🔑Access

https://app.hackthebox.com/machines/156

after a quick nmap we only find a web server plus the ftp & telnet ports open:

the webserver seems useless for now

anonymous login is enabled

type in the following command:

binary

In FTP (File Transfer Protocol), the binary command is used to set the transfer mode to binary or image mode. This mode is used when transferring files that are not plain text files, such as images, executables, or compressed files.

then cd into all the folders and get the files (Access Control.zip & backup.mdb; quote the first name, since it contains a space)

for the mdb file, you can utilize the following command:

mdb-sql backup.mdb

and for the other file, which is a pst file:

readpst filename.pst

there are plenty of ways to open an mdb file in a GUI, but there is also https://www.mdbopener.com/ for easy access:

after looking around for a bit we find credentials:
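A more systematic way to go through the database than browsing it by hand, as an added example that is not part of the original writeup: dump every table with mdb-tools (mdb-tables and mdb-export are real commands from that package) and flag any column whose name suggests a stored secret. The parsing helpers are shown against a constructed CSV sample; its table layout, names and values are made up for this example and are not the box's data.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): enumerate an Access .mdb
# with mdb-tools and report tables with a credential-looking column.
set -u

# Column-name pattern that usually marks stored secrets (assumed list).
CRED_COLS='(pass|pwd|secret|token)'

# Constructed sample in the shape mdb-export produces (made-up rows).
SAMPLE_CSV='id,Name,Password,Status
1,svc_web,S3cr3t-placeholder,1
2,backup_admin,,1
3,auditor,Wint3r-placeholder,1'

# Read CSV on stdin; print header columns matching CRED_COLS, one per line.
cred_columns() {
  head -n 1 | tr -d '\r"' | tr ',' '\n' | grep -Ei "$CRED_COLS" || true
}

# Read CSV on stdin; print the 1-based index of the first matching column.
cred_column_index() {
  head -n 1 | tr -d '\r"' | tr ',' '\n' | grep -Ein "$CRED_COLS" | head -n 1 | cut -d: -f1
}

# Read CSV on stdin; print the non-empty values of column $1 from the data
# rows (simple CSV only: no quoted commas inside fields).
column_values() {
  local idx=$1
  tail -n +2 | tr -d '\r"' | awk -F',' -v c="$idx" '$c != "" { print $c }'
}

# Walk every table of an .mdb file. Needs mdb-tools on PATH; table names
# containing spaces would need extra handling.
scan_mdb() {
  local db=$1
  command -v mdb-tables >/dev/null || { echo "mdb-tools not installed" >&2; return 2; }
  for t in $(mdb-tables -1 "$db"); do
    local csv idx
    csv=$(mdb-export "$db" "$t")
    idx=$(printf '%s\n' "$csv" | cred_column_index)
    [ -n "$idx" ] || continue
    echo "== $t: credential-looking column #$idx =="
    printf '%s\n' "$csv" | column_values "$idx"
  done
}

# Usage: scan_mdb backup.mdb
```

Running `scan_mdb backup.mdb` prints, per table, only the column that looked like a secret, which is usually enough to spot where the credentials live before opening the file in a GUI.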

The other file was password protected; with the password from the database we can now see its content:

using the readpst command, we generate an mbox file that looks like an email:

While reading the email, we see clear text credentials

now connect with those credentials via telnet:

Next is privesc:

cmdkey /list

the output indicates that there is a stored credential for an interactive logon session to the ACCESS domain with the Administrator user account.

now we utilize the runas command:

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"
  1. C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred:

    • This part of the command invokes the runas.exe utility, which is used to run a program with different credentials.

    • /user:ACCESS\Administrator specifies the username (Administrator) and domain (ACCESS) under which the subsequent command will be executed.

    • /savecred flag instructs runas.exe to use credentials previously saved for this account in the Windows Credential Manager (saving them on first entry), so the command runs without a password prompt. That is exactly the stored ACCESS\Administrator credential that cmdkey /list showed above.

  2. "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt":

    • This part of the command specifies the command to be executed with elevated privileges using runas.exe.

    • C:\Windows\System32\cmd.exe launches the Windows Command Prompt (cmd.exe).

    • /c flag indicates that the subsequent string should be treated as a command to be executed by cmd.exe, and then the command specified after /c is executed.

    • TYPE C:\Users\Administrator\Desktop\root.txt is the command to display the contents of the file root.txt located on the desktop of the Administrator user.

    • > is the output redirection operator, which redirects the output of the TYPE command (the contents of root.txt) to a file specified after >.

    • C:\Users\security\root.txt is the path where the output of the TYPE command (the contents of root.txt) is saved, inside the security user's directory where our low-privileged account can read it.
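What makes this step work is that an interactive-logon credential for ACCESS\Administrator is already saved on the host, which is what cmdkey /list revealed. As an added example that is not part of the original writeup, here is a small defender-side audit in shell that parses collected `cmdkey /list` output (pasted from a host or a transcript) and reports saved interactive-logon entries for privileged accounts. The sample output is constructed for this example following the real tool's layout, and PRIV_USERS is an assumed list of account names to treat as high risk.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): parse the text that
# `cmdkey /list` prints and report saved credentials that would let any
# process on the host run as a privileged account via `runas /savecred`.
set -u

# Constructed sample of `cmdkey /list` output (layout follows the real
# tool; the entries themselves are made up for this example).
SAMPLE_CMDKEY='Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: ACCESS\svc_backup

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: developer
'

# Account names whose saved credentials we treat as high risk (assumed).
PRIV_USERS='administrator|domain admins|root'

# Read cmdkey output on stdin; print "TARGET<TAB>USER" for every
# "Domain:interactive=" entry, the kind runas /savecred can reuse.
interactive_saved_creds() {
  awk '
    /^[ \t]*Target:/ { sub(/^[ \t]*Target:[ \t]*/, ""); target = $0; next }
    /^[ \t]*User:/   { sub(/^[ \t]*User:[ \t]*/, ""); user = $0
                       if (target ~ /^Domain:interactive=/) printf "%s\t%s\n", target, user }
  ' | tr -d '\r'
}

# Same, but keep only entries whose user (after any DOMAIN\ prefix)
# matches PRIV_USERS, case-insensitively.
privileged_saved_creds() {
  interactive_saved_creds | awk -F'\t' -v pat="$PRIV_USERS" '
    { u = tolower($2); sub(/^.*\\/, "", u); if (u ~ "^(" pat ")$") print }'
}

# Count of high-risk entries; non-zero means a finding to remediate
# (remove the entry with `cmdkey /delete:<target>` and rotate the password).
count_privileged() {
  privileged_saved_creds | wc -l | tr -d ' '
}

# Usage: cmdkey /list > creds.txt on the host, then:
#   privileged_saved_creds < creds.txt
```

Only the first entry in the sample is both an interactive-logon credential and for a privileged account, so it is the one the audit reports; the generic git credential and the non-interactive file-server entry are not usable through runas /savecred in the same way.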
