HacktheBox - Access
Another box has retired and thought I would do a walkthrough. This box was rated easy. Below are some notes on what I did to gain Administrator access.
- Logged into FTP with Anonymous login
- Downloaded backup.mdb and Access Control.zip in binary mode.
- Access Control.zip required a password to unzip.
- Used mdb-sql to view the tables
- Used mdb-export to export the tables auth_user which contains the password for the .zip file.
- Able to used the password for Access Control.zip which gave me a .pst file
- Used readpst to unpack the .pst file and able to read .mbox file with cat. This has given me another password.
- I used the newly aquired password to log into telnet.
- At this stage, I would continue with my normal enumeration. Going through the the list, I stumbled across cmdkey /list which states that the Administrator had cached credentials stored on the machine.
- Using this information, this means that I could run anything as Adminstrator, I created a reverse shell with msfvenom on my kali machine.
- Transfered the file over using certutil
- Ran the binary with /runas /savecred command while having a netcat listner waiting for a successful connection.
I used the below guide for my Privilege Escalation Methodology by going through them one by one and crossing them off. Hope you guys enjoyed the Video and the short walkthrough.
Windows Priv Esc
Click here to view my walkthrough