Hackthebox - Access
Windows
Nmap
Initial foothold
FTP
We take all the files in our attacking machine using
get
We have an mdb file which is a microsoft access database file, we can open it using this website we also could have used
mdb-sql
Theres a lot of tables however only some of them have rows
The one called USERINFO contains name and password, let's get the csv version of this table
This definitely looks like a db for hr management
Another one called auth_user also has password so we take the csv as well
I put it in a file called userinfoclean
cat USERINFO.csv | awk -F "," '{print $25, $46, $86}' > userinfoclean
For the other file
auth_user.csv
let's keep the usernames in a file called userscat auth_user.csv | awk -F "," '{print $2}' > users
, I cleaned it a little removing the title of column and the quotes
Telnet
We have a telnet port open
if we use
admin
as login we get a mention that the user does not existIf we use
engineer
as login we then get prompt for the password (which means our user is valid), and if we typeadmin
we have the handle is invalide but if we typeaccess4u@security
we get access denied, which means that our user pass combinaison is correctLet's keep it aside
engineer
access4u@security
Port 80
Let's run gobuster here (we do not get anything)
FTP
Let's try to bruteforce ftp with the discovered users
hydra -L users -P pass 10.10.10.98 -t 4 ftp
We do not get anything
Zip file
We get an Outlook email folder:
We can read this file on linux using
readpst Access\ Control.pst
(apt install readpst
to install it), here is what we get in the email, another Password!!
Let's add these to our files
Telnet again
We can grab the user flag on the desktop
Privilege escalation
We are going to be able to run commands as administrator (just like sudo in linux)
Let's grab the root flag like this:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"
and then it will be in our current user's desktopHave a look at PayloadsAllTheThings to see how else we could use runas
Last updated