HTB - Access

Windows | FTP | mdb | pst | RunAs

Tools For This Room

  • mdbtools - used to interact with .mdb (Microsoft Database) files - documentation

  • pst-utils - used to interact with .pst (Outlook) files - documentation

TL;DR / Executive Summary

  1. Scan and enumerate with nmap

  2. Gain foothold with credentials from mdb file

  3. Privesc with RunAs

Scanning & Enumeration

We'll begin with the standard nmap scans:

  • nmap

nmap -sV -sC -vv <IP>

We get the following open ports:

  • 21: FTP

  • 23: Telnet

  • 80: HTTP

We also run a full port scan in the background, but nothing more comes of it.

Checking out port 80 only gives us an image of some servers with the title LON-MC6. Viewing the page source doesn't turn up any further details.

Let's see if we can log in to FTP anonymously, and we're in.

First, let's switch the mode to binary from ASCII so that any files we download will be in the right format. This can be done by entering "binary".

Navigating around gives us 2 directories: Backups and Engineer. We also find a file in each: backup.mdb and Access Control.zip. We can grab those to our working directory with "get".

Hopping over to port 23, we telnet in, but it turns out we need credentials to log in.

We also run a few gobuster scans with multiple wordlists, and also check for file extensions, but we don't get anything useful from them.

Gaining Foothold

Let's shift our focus to the files we got from FTP.

We can open and interact with an .mdb file in a few ways. The first way is to simply open it with Microsoft Access. The second way is to use mdbopener.com. The way we'll use is through a command line tool called mdbtools.

If it's not installed yet, go ahead and install it with:

sudo apt install mdbtools

To see the various tools included in mdbtools, we can enter "mdb-" and press tab twice. We can find the documentation for the tools here.

After listing the tables, we realize that there are too many to inspect individually. Let's try to narrow the search to interesting tables with the keyword "user".

mdb-tables backup.mdb | grep -i user

We can start checking out the highlighted tables. The first one yields 3 username/password combinations.

Unfortunately, these don't provide access to Telnet.

Let's see what's in the Access Control.zip file instead. Unzipping the file prompts us for a password. This is where "access4u@security" works to unzip it for us.

This gives us a .pst file, which is an Outlook Data File. Once again, we can open this in Outlook, but let's check it out via the command line instead.

We'll use a tool called pst-utils for this. The functions of pst-utils can be found here. If it's not installed yet, we can install it via:

sudo apt install pst-utils

Since we're unable to print the contents of the .pst file directly, we need to convert it to the more generic format of .mbox. We can do this with:

readpst "Access Control.pst"

Now we print out the contents and get the username/password combination of "security/4Cc3ssC0ntr0ller".

Logging into Telnet with this password gets us in:

Navigating to the Desktop, we get the user.txt:

Privilege Escalation

A simple privilege escalation check we can try is "cmdkey /list".

Now that we see that the Administrator's credentials are available, let's try to use them to copy the root.txt into a directory which is accessible by us.

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"

We get the root.txt in our working directory!
