Access is an easy difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. Also highlighted is how accessible FTP/file shares can often lead to getting a foothold or lateral movement. It teaches techniques for identifying and exploiting saved credentials.

Enumeration

First I check for available open ports.

nmap -p- --min-rate=10000 10.10.10.98

nmap -sC -sV -p21,23,80 10.10.10.98 -oA ./nmap/access

|Ports|Service|
|---|---|
|21|ssh OpenSSH for_Windows_7.9 (protocol 2.0)|
|22|ssh OpenSSH for_Windows_7.9 (protocol 2.0)|
|80|msrpc Microsoft IIS httpd 7.5|

I checked the FTP port, which has anonymous login enabled.

There are 2 folders, Backups and Engineer. Backups has backup.mdb and Engineer has Access Control.zip.

Note: To download backup.mdb you need to be in binary mode, otherwise it just corrupts the file.

Next, I checked the webserver, an IIS server with a server picture.

I decided to check for IIS_shortnames and, although it was vulnerable, nothing was interesting.

Foothold

I used mdbtools to enumerate backup.mdb. First I used mdb-tables to check all the tables, and there are too many of them to check one by one.

I used mdbopener to download an Excel version for easy enumeration.

Inside I found some credentials.

Using the credentials of engineer we can unlock the zip file, and inside I found a .pst file.

I used Goldfynch to view the file content and inside I found an email with credentials.

I logged into Telnet with the creds and got the user flag.

Privilege Escalation

After looking for a bit I found a .lnk file, and inside we can see that the user is running the command as admin using saved creds.

C:\Users\Public\Desktop

To make sure, I used cmdkey to check if there was any saved key and found that indeed the administrator’s key was saved.

cmdkey /list

It’s a very long process to get a shell because when using runas it will create a new window and this can be annoying. So I copied the content of the root flag to somewhere I have access to.

runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c type \"C:\Users\Administrator\Desktop\root.txt\" > \"C:\Users\security\Desktop\rootflag.txt\""

Now I can check out the root flag.
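The saved-credential condition used above can be audited from the defender's side. The following is an added example, not part of the original writeup: it parses `cmdkey /list` output and flags entries that `runas /savecred` can reuse, and it flags command lines (for example from shortcut targets or process-creation logs) that pass `/savecred`. The sample output, the sample command lines and the function names are constructed, and it assumes `runas /savecred` stores its entries under a `Domain:interactive=` target.

```python
import re

# Constructed sample of `cmdkey /list` output (not captured from the machine in this writeup).
SAMPLE_CMDKEY = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=build-share
    Type: Generic
    User: builduser
"""
# Constructed command lines, e.g. taken from shortcut targets or process-creation logs.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Tools\app.exe"',
    r'runas /user:ACCESS\helpdesk cmd.exe',  # prompts for a password, not flagged
]
SAVECRED = re.compile(r'\brunas(?:\.exe)?\b.*?/savecred\b', re.IGNORECASE)
RUNAS_USER = re.compile(r'/user:(\S+)', re.IGNORECASE)

def parse_cmdkey(text):
    """Split `cmdkey /list` output into dicts with target/type/user keys."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key = key.lower()
        if sep and key == "target":
            entries.append({})  # every Target line starts a new entry
        if sep and entries and key in ("target", "type", "user"):
            entries[-1][key] = value.strip()
    return entries

def runas_savecred_accounts(entries):
    """Accounts whose stored password runas /savecred can reuse without a prompt."""
    return [e.get("user", "") for e in entries
            if e.get("target", "").lower().startswith("domain:interactive=")]

def savecred_cmdlines(cmdlines):
    """(account, command line) for each runas invocation that passes /savecred."""
    hits = []
    for cmd in filter(SAVECRED.search, cmdlines):
        user = RUNAS_USER.search(cmd)
        hits.append((user.group(1) if user else None, cmd))
    return hits
```

A flagged entry can be removed with `cmdkey /delete:<target>`, after which `runas /savecred` prompts for the password again.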