[HTB] Access Writeup
Enumeration
IP: 10.10.10.98
So we have http, ftp and possibly telnet open.
FTP
We try anonymous login on the FTP port.
We download the two files onto our host.
The zip file is password protected and the backup is a Microsoft Access database.
Telnet
We need credentials, so let's skip it for the moment.
http
Not much of value on the web server either.
Downloading the image and running exiftool on it.
backup.mdb
On our Linux machine let's install mdbtools, a Linux tool for reading Microsoft Access databases.
Using mdb-tables to view the tables inside the database.
For visibility let’s do:
Exporting the values from the auth_user table we get:
We try the engineer password on the password-protected zip archive.
We get a Microsoft Outlook email folder. I don't know how to open a pst file on my Linux machine, so I have utilised an online pst-viewer.
We got another credential. Let's test it on telnet.
We have user: type C:\Users\Desktop\user.txt.
Going through C:\Users\Public\Desktop we find an interesting shortcut.
Running type on the file we get a bunch of strings.
Before we analyse it let’s upgrade our shell by using a reverse shell from nishang.
Now let's use PowerShell commands to analyse the .lnk shortcut file.
On analysing it we see that runas.exe is used to run the command, with /user:ACCESS\Administrator /savecred as arguments. This means the command can be run as Administrator and the password is cached.
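The shortcut analysis above is the point a defender would want to automate: find any .lnk whose arguments hand a command to runas with /savecred, because such a shortcut is only as safe as the credential Windows has cached for it. Below is an added example, written for this writeup and not code from the original post or from the box itself: a minimal parser for the Shell Link binary format (header, optional LinkTargetIDList/LinkInfo skipping, and the StringData fields) plus a check for the /savecred pattern. The .lnk bytes it operates on are constructed inline from the MS-SHLLINK layout so it runs offline; the runas path and the placeholder cmd.exe command in the sample are assumptions, not the box's real shortcut.

```python
"""Minimal Shell Link (.lnk) parser for triaging shortcuts that run a command
with cached credentials (runas /savecred).

Added example for this writeup (not the box's own shortcut, not the author's
code). The sample .lnk is constructed from the MS-SHLLINK layout so the
script runs offline."""
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def _read_string(data, offset, unicode):
    """One StringData entry: uint16 CountCharacters, then the characters
    (UTF-16LE when IsUnicode is set, otherwise the system code page)."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        raw = data[offset:offset + 2 * count]
        return raw.decode("utf-16-le"), offset + 2 * count
    raw = data[offset:offset + count]
    return raw.decode("cp1252"), offset + count


def parse_lnk(data):
    """Return a dict of the StringData fields present in a .lnk blob."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    (flags,) = struct.unpack_from("<I", data, 0x14)  # after HeaderSize + CLSID
    offset = HEADER_SIZE
    # Optional LinkTargetIDList: uint16 IDListSize followed by the item IDs
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    # Optional LinkInfo: its uint32 LinkInfoSize covers the whole structure
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    fields = {}
    unicode = bool(flags & IS_UNICODE)
    for name, bit in STRING_FIELDS:
        if flags & bit:
            fields[name], offset = _read_string(data, offset, unicode)
    return fields


def uses_saved_credentials(fields):
    """True when the arguments pass /user: and /savecred, i.e. the command
    runs under whatever credential Windows has cached for that user."""
    args = fields.get("arguments", "").lower()
    return "/savecred" in args and "/user:" in args


def build_lnk(relative_path, arguments):
    """Assemble a minimal Unicode .lnk carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS, enough to exercise the parser offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE)
    # LinkCLSID 00021401-0000-0000-C000-000000000046, little-endian fields
    header += b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header += struct.pack("<II", flags, 0x20)            # LinkFlags, FileAttributes
    header += b"\x00" * 24                               # Creation/Access/Write time
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize .. Reserved3
    assert len(header) == HEADER_SIZE
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample: a shortcut in the style of the one described above.
# The launched command is a placeholder, not the box's real shortcut.
SAMPLE_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\runas.exe",
    '/user:ACCESS\\Administrator /savecred "cmd.exe /c echo placeholder"',
)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info)
    print("cached-credential runas:", uses_saved_credentials(info))
```

In an audit you would feed every .lnk found under the public and per-user Desktop and Start Menu folders to parse_lnk and report the ones for which uses_saved_credentials is true; each such shortcut means an Administrator credential is stored in the Credential Manager of the account that created it and can be consumed by any process running as that account.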
We try to use runas with the user and savecred arguments from our reverse shell, but it's not working as intended. So let's start over with our telnet connection and try to get a reverse shell with admin privileges.
We have root: type C:\Users\Administrator\Desktop\root.txt
The machine has been pwned.