Nickel - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan showed that FTP, SSH and an HTTP service on port 8089 were open.
Website
The website on port 8089 had 3 buttons, each forwarding the user to a different endpoint on a Windows private IP (169..).
So I replaced that IP with the target IP and was able to reach the endpoints. However, each one returned a "Cannot GET" error.
Exploitation
HTTP Verb Tampering
I captured the request in Burp, changed the method to POST, and was then able to access the endpoint. It listed the processes running on the target machine.
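The method check described above, as an added example that is not code from the original write-up: a constructed POST-only endpoint served on loopback, and a probe that records the status code each HTTP verb receives. The stand-in answers GET with a plain 501 rather than the Express-style "Cannot GET" seen on the box, and the /process path is an assumption.

```python
import http.server
import threading
import urllib.error
import urllib.request


class PostOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a route that is reachable only via POST
    (the kind of route that hides behind a "Cannot GET" error)."""

    def do_POST(self):
        body = b"PID  COMMAND\n412  svchost.exe -k netsvcs\n"  # constructed sample body
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Any other verb falls through to BaseHTTPRequestHandler's 501 response.

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind the stand-in to a free loopback port and serve it in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), PostOnlyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_methods(url, methods=("GET", "POST", "PUT", "DELETE", "OPTIONS")):
    """Return {method: status_code} for each verb tried against url.

    This is the check to run when a route answers one verb with an error:
    it shows whether the route, and whatever sits behind it, is actually
    reachable under a different method, which an access policy keyed on
    GET alone would miss.
    """
    results = {}
    for method in methods:
        data = b"" if method in ("POST", "PUT") else None
        req = urllib.request.Request(url, data=data, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code  # 4xx/5xx still tell us how the route behaves
    return results


if __name__ == "__main__":
    server = start_server()
    target = "http://127.0.0.1:%d/process" % server.server_address[1]
    for verb, code in probe_methods(target).items():
        print("%-7s -> %d" % (verb, code))
    server.shutdown()
```

The defender's takeaway is that a route which errors on GET is not closed; authorization has to be enforced for every method the handler can be reached with, and a quick per-verb inventory like this makes that gap visible in a review.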
Cleartext Password on Command Line
While checking the processes I found a username and a password. The password was base64 encoded, so I decoded it.
With those credentials I was able to log in over SSH as that user.
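Catching this finding on the defender's side, as an added example that is not from the original post: a scan over a constructed Windows-style process listing that flags command lines carrying user and password flags, and decodes base64 secrets so the plaintext exposure is visible in the alert rather than hidden behind the encoding. The flag spellings, the sample lines and the made-up password are all assumptions.

```python
import base64
import binascii
import re

# Constructed sample process listing (not output from the actual box).
# The token on the backup.exe line is base64 of a made-up password.
SAMPLE_LISTING = """\
PID   COMMAND
412   C:\\Windows\\System32\\svchost.exe -k netsvcs
1337  C:\\Tools\\backup.exe --user svc_backup --password UGFzc3cwcmQxMjMh
2021  C:\\Windows\\explorer.exe
"""

# Flag spellings treated as credential carriers (assumed; extend as needed).
USER_RE = re.compile(r"(?i)(?:--?user(?:name)?|-u)[ =]+(\S+)")
PASS_RE = re.compile(r"(?i)(?:--?pass(?:word)?|--?pwd|-p)[ =]+(\S+)")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_base64(token):
    """Return the decoded text if token is well-formed base64 of printable
    ASCII, else None. Short or odd-length tokens are left alone."""
    if len(token) < 8 or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_cleartext_credentials(listing):
    """Scan a PID/COMMAND listing and return one finding per process whose
    command line passes a password as an argument (which any local user who
    can read the process list can see, encoded or not)."""
    findings = []
    for line in listing.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        pid, cmdline = parts
        pw = PASS_RE.search(cmdline)
        if not pw:
            continue
        user = USER_RE.search(cmdline)
        secret = pw.group(1)
        findings.append({
            "pid": pid,
            "user": user.group(1) if user else None,
            "secret": secret,
            "decoded": try_base64(secret),  # None when the value is not base64
        })
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_LISTING):
        print("PID %(pid)s: user=%(user)s secret=%(secret)s decoded=%(decoded)s" % hit)
```

Base64 is an encoding, not protection, so the decoded value is reported alongside the raw token; the fix on the host is to move the secret out of the command line (a credential file with restricted ACLs, or a vault-backed lookup) so that a process listing no longer carries it.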
Privilege Escalation
FTP Encrypted PDF file (pdf2john)
There was an encrypted PDF file under the FTP share.
I extracted its password hash with pdf2john and cracked it.
It listed 3 different endpoints, but the first one looked suspicious: it was a command endpoint.
Internal website
Then I ran netstat -ano and found an internal website.
ligolo-ng
Then I used the ligolo-ng agent and proxy to pivot to that internal website via the special 240.0.0.0/4 subnet.
Then I visited the endpoint and tried appending a command to the parameter ?, as we had seen in the encrypted PDF. Well, it worked: I got command execution as SYSTEM.
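The command endpoint reached over the pivot, as an added example that is not the box's code: a vulnerable handler that splices the request parameter into a shell string, next to a hardened one that validates the parameter and passes it to the program as its own argv element. `echo` stands in for whatever the real endpoint executed, the hostname allowlist is an assumption, and the injected input is a harmless second `echo` that only shows where the extra command boundary appears.

```python
import re
import subprocess

# Allowlist for a hostname/IP parameter: letters, digits, dots and hyphens,
# no shell metacharacters, and no leading hyphen so the value cannot be
# read as an option by the program it is handed to.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def run_unsafe(host):
    """Vulnerable form: the untrusted parameter is concatenated into a shell
    command, so ';', '&&', '|', backticks and '$()' in the value all start a
    new command. `echo` is a stand-in for the real tool the endpoint invoked."""
    return subprocess.run("echo checking " + host, shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(host):
    """Hardened form: reject anything outside the allowlist, then hand the
    value to the program as a separate argv element with no shell in between,
    so metacharacters are just literal characters in one argument."""
    if not HOST_RE.match(host):
        raise ValueError("host parameter rejected: %r" % host)
    return subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # constructed, benign second command
    print("unsafe   :", repr(run_unsafe(payload)))
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened :", err)
    print("hardened :", repr(run_hardened("example.com")))
```

Two controls stack here: input validation stops the hostile value at the boundary, and the argv form means that even a value which slipped past validation could not open a second command. The process running the endpoint should also not be SYSTEM; a dedicated low-privilege service account limits what a successful injection can reach.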
nc64.exe
So I downloaded and transferred nc64.exe, executed it to obtain a SYSTEM shell, and read the Admin flag.