below image. At this phase, we have compromised the host machine but to get access of the root shell we need to bypass user privileges, therefore without wasting time we try to identify SUID enabled binaries with the help of find command.
find / -perm -u=s -type f 2>/dev/null
So, we found /script/find has SUID permissions and it works similarly as Linux-Find utility thus we try to execute /bin/sh command and obtained access of the nightfall shell.
./find . -exec /bin/sh -p \; -quit
So, we got access of nightfall shell where we found our 1st flag from inside user.txt file.
But this was limited shell thus to access proper shell as nightfall, we try to apply the previous approach of placing blank passphrase ssh key. Therefore inside /home/nightfall we created a .ssh named folder and upload the authorized_key which we had created previously.
Now repeat the same and try to connect with ssh as nightfall and you will get ssh shell, like us as shown in below image. Further, we check sudo right for nightfall and observed he has sudo right for cat program which means we can read higher privilege files such as the shadow.
we have executed the following command for reading shadow file and obtain some hash values.
sudo -u root cat /etc/shadow
So, we saved the hash of user: root in a text file and then use john the ripper for cracking hash.
Booomm!! We got user: root password: miguel2
Using above credential i.e. root:miguel2 we got the root shell access and inside /root directory we found our final flag.
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here