
HackTheBox | Access Walkthrough

7 min read. Written by Nautilus

Access is the first box I owned so it definitely has a place in my heart. However, if I ever have to experience a Telnet box like this again I will cry. I also think it’s important to note that I’m not as comfortable in a Windows environment as I am in Linux so I started with this box to learn more (which I did).

The loving and caring road to user.txt

To start off this box I used a simple nmap scan:

nmap -F
-F: Fast mode - Scan fewer ports than the default scan

Sweet, three open ports: 21 (FTP), 23 (Telnet) and 80 (HTTP). Let's start by browsing to the web page and see what's going on.

That doesn't look interesting. I still ran dirbuster against it and checked the page source to make sure I hadn't missed anything:

Okay, so there's really nothing going on there. Let's work our way down the list and try the Telnet service:

And we're prompted with a login. It's safe to assume we'll be logging in here at some point, but we don't have credentials yet, so let's have a look at our final stop, port 21:

And yet again we're prompted with a login... But wait! We can brute-force this login, so let's open msfconsole and search for ftp_login:

Awesome! We have a module: auxiliary/scanner/ftp/ftp_login. Let's use it and view its options:

Okay, I'm going to set RHOSTS and point USER_FILE and PASS_FILE at a username file and a password file. For the usernames I created my own small list, targeting this specific machine:

And for the password list I used a list of the top 100 passwords so the run would finish quickly. The list I used was: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt

Here’s a look at my options before I start my attack:

And fifteen seconds later.. We get a match.

Now, before I log in: you don't actually have to brute-force anything. I should have enumerated more thoroughly from the start. If I had added -A to the nmap scan (which turns on the default NSE scripts, the same as -sC), the ftp-anon script would have reported that anonymous FTP login is allowed. With that approach the login is simply the username anonymous with any password (anonymous:anonymous works).

Anyways, since I spent time getting these credentials let’s login with them:

Now let’s have a look at what directories there are and see if there’s anything interesting:

In the Backups directory we have a file named backup.mdb and in the Engineer directory we have a file named Access Control.zip. Let’s download both of these and see what’s going on:

After downloading both files I found that the .zip was password-protected and that the .mdb was corrupted when I tried to open it. The corruption comes from the ftp client itself: it transfers in ASCII mode by default, which rewrites line endings and silently mangles any binary file. Typing binary before get switches to image mode, and re-downloading backup.mdb that way gave an intact file.

Once I had re-downloaded the file I uploaded it to a site I found by googling "view .mdb file online", which showed the following. (Offline, mdbtools does the same job without sending the target's data to a third party: mdb-tables lists the tables and mdb-export dumps one as CSV.)

After digging around for awhile I looked into “auth user” and found some juicy credentials:

I wasn’t too sure whether the website was blocking out the full password (even though we can assume it’s access4u@security) — so I downloaded the file and tried to find the password manually so I didn’t feel as though I was cheating the system:

Yikes, what the hell is that? Let's pull out only the printable strings instead:

And now we’re in business:
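To show what the strings step is actually doing, and the case that plain strings misses, here is an added Python example of mine; it is not code from the original write-up. The .mdb bytes are constructed, not the real backup.mdb, and the table name and password value from the write-up are only embedded to make the sample recognisable. Jet databases keep text in UTF-16LE, where every character is followed by a null byte, so the ASCII scan that strings runs by default sees only isolated single characters; the UTF-16 scan (strings -el) is what finds that copy.

```python
import re
from typing import List, Tuple

# Constructed sample (not real data from the box): a fake fragment of a Jet
# .mdb file. Jet stores text as UTF-16LE, so the same values are embedded once
# as plain ASCII and once as UTF-16LE, surrounded by binary noise, to show why
# plain `strings` (ASCII only) can miss the wide-character copy.
SAMPLE_MDB = (
    b"\x00\x01\x00\x00Standard Jet DB\x00\x00\xff\xfe\x9a"
    + b"\x03\x07auth_user\x00\x00\x42\x10engineer\x00\x00\x00"
    + b"access4u@security\x00\x00\x10\x42\x01"
    + "auth_user".encode("utf-16-le") + b"\x00\x00\x9a\x7f"
    + "engineer".encode("utf-16-le") + b"\x00\x00\x00\x00"
    + "access4u@security".encode("utf-16-le") + b"\x00\x00\x7f\x80"
)

Hit = Tuple[int, str, str]  # (offset, text, encoding)


def extract_strings(data: bytes, min_len: int = 6) -> List[Hit]:
    """Printable runs of at least min_len characters, in file order.

    Equivalent to running both `strings -n N` (ASCII) and `strings -n N -el`
    (UTF-16LE) on the file. Jet/Office/Windows files frequently keep text in
    UTF-16LE, which the ASCII scan only sees as isolated single characters.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Hit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), m.group().decode("ascii"), "ascii"))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), m.group().decode("utf-16-le"), "utf-16le"))
    hits.sort(key=lambda h: h[0])
    return hits


def strings_after(hits: List[Hit], marker: str, window: int = 3) -> List[str]:
    """The next `window` strings following each occurrence of `marker`.

    Mirrors `strings file | grep -A3 auth_user`: in a small .mdb the table and
    column names sit close to the row data, so context around a known name is
    the quickest route to the interesting values.
    """
    out: List[str] = []
    for i, (_, text, _) in enumerate(hits):
        if text == marker:
            out.extend(t for _, t, _ in hits[i + 1 : i + 1 + window])
    return out


# Heuristic only: letters, a digit and a symbol, 8+ characters.
PASSWORD_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$")


def candidate_passwords(data: bytes) -> List[str]:
    """Deduplicated strings (either encoding) that look like chosen passwords.

    Not a guarantee of anything; it only shortens the list a human reads.
    """
    seen: List[str] = []
    for _, text, _ in extract_strings(data):
        if PASSWORD_LIKE.match(text) and text not in seen:
            seen.append(text)
    return seen


if __name__ == "__main__":
    hits = extract_strings(SAMPLE_MDB)
    for off, text, enc in hits:
        print(f"{off:#08x} {enc:8} {text}")
    print("after auth_user:", strings_after(hits, "auth_user"))
    print("password-like:", candidate_passwords(SAMPLE_MDB))
```

On the real file the equivalent one-liner is strings -n 8 backup.mdb alongside strings -n 8 -el backup.mdb; running both is the habit worth keeping for anything produced on Windows.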

So now we can go back to Access Control.zip and try the password access4u@security, since it's listed against the engineer user, and we get a .pst file. I had never worked with a .pst file before, but by using the elite hacker tool known as Google I learned about readpst (from libpst), which converts the Outlook mailbox to plain mbox text and finally let me read it:

This email gives us the username and password for the security account — since we didn’t see anything related to security on the ftp, let’s try logging into the telnet with the credentials security:4Cc3ssC0ntr0ller:

As you can see, it worked. I'm on the box, and user.txt is presumably somewhere under the security user's profile. Rather than browsing every directory by hand, let's search for it:

Now let’s navigate to the Desktop and view this file:

It works! We have just obtained the user flag!

The less kind road to root.txt

If you haven't worked on this box then I really recommend that you do. Over this Telnet session you can't see the output of what you run, and you can't delete anything you've typed. HILARIOUS. The command we're going to be working with is a long one. So I sat there looking like this the entire time I worked on this box:

So for some reason — I stopped taking screenshots here. I don’t know why but it really just be like that sometimes. I was slowly losing my mind, please forgive me. However, I did write down the command that I used and the key point of enumeration.

So we can see that there is a directory for the Administrator — it’s safe to assume that the root.txt flag is in there:

This is where I hit a roadblock, so I set up my own Windows environment and tested commands there first, since it was faster and I wasn't stuck in the disgusting Telnet session.

So after enumerating for what felt like hours, I learned of the cmdkey command, which manages the credentials saved in Windows Credential Manager. This command is magical, and I can see it being abused in the real world wherever lazy admins have saved their credentials. After reading the help output (cmdkey /?), I decided that the /list switch would be the most helpful:

/list: Displays the list of stored user names and credentials.

So let’s use that command see if there’s anything interesting:

Yikes. Looks like we can own a lazy admin who has saved his credentials. Any process running as the security user can use a credential stored for that user, so a saved Administrator credential on a low-privileged account is a privilege escalation waiting to happen (and the fix on a real system is simply cmdkey /delete on that entry). Except now the question is, how do we use it? I looked into Windows a little more and learned of the runas command, which seemed like it would be useful.

The RUNAS command can “Execute a program under a different user account (non-elevated)”. This is even more interesting when you learn about /savecred which can:

/savecred: Use credentials previously saved by the user.

So now we have a plan. I also popped runas into my local system to see the output of the command:

Sweet — now let’s work on the syntax of the command (this is where the screenshots stop but the gifs don’t):

runas /user:ACCESS\Administrator /savecred "cmd.exe /k more C:\Users\Administrator\Desktop\root.txt >> C:\Users\security\Downloads\saveme.txt"

Yes. You had to type that and figure out the syntax without seeing the output. I was missing one or two characters the entire time. Oh dear. The redirection is the important part: runas starts the program in a new console that isn't attached to the Telnet session, so nothing it prints ever comes back to you. Writing the contents of root.txt into a file under the security user's Downloads folder is what let me read it. Although I don't have any more screenshots, here's a gif demonstrating how I reacted when I submitted the flag successfully:


I actually really enjoyed working on this machine even though the privilege escalation gave me a pretty hard time. However, I learned a lot in the process — there’s really no better feeling than finally succeeding after hours of working on something.