Post

Access

Posted Updated
By Peter Soverns 2 min read

Overview

Access is a vulnerable machine from Hack the Box that requires some unique enumeration and file reading, with abusing a local file on the target to read the last flag. The foothold is accomplished after some enumeration of a couple files in the ftp server, and the privilege escalation/abuse is using a file on the machine to be able to read the final flag.

Nmap Scan

sudo nmap -sS -Pn 10.10.10.98 -vvv

  • 21/tcp open ftp syn-ack ttl 127
  • 23/tcp open telnet syn-ack ttl 127
  • 80/tcp open http syn-ack ttl 127

Basic Enumeration

Telnet seems like the obvious choice, but permissions are configured well for this service, so we cannot access telnet right away. We will need credentials to gain access over this service.

  • FTP is the next service we want to try to gain entry. We have anonmymous login available to us, so we can see what files are there and retrieve those files.
    • Two files, a .mdb and a .pst file.
    • The .pst file is protected by a password and zipped, so we need to look through the other file to find it.
  • We can run strings against the .mdb file, but we get a big mess of strings, so it is not clear what we need to look for.
    • We can get a tool called mdbtools to enumerate through the file.
    • mdb-tables can help extract tables available to parse through in the file.
      • mdb-tables -1 <file>
    • Now that we have an extract list of tables to look through, we can grep for certain key words like “auth” or “pass”.
    • Another part of mdbtools, mdb-json can dump the contents of a table in a json format.
      • mdb-json -U backup.mdb <table>
        1
2
3

        {"id":25,"username":"admin","password":"admin","Status":1,"last_login":"08/23/18 21:11:47","RoleID":26}
{"id":27,"username":"engineer","password":"access4u@security","Status":1,"last_login":"08/23/18 21:13:36","RoleID":26}
{"id":28,"username":"backup_admin","password":"admin","Status":1,"last_login":"08/23/18 21:14:02","RoleID":26}

Foothold

Now that we have some credentials, we have tried to pass these over telnet. These don’t work, but one set of creds is able to help us unpack the zip file to get access to the .pst file.

  • We can use readpst to read .pst files. Looking at the contents of mbox.pst, we see this message: ``` Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.

Regards,

John ```

Before, we haven’t seen an account referred to as security, but it may still be a valid account. Using this credential combo, we gain access to the box over telnet (security:4Cc3ssC0ntr0ller).

  • We have user.txt as account security:

User

Local Enumeration

Checking around the host, there is a unique path for us to follow.

  • Net user shows that we have users of Administrator, security, engineer, and guest on the host.

  • After running cmdkey /list, we see that a stored credential for the user Administrator and type of password Domain Password is available.

    • This allows us to abuse the process runas.exe in order to execute a command as the Administrator user. We could use this to potentially try for a shell, but we can also bypass doing another shell and just try to read root.txt.

Privilege Escalation

We execute this command, and get our flag:

  • C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\Security\root.txt

Root

ctf, security, hacking, exploits, web application, clear credentials, anonymous access, information discolsure
ctf security hacking exploits web application clear credentials anonymous access information discolsure
This post is licensed under CC BY 4.0 by the author.