045#:HTB - Access

Title Card

It’s a rainy Sunday morning and I am excited to dive into Access on Hack the Box. I am continuing to prep for the OSCP by working my way through TJ Null’s list. Today’s room is another Windows box and I could use the practice.

Nmap

We’ve got some good results here. Anonymous FTP is allowed, they are using telnet for some reason, and they are hosting a website. I decided to start by exploring FTP.

I grabbed both files that were on there and started trying to inspect them on my machine. The zip is password protected though.

I was going to use ssh2john on this, but I thought maybe I should check that mdb file first in case it had the password. I ran strings and began skimming through.

A little ways down, we have something interesting. I noticed various account names like backup_admin and what looked like a password. I put all the potential usernames into a users.txt file and then tried the password against our protected zip file.

I don’t have an email client on this VM, so I installed the Evolution email client and the plugin for pst imports before opening our file.

Evolution 1
Evolution 2

Nice! We have one email and it contains a password. It also shows a couple of relevant domains. I think we’ve done everything we can with our FTP findings, so I tried our new credentials against their telnet service, which gets us our first flag!

Flag 1

I now started exploring the users’ folders, starting with the .yawcam one. Inside ver.dat, we find the version number.

Enum 1

I then started checking out c:\inetpub and the ZKTeco folders. In the ZKTeco folder, I found a directory named “ZKAccess3.5”. It looks like this is an access control management app and, since it is the namesake of the room, probably our privilege escalation path too. A quick Google search has this looking even more promising.

Google 1

This exploit relies on us having modify rights over the application folder, which we do not have. I looked up exploits for yawcam but found nothing useful. I decided to get winpeas running on the target.

I tried to use iwr to download it from my machine, but it fails. curl doesn’t work either. Then I tried uploading winpeas using anonymous FTP, but we get access denied errors. I tried connecting to FTP as our security user, but they don’t have the rights. I spent some time checking out the site on port 80 before falling back to a Guided Mode question as a hint.

Enum 2

I neglected to check the public desktop, and I don’t think I would have remembered on my own, but it’s good to note for the future. Looking at the .lnk file, it seems like the admin credentials are being used to run the app. I looked up how /savecred works with runas since this is likely where things are heading.

Google 2
Exploit 1
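From the defender’s side, the finding above is simply a shortcut whose arguments contain runas /savecred, and that is something you can audit for. The following is an added example (not from the original post) that parses the StringData section of a shell link per the MS-SHLLINK layout and flags any .lnk whose COMMAND_LINE_ARGUMENTS field uses /savecred; the sample shortcut bytes, the C:\Apps path and the Access.exe argument line are constructed for the demonstration.

```python
import pathlib
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 20 of the 76-byte header)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
# StringData fields appear in this fixed order, each one only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, working dir, arguments, ...) of a .lnk."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_ID_LIST:                 # skip LinkTargetIDList: u16 size + items
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:               # skip LinkInfo: u32 size that includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def uses_saved_credential(data: bytes) -> bool:
    """True when the shortcut's arguments hand runas the /savecred switch."""
    return "/savecred" in parse_lnk(data).get("arguments", "").lower()

def audit_shortcuts(folder: str) -> list:
    """List every .lnk under folder (e.g. the public desktop) that relies on /savecred."""
    return [str(p) for p in pathlib.Path(folder).rglob("*.lnk")
            if uses_saved_credential(p.read_bytes())]

def build_sample_lnk(arguments: str, working_dir: str = r"C:\Apps") -> bytes:
    """Constructed minimal shortcut (HasWorkingDir|HasArguments|IsUnicode) for testing."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_WORK_DIR | HAS_ARGS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (working_dir, arguments))
    return header.ljust(0x4C, b"\x00") + body
```

Run audit_shortcuts over C:\Users\Public\Desktop (and the per-user desktops) as part of a host review; a hit means a cached credential exists for whatever account the /user: argument names.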

I messed around a little trying to use the saved credential to run cmd, but this all failed. Let’s see if we can dump the password instead.

Exploit 2

This didn’t show me a password, but it did reveal I was not specifying the user correctly in my last commands. Still no luck though. I double checked that I can’t modify the Access.exe file that the .lnk points to.

I tried running Access.exe once using this method to see if it needed to cache the credential first. This seemed to work, since I didn’t get prompted for the password, but I didn’t get an elevated shell.

I began wondering if the limitations of the telnet shell are preventing me from getting the runas exploit to work. Alright, what else can we do? I had the thought to drop a reverse-shell payload that I could launch via runas, so I spent more time trying to figure out how to get a file onto the target.

I made a payload with msfvenom for our revshell. I searched for alternate powershell methods for downloading a file from a webserver, and eventually found one that works.

MSFVenom
Exploit 4
Flag 2

That gives us our root shell and our final flag! This was a cool room. I don’t think I would have found that .lnk file on the public desktop without a hint though, so I will need to be sure to check for that in the future.

[CATZ....HACKS]
