May 13, 2025

Nickel Proving Grounds Write-Up

Proving Grounds Nickel machine walkthrough

SUMMARY

This write-up covers the Nickel machine from OffSec’s Proving Grounds, a Windows machine where sensitive credentials were inadvertently leaked through an internal HTTP API.

Port 8089 exposed an HTTP API with misconfigured endpoints. Browsing the service revealed routes pointing to an unreachable IP, but sending a POST request with the correct Content-Length header to the list-running-procs endpoint returned a list of running processes. Embedded within the output were base64-encoded credentials for user ariah. These were decoded and used to log into the FTP service, where a password-protected PDF was found and downloaded.

The PDF was cracked using pdf2john and hashcat, and the revealed contents described a command injection parameter in a URL on port 80. Sending a request with a reverse shell payload via that parameter executed commands as NT AUTHORITY\SYSTEM directly, so no privilege escalation step was needed.
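The root cause of the leak described above is a secret passed as a process argument, where base64 only encodes it and anything that can list processes can read it. The following is an added defensive example, not part of the original write-up: it audits a list of command lines for secret-bearing arguments. The sample command lines, the flag list and the function names are all constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample: command lines as a process inventory or EDR export might list them.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\tools\sync.exe --user svc_demo --pass " + base64.b64encode(b"Constructed-Pass1!").decode(),
    r"C:\Windows\System32\cmd.exe /c backup.bat -p Plain-Demo-123!",
    r"powershell.exe -File C:\scripts\rotate.ps1",
]

# Flags that commonly take a secret as their value (assumed list; extend for your estate).
SECRET_FLAG = re.compile(r"(?i)(?:^|\s)(--?(?:p|pw|pass|password|token|secret|key))[\s=:]+(\S+)")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decodes_to_text(value):
    """Return True if value is well-formed base64 that decodes to printable ASCII."""
    if not B64_TOKEN.match(value) or len(value) % 4:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in raw)


def audit_cmdlines(cmdlines):
    """Return (index, flag, encoding) for every command line that exposes a secret argument."""
    findings = []
    for i, line in enumerate(cmdlines):
        for m in SECRET_FLAG.finditer(line):
            flag, value = m.group(1), m.group(2)
            kind = "base64" if decodes_to_text(value) else "plaintext"
            findings.append((i, flag, kind))  # the secret value itself is deliberately not recorded
    return findings


if __name__ == "__main__":
    for idx, flag, kind in audit_cmdlines(SAMPLE_CMDLINES):
        print(f"process #{idx}: secret passed via {flag} ({kind}); move it to a credential store")
```

Both findings call for the same remediation: take the secret out of the argument list and restrict who can query process information.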


PATH TO FOLLOW

  1. Reconnaissance & HTTP API Discovery on Port 8089
  2. POST Request to Process Listing Endpoint
  3. Base64 Credential Extraction & Decoding
  4. FTP Access & PDF Download
  5. PDF Hash Cracking with pdf2john & hashcat
  6. Command Injection via URL Parameter on Port 80
  7. Reverse Shell as NT AUTHORITY\SYSTEM

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.