HackTheBox Access Writeup

Reconnaissance

Enumeration

Exploitation

Windows Privilege Escalation

________________________________________

Reconnaissance

Run the nmapAutomator.sh script to automate the recon/enumeration process. Three ports are open: 21, 23 and 80. Port 21 allows anonymous FTP login, so let's log in.

Enumeration

There are two directories, Backups and Engineer. The Backups directory has the backup.mdb file and the Engineer directory has the Access Control.zip file. We download both files to our attacking machine.

Access Control.zip needs a password. When we run the strings command on backup.mdb we get some interesting strings. Let's try this password and extract the file. We get the “Access Control.pst” file. To convert the file, run the command readpst "Access Control.pst" (the quotes are needed because of the space in the file name), which converts it into .mbox format. Run the cat command to see what we have inside the file.

Exploitation

We get the user credentials, and the telnet port is open, so let's log in over telnet.

We get a low-privilege shell.

After enumerating directories, we find a link (.lnk) file in “C:\Users\Public\Desktop”. Looking inside it, we can see a runas command executed as administrator. The runas command allows us to run commands as another user, and the /savecred option allows us to use the command without being asked for the password, because the credentials were saved when it was first used.
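For the defensive side of this finding, the following added example (not part of the original writeup) pulls ASCII and UTF-16LE strings out of a shortcut file, the way the strings command does, and flags any shortcut whose arguments carry /savecred. The sample bytes, the EXAMPLE\Administrator account and the C:\Tools\app.exe path are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Printable runs of 4+ characters, as `strings` (ASCII) and `strings -el` (UTF-16LE) report them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Return printable ASCII and UTF-16LE runs found in a binary blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def audit_shortcut(data: bytes):
    """Return a finding if the shortcut's strings include /savecred, else None."""
    strings = extract_strings(data)
    hits = [s for s in strings if re.search(r"/savecred\b", s, re.I)]
    if not hits:
        return None
    user = re.search(r"/user:(\S+)", " ".join(hits), re.I)
    return {
        "runas_target": any(re.search(r"\brunas(\.exe)?\b", s, re.I) for s in strings),
        "user": user.group(1) if user else None,
        "arguments": hits,
    }


def utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed samples, not real .lnk files: they only mimic how a shortcut
# stores its target and arguments as UTF-16LE text between binary fields.
SAMPLE_FLAGGED = (
    b"L\x00\x00\x00\xff\xff" + utf16(r"C:\Windows\System32\runas.exe") + b"\xff\xff"
    + utf16(r'/user:EXAMPLE\Administrator /savecred "C:\Tools\app.exe"') + b"\xff\xff"
)
SAMPLE_CLEAN = b"L\x00\x00\x00\xff\xff" + utf16(r"C:\Windows\System32\notepad.exe") + b"\xff\xff"

if __name__ == "__main__":
    # Audit every .lnk under the directory given on the command line.
    for path in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.lnk"):
        finding = audit_shortcut(path.read_bytes())
        if finding:
            print(path, finding)
```

A flagged shortcut means a saved credential for the named account exists on that host; running cmdkey /list as the affected user shows the stored entries so they can be removed.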

Windows Privilege Escalation

Now run a Python SimpleHTTPServer on port 80 on the attacking machine to upload the nc.exe file to the victim machine. To find nc.exe on the attacking machine, run the locate nc.exe command. To transfer the nc.exe file we can use the “powershell” or “certutil” command. Now start the netcat listener on the attacking machine, and finally we will use the runas command to get the reverse shell.

We got the shell. The user flag is in “C:\Users\security\Desktop” and the root flag is in “C:\Users\Administrator\Desktop”.

Extra Content

Creating Base64 (UTF-16LE) on the attacking machine to use on the victim machine as a PowerShell EncodedCommand to get a reverse shell.

We will use the runas command to get the reverse shell, as shown in the image above. To see it in a video, here is a link to ippsec's video.
