Access is the first box I owned so it definitely has a place in my heart. However, if I ever have to experience a Telnet box like this again I will cry. I also think it’s important to note that I’m not as comfortable in a Windows environment as I am in Linux so I started with this box to learn more (which I did).
The loving and caring road to user.txt
To start off this box I used a simple nmap scan:
nmap -F 10.10.10.98
-F: Fast mode - Scan fewer ports than the default scan
Sweet — Three ports. Let’s try browsing to the web page and see what’s going on.
That doesn’t look interesting — However, I did end up using dirbuster and checked the source code to make sure I didn’t miss anything:
Okay, so there’s really nothing going on. Let’s work our way down the list and try going for the telnet:
And we’re prompted with a login. It’s safe to assume we’re going to be logging in here at some point but we don’t currently have the credentials so let’s go have a look at our final stop — port 21:
And yet again we’re prompted with a login. But wait! We can brute-force this login, so let’s go to msf and search for ftp_login:
Awesome! We have a module. Let’s use this module and then view the options:
Okay — I’m going to fill out the RHOST and add a password and username file. For the usernames I created my own small list — targeting this specific machine:
And for the password list I used a list of the top 100 passwords to make it go by fast. The list I used was: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt
Here’s a look at my options before I start my attack:
And fifteen seconds later, we get a match.
Now, before I log in: you don’t actually have to brute-force anything. I should have enumerated more from the start. If I had added -A to the nmap scan I would have seen that anonymous FTP login is allowed, so with that approach the username:password would simply be anonymous:anonymous.
Anyways, since I spent time getting these credentials let’s login with them:
Now let’s have a look at what directories there are and see if there’s anything interesting:
In the Backups directory we have a file named backup.mdb and in the Engineer directory we have a file named Access Control.zip. Let’s download both of these and see what’s going on:
After downloading both files I was presented with a password prompt on the .zip file, and the .mdb file turned out to be corrupted when I tried to upload it. However, the corrupted .mdb file was easily fixed by typing binary at the ftp prompt (the client defaults to ASCII mode, which rewrites line-ending bytes and mangles binary files) and then re-downloading backup.mdb.
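Why binary mode fixed the file, as an added example that is not part of the original write-up: the snippet below models a Linux ftp client pulling a file from a Windows server in the default ASCII (type A) mode versus binary (type I) mode, and shows the size/hash check worth running on any downloaded artifact. The sample bytes are constructed and are not taken from the real backup.mdb; the assumption that the Windows server sends the file as-is and the Unix client collapses every CRLF to LF is the model used here.

```python
import hashlib

# Constructed "database" bytes: a text-looking header followed by raw binary
# that happens to contain CR (0x0D) and LF (0x0A) bytes, as real binary files do.
SAMPLE_MDB = (b"\x00\x01\x00\x00Standard Jet DB\x00"
              + b"\x01\x0d\x0a\x02\x0a\x03\x0d\x04")


def ascii_mode_receive(wire: bytes) -> bytes:
    """Model of a Unix ftp client in ASCII mode (assumption of this example):
    the stream is treated as text, so every CRLF pair becomes a bare LF.
    In a binary file those bytes are data, so a byte is silently dropped."""
    return wire.replace(b"\r\n", b"\n")


def binary_mode_receive(wire: bytes) -> bytes:
    """Binary (type I) mode is a byte-for-byte copy; nothing is rewritten."""
    return wire


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_is_intact(reference: bytes, received: bytes) -> bool:
    """Post-download check: the size (as shown by the server's directory
    listing) and, when a reference hash is available, the digest must match."""
    return (len(reference) == len(received)
            and sha256_hex(reference) == sha256_hex(received))


if __name__ == "__main__":
    via_ascii = ascii_mode_receive(SAMPLE_MDB)
    via_binary = binary_mode_receive(SAMPLE_MDB)
    print(f"server copy: {len(SAMPLE_MDB)} bytes")
    print(f"ascii mode:  {len(via_ascii)} bytes, intact={transfer_is_intact(SAMPLE_MDB, via_ascii)}")
    print(f"binary mode: {len(via_binary)} bytes, intact={transfer_is_intact(SAMPLE_MDB, via_binary)}")
```

The one-byte size difference is the tell: whenever a downloaded binary is a few bytes shorter than the size the FTP server lists, suspect an ASCII-mode transfer before suspecting the file.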
Once I had re-downloaded the file I uploaded it to a site I found by googling “view .mdb file online”, which showed:
After digging around for a while I looked into “auth user” and found some juicy credentials:
I wasn’t sure whether the website was masking part of the password (even though we can assume it’s access4u@security), so I downloaded the file and tried to find the password manually so I didn’t feel as though I was cheating the system:
Yikes, what the hell is that? Let’s pull out just the printable strings:
And now we’re in business:
So now we can go back to Access Control.zip and try the password access4u@security, since it’s listed under the engineer username. Extracting the archive gives us a .pst file. I’ve never worked with a .pst file before, but by using the elite hacker tool known as Google I learned about readpst, which finally allowed me to view the file:
This email gives us the username and password for the security account. Since we didn’t see anything related to security on the FTP server, let’s try logging into telnet with the credentials security:4Cc3ssC0ntr0ller:
As you can see, it worked. I’m on the box and I can assume the user.txt is around here somewhere, and rather than browsing each directory looking for it, let’s search for it:
Now let’s navigate to the Desktop and view this file:
It works! We have just obtained the user flag!
The less kind road to root.txt
If you haven’t worked on this box then I really recommend that you do. You’re not able to see your output, and you can’t delete anything you’ve typed. HILARIOUS. The command we’re going to be working with is a longboi. So, I sat there looking like this the entire time I worked on this box:
So for some reason — I stopped taking screenshots here. I don’t know why but it really just be like that sometimes. I was slowly losing my mind, please forgive me. However, I did write down the command that I used and the key point of enumeration.
So we can see that there is a directory for the Administrator — it’s safe to assume that the root.txt flag is in there:
This is where I hit a roadblock, so I set up my own Windows environment and tried running commands on that machine, since it was faster and I wasn’t stuck in the disgusting telnet environment.
So after enumerating for what felt like hours, I learned of the cmdkey command. This command is magical, and I can see it being used in the real world by lazy admins. After reading the help output, I decided that the /list switch would be the most helpful.
/list: Displays the list of stored user names and credentials.
So let’s run that and see if there’s anything interesting:
Yikes. Looks like we can own a lazy admin who’s saved his credentials. Except now the question is, how do we do that? I looked into Windows machines a little more and learned of the runas command which seemed like it would be useful.
The RUNAS command can “Execute a program under a different user account (non-elevated)”. This is even more interesting when you learn about /savecred which can:
/savecred: Use credentials previously saved by the user.
So now we have a plan. I also popped runas into my local system to see the output of the command:
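The finding behind this box is a saved Administrator credential in Credential Manager. As an added example that is not part of the original write-up, here is a small Python audit that parses the text printed by cmdkey /list (the sample below is constructed to mirror the box) and flags entries for privileged accounts, so a defender can find a lazy admin’s saved credential before anyone else does:

```python
import re

# Constructed sample of `cmdkey /list` output, in the layout the tool prints.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=example-generic-entry
    Type: Generic
    User: engineer
"""

# Accounts that should never be left in Credential Manager on a host where a
# lower-privileged user can log in (case-insensitive, DOMAIN\ prefix ignored).
PRIVILEGED_ACCOUNTS = {"administrator"}


def parse_cmdkey(output: str) -> list[dict]:
    """Turn `cmdkey /list` text into a list of {target, type, user} dicts."""
    entries, current = [], {}
    for line in output.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.*)", line)
        if not m:
            continue  # headers, blank lines and "* NONE *" carry no entry data
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "target" and current:  # a new Target line starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def flag_privileged(entries: list[dict]) -> list[dict]:
    """Return entries whose saved user is a privileged account (DOMAIN\\ stripped)."""
    flagged = []
    for entry in entries:
        account = entry.get("user", "").split("\\")[-1].lower()
        if account in PRIVILEGED_ACCOUNTS:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in flag_privileged(parse_cmdkey(SAMPLE_CMDKEY_OUTPUT)):
        # Remediation: cmdkey /delete:<target> removes the saved credential.
        print(f"saved credential for {entry['user']} under target {entry['target']}")
```

On a real host, feed it the actual cmdkey /list output; the entry is removed with cmdkey /delete:<target>, and the policy “Network access: Do not allow storage of passwords and credentials for network authentication” stops such credentials from being saved in the first place.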
Sweet — now let’s work on the syntax of the command (this is where the screenshots stop but the gifs don’t):
runas /user:ACCESS\Administrator /savecred "cmd.exe /k more C:\Users\Administrator\Desktop\root.txt >> C:\Users\security\Downloads\saveme.txt"
Yes. You had to type that and figure out the syntax without seeing the output. I was missing one or two characters the entire time. Oh dear. Anyway, this appended the contents of root.txt to a file in the security user’s Downloads folder so I could successfully view it. Although I don’t have any more screenshots, here’s a gif demonstrating how I reacted when I submitted the hash successfully:
I actually really enjoyed working on this machine even though the privilege escalation gave me a pretty hard time. However, I learned a lot in the process — there’s really no better feeling than finally succeeding after hours of working on something.