Home Nickel
Post
Cancel

Nickel

Posted Oct 6, 2024
By KS
5 min read

Machine Information

  • Machine Name: Nickel
  • Machine Difficulty: Intermediate

Information Gathering

Classic nmap time

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

Nmap scan report for 192.168.160.99
Host is up, received user-set (0.018s latency).
Scanned at 2024-10-06 12:33:28 +08 for 645s
Not shown: 65518 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
22/tcp    open  ssh           syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYR4Bx82VWETlsjIFs21j6lZ6/S40jMJvuXF+ay4Qz4b+ws2YobB5h0+IrHdr3epMNFmSY8JXFWzIILhkvF/rmadXRtGwib1VZkSa3nr5oYdMajoWK0jOVSoFJmDTJvhj+T3XE7+Q0tEkQ2EeGPrz7nK5XWzBp8SZdywCE/iz1HLvUIlsOqpDWHSjrnjkUaaleTgoVTEi63Dx4inY2KS5mX2mnS/mLzMlLZ0qj8vL9gz6ZJgf7LMNhXb/pWOtxfn6zmSoVHXEXgubXwLtrn4wOIvbZkm5/uEx+eFzx1AOEQ2LjaKItEqLlP3E5sdutVP6yymDTGBtlXgfvtfGS2lgZiitorAXjjND6Sqcppp5lQJk2XSBJC58U0SzjXdyflJwsus5mnKnX79nKxXPNPwM6Z3Ki1O9vE+KsJ1dZJuaTINVgLqrgwJ7BCkI2HyojfqzjHs4FlYVHnukjqunG90OMyAASSR0oEnUTPqFmrtL/loEc3h44GT+8m9JS1LgdExU=
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJYE805huwKUl0fJM8+N9Mk7GUQeEEc5iA/yYqgxE7Bwgz4h5xufRONkR6bWxcxu8/AHslwkkDkjRKNdr4uFzY=
|   256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8cLYuHBTVFfYPb/YzUIyT39bUzA/sPDFEC/xChZyZ4
80/tcp    open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2024-10-06T04:44:12+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=nickel
| Issuer: commonName=nickel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-02T12:08:06
| Not valid after:  2025-02-01T12:08:06
| MD5:   213b:2936:2580:4cc6:9690:ecc0:b098:9502
| SHA-1: d81f:d8b7:8feb:dfac:0a9d:1ee5:dcde:0a38:aa30:df02
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQNVSefaZ44JRG/kY5nQDBPTANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZuaWNrZWwwHhcNMjQwODAyMTIwODA2WhcNMjUwMjAxMTIwODA2
| WjARMQ8wDQYDVQQDEwZuaWNrZWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDnovhr8afVw+V0fm95rr9ConeFkaT0vNuSbJjAYZHdSTRxSCd6tO7w9gYI
| xwXCaYqvujkA/lCdZMtHlFagnJ9n+Wnc/Zbg+W7fdefvTkT/JrYng4v7apGmPE0Z
| TEPvOb+dAQ6mdiSPPOvZxYixjebM40ynfnLS20fBKI1VSwk2mKBbLjj7H/gFm+Gj
| QNje/AKNGws2j9HAIEezjwXI/cMP4J7YnGiM7/9sBP+wemBPb0PIORunTql4ZVDj
| zedom9trNJwzK9tfajVjPK90BSoO2uMzGJuEYXKvm0zFOzCPnvWIsIRYXJSv0di8
| fwipiruAKXtKztO/RaR0La6wD4OxAgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAAwmemd786ieQqfTN
| abQM8kDp0wxW1DcQqTymPQh48pq6yHVEjY313Y1Q3DbQwT0p/nLodZ1X8EALownI
| DucaFTwby5UREtwrys16uohJ7Y5T/5ei2u0++OpWkhG0sDZd+2fWUhQ0q3iMkyiN
| Pdh+srgyvqWGSMn/LZNe3e4JQ/6W5QTFegF1ZqanEDcm6WK2JzX4vd1hEH+zgU0H
| IU1tBbP/+HVJ3tivix1fhqN9QW5pju2EUDeG9DW7nYCZ/wCwsXRHd3A6dqYm5WG/
| sOTMDQT4nYFspI4DAxp6gKGxhoNQHDYy/Pc88mN36C9HuMhSTVdvgInW+4MwU8J+
| Jr5ugg==
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2024-10-06T04:43:06+00:00
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
8089/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: 9D1EAD73E678FA2F51A70A933B0BF017
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
| http-methods: 
|_  Supported Methods: GET
33333/tcp open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-favicon: Unknown favicon MD5: 76C5844B4ABE20F72AA23CBE15B2494E
| http-methods: 
|_  Supported Methods: GET POST
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

