HackTheBox — Access

Access is an Easy-rated Windows machine on Hack The Box.

Please note that I have saved this writeup as part of my notekeeping. The original writer of this writeup is Sam Wedgwood, so all credits go to him.

Link to his original writeup: https://medium.com/ctf-writeups/hack-the-box-access-write-up-33ab4cb7d9b3

ENUMERATION

nmap -sVC -oN nmap.txt 10.10.10.98

The initial nmap scan shows us that there are three services: FTP (with anonymous login allowed), Telnet and HTTP.

We can take a look at the FTP server by logging in anonymously:

In the Backups folder there’s a file called ‘backup.mdb’, so let’s download that.

In the Engineer folder there’s a file called ‘Access Control.zip’, so let’s get that one also.

We’ve got everything we can from there, let’s try extracting that zip file:

It requires a password, we can probably assume the password is located within the ‘backup.mdb’ file:

It’s a Microsoft Access Database file. As I run Linux natively, I had to find a tool for the job. Unfortunately, I couldn’t get any working, so I ended up just searching through the raw data in Bless Hex Editor, searching for keywords:

When searching for admin, we find a suspicious string ‘access4u@security’ which looks password-like.

And it works! We’re left with a new file called ‘Access Control.pst’.

More Microsoft file-types!

Unfortunately, running cat or strings doesn’t yield much. Maybe we can convert it to a more global file-type?

Luckily someone has made a program for this already! And with that we have our mbox file.

Running strings on the mbox file gives us some login details, let’s try those details on the telnet:

And we have user!

Part 2: Root

Now that we have user, we need to find our privilege escalation. So let’s have a poke around! For some reason this shell doesn’t let you backspace, which is annoying.

After having a poke through this (ignoring user-made files, which you can tell from the timestamp) I couldn’t find much interesting other than .yawcam which appeared to be some application to help take photos? Not quite sure, let’s have a look at other folders we have access to outside of the user folder:

A Public user? Let’s look in there!

Seems rather… empty? Where’s Desktop for example?

It’s hidden! Just like how Linux has ls -a, Windows has dir /a, who woulda guessed?

There’s a shortcut (.lnk) file, let’s just type it and see what we get:

A big mess! But a keen eye might spot:

runas, /user:ACCESS\Administrator and /savecred. The last one is for lazy people who want their credentials saved when they use runas so they don’t have to type their password every time. If the credentials are still saved, we might be able to leverage this into a full blown shell!

Uh…? Doesn’t seem like it worked, but it didn’t ask for a password either?

From what I can tell, the runas command appears to open a process and it does run the command, but just not in our telnet session. So we essentially have blind command execution as System. Since the Root flag will be located in root.txt on the Desktop of the Admin, we can just copy it out; I devised this command:

runas /savecred /user:ACCESS\Administrator "cmd.exe /C type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Searches\out.txt"

Essentially I’m just copying the file to the Searches folder, which I do to hide it from other people attempting to escalate.

Boom! Rooted!!!
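From the defender's side, the shortcut finding above can be turned into an audit check. The following is an added example, not part of the original writeup: it pulls ASCII and UTF-16LE strings out of raw .lnk bytes (the "big mess") and flags shortcuts that call runas with /savecred. The sample bytes and the C:\Tools\app.exe path are constructed for illustration.

```python
import re

# Printable runs of 4+ characters in the two encodings a .lnk stores text in.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
USER_ARG = re.compile(r"/user:(\S+)", re.IGNORECASE)

def extract_strings(blob):
    """Return printable ASCII and UTF-16LE strings found in raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found

def audit_shortcut(blob):
    """Report whether a shortcut invokes runas with /savecred, and for whom."""
    strings = extract_strings(blob)
    joined = " ".join(strings).lower()
    result = {
        "runas": "runas" in joined,
        "savecred": "/savecred" in joined,
        "users": sorted({m.group(1) for s in strings for m in USER_ARG.finditer(s)}),
    }
    result["risky"] = result["runas"] and result["savecred"]
    return result

# Constructed sample bytes (simplified, not complete .lnk files).
HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
SAMPLE_RISKY = (
    HEADER + b"C:\\Windows\\System32\\runas.exe" + b"\x00\x00"
    + '/user:ACCESS\\Administrator /savecred "C:\\Tools\\app.exe"'.encode("utf-16-le")
    + b"\x00\x00"
)
SAMPLE_BENIGN = (
    HEADER + b"C:\\Windows\\System32\\notepad.exe" + b"\x00\x00"
    + "C:\\Users\\Public\\notes.txt".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for name, blob in (("risky", SAMPLE_RISKY), ("benign", SAMPLE_BENIGN)):
        print(name, audit_shortcut(blob))
```

On the host itself, `cmdkey /list` shows the stored credentials that /savecred relies on, and `cmdkey /delete:<target>` removes one.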


I am a Penetration Tester, currently pursuing OSCP. Skilled in network pen-testing and developing hacking tools using Python. I share my knowledge on YouTube.
