Access Walkthrough
Hey folks, today we have one of HackTheBox machines which I think itâs easy and get you some interesting skills, but before we get started letâs check its info
As you can see it seems to real-world challenges, thatâs enough, letâs go aheadâŚ
Nmap scan
Usually, we start our scan with nmap scan to know whatâs entry point we will use to log in to the machine
nmap -A -T4 -oG access.gnmap 10.10.10.98
For now, we have 3 open ports ftp/http/telnet and anonymous login to ftp so for now we will do 2 tasks:
Enumerate
httpandftpservers on the browserEnumerate
ftpserver
HTTP / FTP Enumeration
For the webpage on port 80 it doesnât have anything useful 10.10.10.98:80
And I tried to brute-force the directories by using dirsearch + gobuster but also thereâs nothing useful in the directories I checked the source code and still found nothing useful so letâs try to open ftp://10.10.10.98
nothing so it requires us to log in using the credentials
FTP Enumeration
To get FTP credentials, Iâve used brutespray the tool to brute force the server credentials and sound these results
Now we have 2 accounts, letâs use one of them to log in to the FTP
Good, itâs valid, and weâre in the server now.
Letâs search for the flags or any useful files
We have 2 files that we need to take a look at them, so we will download these files by using this command get <file-name> and you can see all the files using help
Also, Iâve tried to upload a shell to the server but unfortunately, thereâs been no access for me until now :( Letâs discover our files
The zip has internal file Access Control.pst which requires us to type a password to open
Iâve tried to crack it using multiple tools, but it fails, so the only solution now is the password is in the backup.mdb file, but this type is unreadable, so we will use strings the tool to extract all useful words from it
Iâve tried to grep multiple words and I found access4u@security so we will try to use it as the password and see what will happen.
Itâs valid, and itâs the real password, so now we have a file Access Control.pst but again itâs an unreadable file, so we will use readpst a tool to convert the pst file to mbox file which we can read it
Letâs open the mbox file
This is a mail from John to Security that informs him about the changes which happened to his accountâs user, so we have the updated or the new username and the password. Letâs use these credentials to log in to the server using telnet
Good, now weâre inside the server but in security user not admin so letâs grab user.txt first
Privilege Escalation
At the first, I used Windows Suggester to search for any vulnerabilities in the kernel which will manage me to get high privileges by getting the system info and checking it
Unfortunately nothing here.
Letâs try to enumerate all the files on the server to which we have permission to open it.
In the public directory, you will have lnk a file which you will find good information about it
we found something runas.exe and after searching for it, I know that this program manages the administrator to run commands with administrator privileges without typing the password by using /savedcred which saves his credentials to the system
For more informations about this step, check this resource
So we will use this EXE file to move the root.txt from the Administrator directory to security directory
We have the root.txt now â¤
Congrats â¤
Last updated