Too many options, lets focus on some web ports

Port 80

I have no idea what is going on, so I shall just perform brute force directory while looking into other ports.

Port 8089

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

curl http://192.168.160.99:8089/
<h1>DevOps Dashboard</h1>
<hr>
<form action='http://169.254.64.47:33333/list-current-deployments' method='GET'>
<input type='submit' value='List Current Deployments'>
</form>
<br>
<form action='http://169.254.64.47:33333/list-running-procs' method='GET'>
<input type='submit' value='List Running Processes'>
</form>
<br>
<form action='http://169.254.64.47:33333/list-active-nodes' method='GET'>
<input type='submit' value='List Active Nodes'>
</form>
<hr>

I have a look at the website and decided to show the output using curl command. It seems like this port is redirecting me to some other IP address and working on port 33333. Since I also have port 33333 opened, let me try if it works the same.

Port 33333

1
2

curl http://192.168.160.99:33333/list-current-deployments
<p>Cannot "GET" /list-current-deployments</p>

I tried doing the same thing to port 33333 but the results shows that it could not use GET method. I then try if it works if I use other HTTP method such as POST.

1
2
3
4
5
6
7

curl http://192.168.160.99:33333/list-current-deployments -X POST
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>

It seems like I could use POST method but it has some new errors. After gooogling, it has something to do with the header. Then I add the needed header accordingly.

1
2

curl http://192.168.160.99:33333/list-current-deployments -X POST -H "Content-Length:0"  
<p>Not Implemented</p>

Alright, it seems everything is work but it is not implemented. I then tried the same thing on the remaining endpoint given by port 8089.

1
2
3
4
5
6
7
8

curl -X POST http://192.168.160.99:33333/list-running-procs -H 'Content-Length: 0'

...
name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
...

It works and it provides some useful information such as the credentials needed for SSH.

Port 22

I then tried to use ariah:Tm93aXNlU2xvb3BUaGVvcnkxMzkK to login into SSH but it did not work. I thought it might be some encrypted or encoded passwords. After testing around, it is base64 encoded password.

1
2

echo Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 -d
NowiseSloopTheory139

By using ariah:NowiseSloopTheory139, I manage to login as user ariah and get a shell. Since its not administrator shell, its time to perform privilege escalation.

Privilege Escalation

Its always good to look into winpeas result. After exploring around, I found a pdf in C:\ftp\Infrastructure.pdf . I then transfer into my host machine and try to open it. It seems like it has password proctected. Time to crack it and get the password.

1
2
3
4
5
6
7
8
9
10

john -w=/usr/share/wordlists/rockyou.txt hash               
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168        (Infrastructure.pdf)     
1g 0:00:02:05 DONE (2024-10-06 13:08) 0.007998g/s 80014p/s 80014c/s 80014C/s ariah4168..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.

After getting the password, time to have a look at the file.

Ok, it seems like I could just execute command on port 80. Let me try that and see.

Dem, I could just execute command and get Administrator shell by utilizing the port 80.

Things I learned from this machine

  • Can just try if the ports if same although the IP is different
  • POST method need to add Content-Length: 0 to make sure it works
  • always try to check if the password is encrypted / encoded or not
  • lookout for pdf files as it might be useful
  • get the creds using john ~
PG
boot2root OSCP-Prep
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Medjed

-