AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • IP: 192.168.66.99
  • Enumeration
  • Port 80
  • Port 3333
  • Shell
  • Root

Was this helpful?

  1. Boxes/Write Ups
  2. Proving Grounds
  3. Proving Grounds Practice

Nickel

PreviousDVR4 - quedNextSlort

Last updated 2 years ago

Was this helpful?

IP: 192.168.66.99

Enumeration

Nmap scan

nmap 192.168.66.99 -p- -sV -Pn

Port 80

Port 3333

Had to get a hint here. All I had to do was add the content lengthπŸ€¦β€β™‚οΈ

Seems to be a user account ariah:NowiseSloopTheory139 for SSH login.

Shell

Found a file that looks interesting: C:\ftp\Infrastructure.pdf Had to look at how to copy this over since sending it to wwwtree was messing up the file.

PDF is password protected. Cracked it with john.

Tried making a reverse shell with msfvenom here but it kept crashing whenever the shell would come back.

Added ariah to local admin group on the machine and enabled RDP. Both commands had to be URL encoded to send. 

net localgroup Administrators ariah /add

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Connected with RDP.

xfreerdp /u:ariah /p:NowiseSloopTheory139 /v:192.168.66.99

Root

Got an admin command prompt.

πŸ—ƒοΈ
πŸͺŸ