Hack The Box — Access

Hey folks, today we have one of the HackTheBox machines, which I think is easy and will give you some interesting skills. Before we get started, let's check its info.

As you can see, it seems close to real-world challenges. That's enough, let's go ahead…

We usually start with an nmap scan to find the entry point we will use to get into the machine.

nmap -A -T4 -oG access.gnmap 10.10.10.98

For now, we have 3 open ports (ftp/http/telnet) and anonymous login to ftp, so we will do 2 tasks:

  1. Enumerate the http and ftp servers in the browser
  2. Enumerate the ftp server

The webpage on port 80 (10.10.10.98:80) doesn't have anything useful.

I tried to brute-force the directories using dirsearch + gobuster, but there's nothing useful in the directories either. I also checked the source code and still found nothing useful, so let's try to open ftp://10.10.10.98

Nothing, so it requires us to log in using credentials.

To get FTP credentials, I used the brutespray tool to brute-force the server credentials and found these results

Now we have 2 accounts, let’s use one of them to login to the FTP

Good, it’s valid, and we’re in the server now.

Let’s search for the flags or any useful files

We have 2 files that we need to take a look at, so we will download them using the command get <file-name>, and you can see all the files using help.

Also, I tried to upload a shell to the server, but unfortunately there's no access for me so far :( Let's explore our files.

The zip contains a file, Access Control.pst, which requires a password to open.

I tried to crack it using multiple tools, but that failed, so the only option left is that the password is in the backup.mdb file. This file type is unreadable, so we will use the strings tool to extract all the useful words from it.

I tried to grep for multiple words and found access4u@security, so we will try it as the password and see what happens.

It's valid, and it's the real password, so now we have the file Access Control.pst. Again it's an unreadable file, so we will use the readpst tool to convert the pst file to an mbox file that we can read.

Let’s open the mbox file

This is a mail from John to Security that informs him about the changes that happened to his account's user, so we have the updated or new username and password. Let's use these credentials to log in to the server using telnet.

Good, now we're inside the server, but as the security user, not admin, so let's grab user.txt first.

At first I used Windows-Suggester to search for any kernel vulnerabilities that would let me get higher privileges, by getting the system info and checking it.

Unfortunately nothing here.

Let's try to enumerate all the files on the server that we have permission to open.

In the public directory you will find an lnk file with good information inside it.

We found something: runas.exe. After searching for it, I learned that this program lets the administrator run commands with administrator privileges without typing the password by using /savecred, which saves his credentials to the system.

For more information about this step, check this resource

So we will use this EXE file to move root.txt from the Administrator directory to the security directory.

We have the root.txt now ❤
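An added example (not part of the original write-up): a defender-side audit that finds shortcut files invoking runas with the saved-credential flag, like the lnk file in the public directory above. It pulls printable strings out of the raw bytes in both ASCII and UTF-16LE, the same idea as the strings step used on backup.mdb; the function names and the `EXAMPLE\Administrator` sample bytes are constructed for illustration.

```python
from __future__ import annotations
import re
from pathlib import Path

# Printable runs of 4+ characters, as ASCII and as UTF-16LE (shortcuts may use either).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
RUNAS = re.compile(r"\brunas(?:\.exe)?\b", re.I)
SAVECRED = re.compile(r"/savecred\b", re.I)
USER = re.compile(r"/user:(\S+)", re.I)

def extract_strings(blob: bytes) -> list[str]:
    """Return the printable strings in raw bytes, in both encodings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found

def audit_shortcut(blob: bytes) -> dict | None:
    """Return a finding if the bytes reference runas together with /savecred."""
    strings = extract_strings(blob)
    hits = [s for s in strings if SAVECRED.search(s)]
    if not hits or not any(RUNAS.search(s) for s in strings):
        return None
    user = next((m.group(1) for s in hits if (m := USER.search(s))), None)
    return {"run_as_user": user, "arguments": hits[0]}

def audit_tree(root: str) -> dict[str, dict]:
    """Audit every .lnk file under root and return {path: finding}."""
    findings = {}
    for path in Path(root).rglob("*.lnk"):
        finding = audit_shortcut(path.read_bytes())
        if finding:
            findings[str(path)] = finding
    return findings

# Constructed bytes standing in for shortcuts (not real .lnk files): a header
# fragment, the target path in ASCII, then the arguments in UTF-16LE.
SAMPLE = (b"L\x00\x00\x00\x01\x14\x02\x00"
          + b"C:\\Windows\\System32\\runas.exe\x00\x00\x00"
          + '/user:EXAMPLE\\Administrator /savecred "C:\\tools\\app.exe"'.encode("utf-16-le")
          + b"\x00\x00")
BENIGN = b"L\x00\x00\x00\x01\x14\x02\x00" + b"C:\\Windows\\System32\\notepad.exe\x00"

if __name__ == "__main__":
    print(audit_shortcut(SAMPLE))   # finding with run_as_user and arguments
    print(audit_shortcut(BENIGN))   # None
```

A finding means credentials for the named account are stored on the host and usable by anyone who can run that shortcut's command; `cmdkey /list` shows the stored entries and `cmdkey /delete:<target>` removes them.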
