🔑Access
https://app.hackthebox.com/machines/156
After a quick nmap scan we find just a web server plus FTP and Telnet ports open:
The web server seems useless for now.
Anonymous login is enabled.
Type in the following command:
In FTP (File Transfer Protocol), the binary command is used to set the transfer mode to binary or image mode. This mode is used when transferring files that are not plain text files, such as images, executables, or compressed files.
Then cd into all the folders and get the files (Access Control.zip & backup.mdb).
For the mdb file, you can use the following command:
And for the other file, which is a pst file:
There are plenty of ways to open it in a GUI, but there is also https://www.mdbopener.com/ for easy access:
After looking around for a bit we find credentials:
The other file was password-protected; now we can see the content:
Using the readpst command, we generate an mbox file that looks like an email:
While reading the email, we see clear-text credentials.
Now connect with those credentials via telnet:
Next is privesc:
The output indicates that there is a stored credential for an interactive logon session to the ACCESS domain with the Administrator user account.
Now we use the runas command:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred
This part of the command invokes the runas.exe utility, which is used to run a program with different credentials.
/user:ACCESS\Administrator specifies the username (Administrator) and domain (ACCESS) under which the subsequent command will be executed.
The /savecred flag instructs runas.exe to use credentials previously saved for that user, and to save the entered password for future use if none are stored yet, so the command can be executed without manual authentication. The credentials are kept in the Windows Credential Manager, which is why the stored Administrator credential found above lets this command run without a password prompt.

"C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"
This part of the command specifies the command to be executed with elevated privileges using runas.exe.
"C:\Windows\System32\cmd.exe launches the Windows Command Prompt (cmd.exe).
The /c flag indicates that the subsequent string should be treated as a command to be executed by cmd.exe, and then the command specified after /c is executed.
TYPE C:\Users\Administrator\Desktop\root.txt is the command to display the contents of the file root.txt located on the desktop of the Administrator user.
> is the output redirection operator, which redirects the output of the TYPE command (the contents of root.txt) to the file specified after >.
C:\Users\security\root.txt is the path where the output of the TYPE command (root.txt) will be saved. It will be saved in the root.txt file in the security user's directory.
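A defender-side view of the same command, as an added example that is not part of the original write-up: a small Python check that flags runas invocations relying on /savecred in process-creation command lines and extracts the target user and launched program. The event records, the ACCESS\backup and ACCESS\helpdesk accounts, and the function names are constructed for illustration.

```python
import re

# runas / runas.exe at the start of the command line, optionally quoted or with a full path
RUNAS_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?runas(?:\.exe)?"?(?=\s|$)', re.I)
# a /switch or /switch:value argument (value may be quoted)
SWITCH_RE = re.compile(r'(?:^|\s)/(\w+)(?::("[^"]*"|\S+))?')
# runas takes the program to launch as one argument, normally the final quoted string
QUOTED_PROGRAM_RE = re.compile(r'\s"(.+)"\s*$')


def analyze(cmdline):
    """Return {'user', 'program'} if cmdline is runas with /savecred, else None."""
    m = RUNAS_RE.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    quoted = QUOTED_PROGRAM_RE.search(rest)
    # Only look for switches before the program, so "/savecred" inside it is ignored.
    head = rest[:quoted.start()] if quoted else rest
    switches = {n.lower(): v.strip('"') for n, v in SWITCH_RE.findall(head)}
    if "savecred" not in switches:
        return None
    program = quoted.group(1) if quoted else SWITCH_RE.sub(" ", head).strip()
    return {"user": switches.get("user"), "program": program or None}


def scan(events):
    """Return (account, finding) pairs for events that reuse saved credentials."""
    return [(e["account"], f) for e in events if (f := analyze(e["cmdline"]))]


# Constructed process-creation records (not real logs); the first is the page's command.
SAMPLE_EVENTS = [
    {"account": r"ACCESS\security", "cmdline":
        r'C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred '
        r'"C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt'
        r' > C:\Users\security\root.txt"'},
    {"account": r"ACCESS\security", "cmdline":
        r'runas /user:ACCESS\backup "cmd.exe /c echo /savecred done"'},
    {"account": r"ACCESS\helpdesk", "cmdline":
        r'RunAs /SaveCred /User:"ACCESS\Administrator" mmc.exe'},
    {"account": r"ACCESS\security", "cmdline": r"C:\Windows\System32\cmd.exe /c dir"},
]

if __name__ == "__main__":
    for account, finding in scan(SAMPLE_EVENTS):
        print(f"{account} ran runas /savecred as {finding['user']}: {finding['program']}")
```

The second sample shows why switches are only read before the quoted program: the text /savecred inside the launched command does not count as the flag.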