Sunday, March 31, 2019

Access


ACCESS

- Layout for this exercise:





1 - INTRODUCTION

-  The goal of this exercise is to develop a hacking process for the vulnerable machine Access, what is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

2.1 - Ports enumeration

- The IP for Access is 10.10.10.82:




- Scanning with Nmap:




- Scanning deeper ports  21, 23 and 80:





2.2 - FTP enumeration

- From previous image we learn that the FTP server allows anonymous connection.

- Connection to the FTP server is successful:




- There are two directories available: Backups and Engineer




- Let's explore first Backups where there is a file called backup.mdb:





- Trying to download backup.mdb it seems that there are some problems related with the transfer in FTP ASCII mode:




- However changing to FTP binary mode the transfer is successful:






- Going to the Engineer folder the transfer is also problematic, in this case due to the name of the file Access Control.zip:




- Changing to Access\ Control.zip the transfer of the .zip file is successul:




- Finally we've got both files available to study at Kali:





2.3 - Microsoft Access database enumeration


- Let's start trying to unzip 'Access Control.zip':



- A password is required for extracting the .zip file:






- Going to backup.mdb, the easiest way to open it is with a Microsoft application, for instance using Access or even Excel.

- Once selected backup.mdb and the table auth_user:







- Also, there are some Linux tools to handle Access databases:

https://github.com/brianb/mdbtools


- For instance, extracting all the tables with mdb-tables from backup.mdb and writing them to the file backup_tables:




- The text file is a little bit messy:






- To clarify the content, looking for "user" related information:




- Exporting the content of table auth_user with mdb-export the result is the same as before:





- So it seems that we have discovered two potentials passwords: admin and access4u@security

- Now, going back to the .zip file and applying the password access4u@security the extraction is succesful:





- As a result of the extraction we have the file Access Control.pst:



 


- The .pst file extension means Personal Storage Table, an open proprietary file format used to store copies of messages, calendar events, and other items within Microsoft software such as Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook:

https://en.wikipedia.org/wiki/Personal_Storage_Table


- The readpst Linux command helps to read content of Access Control.pst:

https://linux.die.net/man/1/readpst


- Applying readpst on Access Control.pst the result is another file called Access Control.mbox:



- Reading the .mbox (MailBox) file is trivial with cat, and we find the promising password 4Cc3ssC0ntr0ller for the user account security:




3 - EXPLOITATION


- Now, taking advantage of the user account security and the password 4Cc3ssC0ntr0ller and connecting to the Telnet service the result is a remote shell from Access:

 

4 - CAPTURING THE 1st FLAG

- Reading user.txt is easy:





5 - PRIVILEGE ESCALATION


- However access to the Administrator's folder is denied, so we will need some Privilege Escalation method:




- At this moment the current user is security, whose Desktop only holds the previously file found user.txt:





- The Privilge Escalation technique to be used is based on the command runas /savecred.


- The runas command lets to run a program from a command prompt using the credentials of another user account.

- cmdkey lists the stored credentials in the Credential Manager Database:





- In our case the command runas /savecred impersonates the user Administrator without using his password.

- For instance, to ouput the file root.txt from Administrator's Desktop to user security's Desktop:




- Now the root.txt is available at the user security's Desktop:





6 - CAPTURING THE 1st FLAG


- Reading root.txt: