Vulnhub sunset: nightfall Walkthrough

The description states:  "nightfall is a born2root VM designed for beginners."

I have to say that I was sort of disappointed at the direction this went because I thought it was going one way and then it ended up going another.  I guess if I had given some attention to the description, I would have realized my direction is a little more than beginner but I guess that's also in the eye of the beholder.  Anyway, let's get after it...

We kickoff with Nmap:





A few avenues to explore but we hit it with enum4linux to see if we can retrieve anything of use from SMB:





At the end, we uncover:





Excellent!  We have a couple of users, let's toss them into a text file and let's see if we can brute force some passwords:





We uncover:





Not that we have a user, let's see if we can use it to gain access through FTP:





Looks like we're in Matt's home directory.  Let's see if we can create SSH keys and then access the account using said keys. 

First we create the keys and then we put the public key into the authorized_keys file.





Now let's upload everything into a .ssh folder (which we need to create):





Now that everything is set, let's try to access Matt's account through SSH using the private key:





Excellent!

Let's see if we can uncover some interesting setuid binaries:





Nothing with root of interest to us but we do find one under the username nightfall.

Let's see if we can use it to read the user flag:





Now let's see if we can uncover anything interesting in the mysql history file:





At this point, I think the root is going to be Raptor.  I'm wrong but I don't know that as of yet.

Let's move into the nightfall account using the setuid binary:





And let's go through the same process with ssh keys for nightfall:





Once we're setup...





Let's check the sudoers file to see if we have any privileges:





Let's read the shadow file:





And let's see if we can crack the root hash:




And now I realize Raptor is not the root.  

Let's go for root:






The flag is massive.  I have to break it up:





This is definitely a good beginner box where attention to the minor details is what will get you to the low privilege shell and to root.