
Access is the 29th machine I attempted on HackTheBox. User access is gained by reading an MS Access database to get the password to a zipped file. Root access is gained by exploiting stored credentials.
User Access
I started, as I always do, with the nmapautomator script that the wonderful 21yfd made available on GitHub and shared in the HTB forums. It’s a great timesaving tool and gives you a good start on your scans (Available here).
This revealed FTP, Telnet and HTTP ports were open. Very interesting!

Gobuster running on port 80, even using the “big” text file, didn’t return anything interesting.

Next, we look at FTP, which the scan revealed allows anonymous logins. There are two files available in here, backup.mdb (an MS Access database file, so that’s where the name of the box comes from) and Access Control.zip. We can have a look at the backup file later, but the Access Control file is much smaller so we can download that and have a look at what’s inside.

When trying to unzip this file using the “unzip” command, we get an error returned.

After some research, it turns out this error is because the “unzip” program cannot handle AES-256 encryption. So we try again with 7z.

The file is password protected. Looks like we will have to go back and grab the backup database file.

This shows that the file may not have transferred correctly due to our ftp session being in ASCII mode. If we type “bin”, this will change it to binary mode and we can try again.

We can then use mdbtools to access this MS Access database in Linux. mdb-tables allows us to view all tables in the database.

This is not particularly user friendly output. mdbtools comes with a number of commands though, and we can try using mdb-sql instead which gives us a much nicer output.

The auth_user table jumps out as potentially containing useful information for us. We can use “mdb-export backup.mdb auth_user” to export the contents of this table.

This provides usernames and passwords. The Access Control.zip was in the Engineer folder on the FTP server, so it makes sense to try that password “access4u@security” first for the zip file, and it works!

readpst can be used to access the PST file that is extracted, and this creates a .mbox file which can be read using cat or a text editor.

More credentials, bringing our total to 4 sets of credentials.
At this point the only access method we haven’t tried yet is telnet, so it seems to follow that it is worth trying these credentials on telnet to see if it allows us access.

Success! Our initial foothold. From here we can go to the security user’s desktop and claim the user flag.
Privilege Escalation
Following the enumeration steps recommended in swisskyrepo’s Windows Privilege Escalation guide (found here), we eventually get to the “cmdkey /list” command, which tells us if there are stored credentials on the machine.

Bingo! Now we can check the Windows Credentials Manager for more details.

Since there is only one stored credential, we can safely assume using this saved credential will give us administrator access. Windows gives us the ability to run as a different user using the stored credential. We can use this to copy the root flag to somewhere that we can read it.
runas /user:Access\Administrator /savecred "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"

And that’s it, root flag claimed!
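
From the defender's side, the escalation above shows up as a process creation whose command line runs runas with /savecred. The following Python is an added example, not part of the original write-up: it parses the runas switches out of recorded command lines and flags the ones that reuse a stored credential. The event field names and the sample records are constructed for illustration and do not follow a real log schema.

```python
import re

# A token is a run of non-space text and/or double-quoted strings, so
# /user:"Some User" and "cmd /c ..." each stay in one piece.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
RUNAS = re.compile(r'^(?:.*[\\/])?runas(?:\.exe)?$', re.IGNORECASE)


def parse_runas(command_line):
    """Return runas switches as a dict, or None if the process is not runas."""
    tokens = TOKEN.findall(command_line)
    if not tokens or not RUNAS.match(tokens[0].strip('"')):
        return None
    info = {"user": None, "savecred": False, "program": None}
    for tok in tokens[1:]:
        low = tok.lower()
        if low.startswith("/user:"):
            info["user"] = tok[len("/user:"):].strip('"')
        elif low == "/savecred":
            info["savecred"] = True
        elif not tok.startswith("/"):
            # First non-switch token is the program to launch; runas switches end here.
            info["program"] = tok.strip('"')
            break
    return info


def find_savecred_use(events):
    """Flag process-creation events where runas reuses a stored credential."""
    hits = []
    for ev in events:
        info = parse_runas(ev["command_line"])
        if info and info["savecred"]:
            hits.append((ev["host"], ev["user"], info["user"], info["program"]))
    return hits


# Constructed sample events (field names are hypothetical, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "ACCESS", "user": "security", "command_line":
     r'runas /user:Access\Administrator /savecred "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"'},
    {"host": "ACCESS", "user": "security", "command_line":
     r'"C:\Windows\System32\RUNAS.EXE" /SAVECRED /USER:"ACCESS\Administrator" notepad.exe'},
    {"host": "ACCESS", "user": "security", "command_line":
     r'runas /user:Access\Administrator cmd.exe'},          # prompts for a password
    {"host": "ACCESS", "user": "security", "command_line":
     r'findstr /i "/savecred" C:\scripts\deploy.bat'},      # only mentions the switch
]

if __name__ == "__main__":
    for hit in find_savecred_use(SAMPLE_EVENTS):
        print("runas /savecred: host=%s actor=%s target=%s program=%s" % hit)
```

A hit is a prompt to review “cmdkey /list” on that host and remove stored entries that are not needed with “cmdkey /delete:<target>”.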

