I’ve done a couple more HackMyVM boxes and one thing on THM since I last wrote anything but I only want to write about one of them, and that’s Nightfall from HMV.
FTP and SSH only:
I can’t coax a version out of ProFTPD. It allows anonymous access with no writing, and contains one file with a somewhat cryptic hint:
In the darkness, there are invisible things happening that can be seen by taking a closer look at the horizon as a whole
Hmmm ok I guess.
OpenSSH version 7.7 is vulnerable to username enumeration, and I use a python script from searchsploit to run it:
The wordlist shown above is big - 624370 entries big. This takes a long time to run. I had already run the script with a much smaller list and found what I needed, but after stalling out I ran it again with the above entry. The python script, taken from here writes every entry in the input to an output file (and only when the script completes) so that’s kinda wierd. Anyway:
The name we want is abraham. So, now what? We have two services only, one username and nothing else. I try a UDP port scan but get nothing. I guess it’s bruteforcing either SSH or FTP with Hydra? I do try both of these approaches - nothing. I must be missing something? It turns out that yes, I am.
Since about the time I started doing HackMyVM boxes I’ve been running with an Internal Network mode in VirtualBox. I used to run everything Bridged even though I knew it wasn’t really a good idea, and there was even a VulnHub box called WORST WESTERN HOTEL: 1 that said:
Important: This box probably needs to be run in an isolated environment (Host-Only network), or it might disrupt your internal network. You should of course always run downloaded vm that way.
Incidentally that was a good box, not that I solved it but I did look at a write-up. What actually tipped me over the edge was a Windows VM that someone had made that they said (and I’m paraphrasing here):
‘lol, don’t give this thing internet access’.
I’ve never had much success with Host Only since I’m running a Kali VM attackbox in a Windows Host, so Internal Network was the go. That gives me the ability to communicate freely between Kali and the victim, without either of them having access to the host or the internet. It’s actually not hard to set up but you do need to use a CLI tool that comes with Virtualbox. It was basically this:
And then you just choose ‘Internal Network’ with the network name of ‘testlab’ for both machines. One of the nice things about VirtualBox is you can change the network adapter of the machine while it’s running so if I want to download a script or whatever I can easily switch Kali to Bridged while it is running, do whatever is required, then switch back to Internal Network. Nice. This has all been working well….until now.
Nightfall has socat doing a broadcast on UDP as a cronjob:
The idea is that you can detect this with tcpdump, e.g.
However, this does not work in Internal Network mode:
Essentially this box can’t be done with an Internal Network mode. Other modes may work (I’m not sure) but I switched it to Bridged to get it done.
What it means
The broadcast is the SSH private key of our user abraham, encrypted. It’s basically this, which is Hawk from HTB.
Once we’re on the box we are in the disk group which is basically game over:
In this case there is a root SSH key which we can read and use to SSH in:
Also I ‘upgraded’ to Windows 11 (I had to switch to UEFI, MBR2GPT and enable TPM) and I’m not sure if I am pleased I did or not…